Operation Kabar Cobra: Analysis of the Latest Targeted Attacks by the Kimsuky Attack Group
2019-03-04 • AhnLab • Operation Kabar Cobra: Analysis of the latest targeted attacks by the Kimsuky attack group
http://download.ahnlab.com/kr/site/library/[Analysis_Report]Operation_Kabar_Cobra.pdf
AhnLab attributes Operation Kabar Cobra to activity suspected of being linked to Kimsuky, including malware sent to Ministry of Unification reporters in January 2019 and other recent targeting of the military, media, finance, cryptocurrency, and related sectors. The attacks used files disguised as Hangul documents, using double extensions and long runs of spaces to hide the real extension, and often packed as WinRAR SFX archives containing decoy HWP/PDF content together with malicious WSF scripts. The scripts retrieved their C2 configuration from the attacker's Google Drive, downloaded additional malware such as Freedom.dll/AhnLabMon.dll and list.dll/Cobra.dll, and supported command execution, file transfer, updates, and log transmission over Base64-encoded C2 traffic. Cobra.dll collected drive, hardware, folder, and file-list information and sent it to the C2, which let the operator steal data from real targets or take anti-analysis actions when a research environment was recognized. The report is important because it documents Kimsuky-linked adaptation around the U.S.–North Korea summit period and shows flexible C2 management, targeted decoys, and hands-on operator commands.