{ "type": "bundle", "id": "bundle--f8f85f6d-ad91-4401-9945-a373a86f77d3", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--71d15b83-cb66-4a14-9309-1ec8fed62b20", "created": "2023-03-08T12:51:56.744933Z", "modified": "2023-03-08T12:51:56.745014Z", "name": "Yoroi", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f2042cc9-1093-4194-9621-993f61f93ce9", "created": "2026-06-24T22:31:31.069877Z", "modified": "2026-06-24T22:31:31.069877Z", "name": "YARA Rule", "pattern": "rule injectedDLL { meta: description = \"Yara rule for the injected DLL\" author = \"Yoroi - ZLab\" last_updated = \"2020-03-02\" tlp = \"white\" category = \"informational\" strings: $a1 = {41 80 3E 5E 89 45 A4 75 08 49} $a2 = {60 03 50 02 30 58 68 01 00 70} $a3 = {98 F7 02 00 7B 44 00 00 91 44} $a4 = \"/?m=b&p1=\" $a5 = \"&p2=b\" $a6 = \"/?m=a&p1=\" $a7 = \"AUAVAWH\" condition: uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) }", "pattern_type": "yara", "valid_from": "2020-03-03T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ba986ada-2f3d-4edb-af31-b43ec7cfa7b0", "created": "2026-06-24T22:31:31.070679Z", "modified": "2026-06-24T22:31:31.070679Z", "name": "YARA Rule", "pattern": "rule AutoUpdate_dll { meta: description = \"Yara rule for the AutoUpdate_dll\" author = \"Yoroi - ZLab\" last_updated = \"2020-03-02\" tlp = \"white\" category = \"informational\" strings: $a1 = {48 8B 3F 48 83 78 18 10 72} $a2 = {36 42 35 45 35 41 42 33 42 41 39} $a3 = { DD E7 FE DA C6 F7 F9 8D 7D F9 } $a4 = \"1#SNAN\" $a5 = \"d$4D9L$t\" $a6 = \"DllRegisterServer\" $a7 = \"DllUnregisterServer\" condition: uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) }", "pattern_type": "yara", "valid_from": "2020-03-03T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--12b49990-88de-48d3-83ff-e9523969ea3e", "created": "2026-06-24T22:31:31.071279Z", "modified": "2026-06-24T22:31:31.071279Z", "name": "YARA Rule", "pattern": "rule loader { meta: description = \"Yara rule for the initial loader SRC\" author = \"Yoroi - ZLab\" last_updated = \"2020-03-02\" tlp = \"white\" category = \"informational\" strings: $a1 = \" goto Repeat1\" $a2 = {84 58 43 F4 39 1B 96 32 E4 2D 63} $a3 = {89 04 4D 30 7A 05 10 41 EB E8 8B} $a4 = {80 A1 B2 F7 15 DE F0 7E 35 75} $a5 = {9C 0E 57 4C 77 B1 0E 06 08 5E} condition: uint16(0) == 0x5A4D and pe.number_of_sections == 5 and 3 of ($a*) }", "pattern_type": "yara", "valid_from": "2020-03-03T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--61e23d78-1954-4301-9c0b-15756ef32769", "hashes": { "SHA-256": "817ef0d9d3584977d1114b7e92012b653d339434a90967cbe8016899801f3751" } }, { "type": "file", "spec_version": "2.1", "id": "file--48bbeb83-2d40-40e4-9dc0-0aced38205d1", "hashes": { "SHA-256": "757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f" } }, { "type": "file", "spec_version": "2.1", "id": "file--a7202224-5ea6-403c-839e-1959600231a3", "hashes": { "SHA-256": "caa24c46089c8953b2a5465457a6c202ecfa83abbce7a9d3299ade52ec8382c2" } }, { "type": "file", "spec_version": "2.1", "id": "file--7936c78a-2317-48c1-8e9d-5b78b6ec6fb6", "hashes": { "SHA-256": "bbad65136d73cbd5262bc88571677b5434ceb54fc1103f2133757dae2ec4b47b" } }, { "type": "file", "spec_version": "2.1", "id": "file--b7979afb-88d6-4055-9741-b82255f03fa0", "hashes": { "SHA-256": "d21523b7b8f6584305a0a6a83cd65c8ce0777a42ab781c35aa06c46c91f504b4" } }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1", "created": "2026-06-24T22:31:31.076678Z", "modified": "2026-06-24T22:31:31.076678Z", "name": "Kimsuky" }, { "type": "report", "spec_version": "2.1", "id": "report--eea8f6a2-f17e-4319-9758-daec7d1437aa", "created_by_ref": "identity--71d15b83-cb66-4a14-9309-1ec8fed62b20", "created": "2026-06-24T22:31:31.077699Z", "modified": "2026-06-24T22:31:31.077699Z", "name": "The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs", "published": "2020-03-03T00:00:00Z", "object_refs": [ "identity--71d15b83-cb66-4a14-9309-1ec8fed62b20", "indicator--f2042cc9-1093-4194-9621-993f61f93ce9", "indicator--ba986ada-2f3d-4edb-af31-b43ec7cfa7b0", "indicator--12b49990-88de-48d3-83ff-e9523969ea3e", "file--61e23d78-1954-4301-9c0b-15756ef32769", "file--48bbeb83-2d40-40e4-9dc0-0aced38205d1", "file--a7202224-5ea6-403c-839e-1959600231a3", "file--7936c78a-2317-48c1-8e9d-5b78b6ec6fb6", "file--b7979afb-88d6-4055-9741-b82255f03fa0", "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1" ], "external_references": [ { "source_name": "source", "url": "https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/" } ] } ] }