Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed
2023-12-28 • AhnLab
AhnLab analyzes Kimsuky's continued use of AppleSeed in spear-phishing operations against South Korean and other targets in the defense, media, diplomacy, government, and academic sectors. Recent intrusions still deliver AppleSeed through JavaScript droppers, malicious documents, or Excel macros. Newer AppleSeed DLLs, however, check the argument they are executed with via Regsvr32: run without the expected argument (for example, by a sandbox that executes the DLL on its own), the DLL deletes itself instead of running. The report also tracks AlphaSeed, a Golang variant with AppleSeed-like functionality that communicates through ChromeDP and email protocols and is sometimes deployed alongside AppleSeed after a certutil-based installation. Post-compromise tooling includes Meterpreter, a customized TightVNC, TinyNuke/HVNC variants, RDP abuse, and Chrome Remote Desktop, showing Kimsuky's emphasis on persistent remote control and information theft.
Indicators of Compromise
| Type | Value (hashes are MD5) | First Seen | Last Seen |
|---|---|---|---|
| HASH | e582bd909800e87952eb1f206a279e47 | 2023-12-22 | 2024-06-11 |
| HASH | 232046aff635f1a5d81e415ef64649b7 | 2023-12-22 | 2024-06-11 |
| IPv4 | 104.168.145.83 | 2023-12-22 | 2024-06-11 |
| IPv4 | 38.110.1.69 | 2023-12-22 | 2024-06-11 |
| HASH | 4511e57ae1eacdf1c2922bf1a94bfb8d | 2023-12-22 | 2023-12-28 |
| HASH | b6ab96dc4778c6704b6def5db448a020 | 2023-12-22 | 2023-12-28 |
| HASH | f3a55d49562e41c7d339fb52457513ba | 2023-12-22 | 2023-12-28 |
| HASH | ae9593c0c80e55ff49c28e28bf8bc887 | 2023-12-22 | 2023-12-28 |
| HASH | ee76638004c68cfc34ff1fea2a7565a7 | 2023-12-22 | 2023-12-28 |
| HASH | d94c6323c3f77965451c0b7ebeb32e13 | 2023-12-22 | 2023-12-28 |
| HASH | e34669d56a13d607da1f76618eb4b27e | 2023-12-22 | 2023-12-28 |
| HASH | b5d3e0c3c470d2d41967229e17259c87 | 2023-12-22 | 2023-12-28 |
| HASH | 52ff761212eeaadcd3a95a1f8cce4030 | 2023-12-22 | 2023-12-28 |
| HASH | db5fc5cf50f8c1e19141eb238e57658c | 2023-12-22 | 2023-12-28 |
| HASH | ac99b5c1d66b5f0ddb4423c627ca8333 | 2023-12-22 | 2023-12-28 |
| HASH | 76831271eb117b77a57869c80bfd6ba6 | 2023-12-22 | 2023-12-28 |
| HASH | 58fafabd6ae8360c9d604cd314a27159 | 2023-12-22 | 2023-12-28 |
| HASH | 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf | 2023-12-22 | 2023-12-28 |
| HASH | 153383634ee35b7db6ab59cde68bf526 | 2023-12-22 | 2023-12-28 |
| HASH | cafc26b215550521a12b38de38fa802b | 2023-12-22 | 2023-12-28 |
| HASH | 02843206001cd952472abf5ae2b981b2 | 2023-12-22 | 2023-12-28 |
| HASH | cacf04cd560b70eaaf0e75f3da9a5e8f | 2023-12-22 | 2023-12-28 |
| HASH | 0cce02d2d835a996ad5dfc0406b44b01 | 2023-12-22 | 2023-12-28 |
| HASH | c560d3371a16ef17dd79412f6ea99d3a | 2023-12-22 | 2023-12-28 |
| HASH | 5d3ab2baacf2ad986ed7542eeabf3dab | 2023-12-22 | 2023-12-28 |
| HASH | 7a7937f8d4dcb335e96db05b2fb64a1b | 2023-12-22 | 2023-12-28 |
| HASH | d4ad31f316dc4ca0e7170109174827cf | 2023-12-22 | 2023-12-28 |
| HASH | b6f17d59f38aba69d6da55ce36406729 | 2023-12-22 | 2023-12-28 |
| HASH | 4cb843f2a5b6ed7e806c69e6c25a1025 | 2023-12-22 | 2023-12-28 |
| HASH | 6a968fd1608bca7255c329a0701dbf58 | 2023-12-22 | 2023-12-28 |
| HASH | 8aeacd58d371f57774e63d217b6b6f98 | 2023-12-22 | 2023-12-28 |
| URL | http://yes24.r-e.kr/aha/ | 2023-12-22 | 2023-12-28 |
| URL | http://nobtwoseb1.n-e.kr// | 2023-12-22 | 2023-12-28 |
| URL | http://bitburny.kro.kr/aha/ | 2023-12-22 | 2023-12-28 |
| URL | http://update.ahnlaib.kro.kr/ah… | 2023-12-22 | 2023-12-28 |
| URL | http://update.onedrive.p-e.kr/a… | 2023-12-22 | 2023-12-28 |
| URL | http://doma2.o-r.kr// | 2023-12-22 | 2023-12-28 |
| URL | http://octseven1.p-e.kr// | 2023-12-22 | 2023-12-28 |
| URL | http://bitthum.kro.kr/hu/ | 2023-12-22 | 2023-12-28 |
| URL | http://update.doumi.kro.kr/aha/ | 2023-12-22 | 2023-12-28 |
| URL | http://tehyeran1.r-e.kr// | 2023-12-22 | 2023-12-28 |
| URL | http://my.topton.r-e.kr/address/ | 2023-12-22 | 2023-12-28 |
| DOMAIN | yes24.r-e.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | update.ahnlaib.kro.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | nobtwoseb1.n-e.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | doma2.o-r.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | update.doumi.kro.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | update.onedrive.p-e.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | octseven1.p-e.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | bitburny.kro.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | tehyeran1.r-e.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | bitthum.kro.kr | 2023-12-22 | 2023-12-28 |
| DOMAIN | my.topton.r-e.kr | 2023-12-22 | 2023-12-28 |
| IPv4 | 159.100.6.137 | 2023-12-22 | 2023-12-28 |
| IPv4 | 45.114.129.138 | 2023-12-22 | 2023-12-28 |
| IPv4 | 107.148.71.88 | 2023-12-22 | 2023-12-28 |
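As an added example (not code from AhnLab's report), the script below turns the indicator table above into lookup sets and runs them, together with two behavioural heuristics drawn from the summary, over constructed Sysmon-style events: the Regsvr32 `/i:` install argument that AppleSeed DLLs are described as checking, and `certutil` switches used for decoding or downloading a payload. The exact Regsvr32 argument value and the certutil switches Kimsuky uses are not given on this page, so the `EXAMPLE_ARG` value and the switch list are assumptions; truncated URL rows are matched on hostname only, never completed.

```python
import re
from urllib.parse import urlparse

# Rows copied from the indicator table on this page (a subset; paste the full table to extend it).
IOC_TABLE = """
| HASH | e582bd909800e87952eb1f206a279e47 | 2023-12-22 | 2024-06-11 |
| HASH | 232046aff635f1a5d81e415ef64649b7 | 2023-12-22 | 2024-06-11 |
| IPv4 | 104.168.145.83 | 2023-12-22 | 2024-06-11 |
| URL | http://yes24.r-e.kr/aha/ | 2023-12-22 | 2023-12-28 |
| URL | http://update.ahnlaib.kro.kr/ah… | 2023-12-22 | 2023-12-28 |
| DOMAIN | update.doumi.kro.kr | 2023-12-22 | 2023-12-28 |
"""

# Heuristics (assumed switch sets, not taken from the report):
# regsvr32 passes the string after /i: to the DLL's DllInstall export, which is how a
# DLL can check "was I launched with the right argument". certutil -decode/-urlcache
# are the usual payload-staging switches.
REGSVR32_INSTALL = re.compile(r"regsvr32(\.exe)?\b.*\s[/-]i:", re.IGNORECASE)
CERTUTIL_ABUSE = re.compile(r"certutil(\.exe)?\b.*\s[-/](decode|urlcache|verifyctl)\b", re.IGNORECASE)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_ioc_table(text):
    """Turn markdown IOC rows into lowercase lookup sets keyed by type.
    URL rows also contribute their hostname to DOMAIN (DNS/proxy logs rarely show
    the path). Rows truncated with '…' in the source keep only the hostname."""
    iocs = {"HASH": set(), "IPv4": set(), "URL": set(), "DOMAIN": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] not in iocs:
            continue
        kind, value = cells[0], cells[1].lower()
        if kind == "URL":
            host = urlparse(value).hostname
            if host:
                iocs["DOMAIN"].add(host)
            if "…" in value:  # truncated in the source; do not guess the rest
                continue
            value = value.rstrip("/")
        iocs[kind].add(value)
    return iocs


def regsvr32_suspicious(cmd):
    """regsvr32 given an /i: install argument for a DLL outside the system directories."""
    if not REGSVR32_INSTALL.search(cmd):
        return False
    m = DLL_ARG.search(cmd)
    dll = (m.group(1) or m.group(2)) if m else ""
    return not dll.lower().startswith(SYSTEM_DIRS)


def triage(events, iocs):
    """Return (event index, reason) pairs for IOC matches and heuristic hits."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev.get("cmdline", "").lower()
        if ev.get("md5", "").lower() in iocs["HASH"]:
            hits.append((i, "known AppleSeed/AlphaSeed file hash"))
        if ev.get("dst_ip") in iocs["IPv4"]:
            hits.append((i, "connection to listed C2 IP"))
        host = ev.get("query") or (urlparse(ev["url"]).hostname if ev.get("url") else None)
        if host and host.lower() in iocs["DOMAIN"]:
            hits.append((i, "contact with listed C2 domain"))
        if ev.get("url", "").lower().rstrip("/") in iocs["URL"]:
            hits.append((i, "request to listed C2 URL"))
        if regsvr32_suspicious(cmd):
            hits.append((i, "regsvr32 /i: argument to non-system DLL (AppleSeed-style launch)"))
        if CERTUTIL_ABUSE.search(cmd):
            hits.append((i, "certutil used to decode/download a payload"))
    return hits


# Constructed sample telemetry, not real captures. EXAMPLE_ARG stands in for the
# argument value, which the report does not disclose here.
SAMPLE_EVENTS = [
    {"type": "process", "md5": "232046aff635f1a5d81e415ef64649b7",
     "cmdline": r'regsvr32.exe /s /n /i:EXAMPLE_ARG "C:\Users\kim\AppData\Local\Temp\init.dll"'},
    {"type": "process",
     "cmdline": r"certutil -decode C:\Users\kim\AppData\Local\Temp\tmp.txt C:\Users\kim\AppData\Local\Temp\init.dll"},
    {"type": "dns", "query": "update.doumi.kro.kr"},
    {"type": "network", "dst_ip": "104.168.145.83"},
    {"type": "http", "url": "http://yes24.r-e.kr/aha/"},
    {"type": "process", "md5": "00000000000000000000000000000000",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},  # benign: no /i:, system DLL
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS, parse_ioc_table(IOC_TABLE)):
        print(f"event {idx}: {reason}")
```

The hash and address matches are exact and age out with the Last Seen column; the two heuristics are what remain useful once the infrastructure rotates, and both should be tuned against a baseline of legitimate `regsvr32 /i:` and `certutil` use in the environment before alerting on them.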