Springtail APT group abuses valid certificate of known Korean public entity
2024-03-21 • Symantec
Symantec reports that Springtail, also known as Kimsuky, distributed dropper malware disguised as an application from a known Korean public entity. The source says the operation abused a valid certificate and installed the Endoor backdoor after compromise. Endoor gives the attackers a foothold for collecting sensitive information from victims or deploying additional malware. Symantec detections and WebPulse coverage are listed for protection.