Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
2024-09-26 • Palo Alto Networks
https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/
The North Korean APT group Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) is known for its sophisticated cyberespionage operations and advanced spear phishing attacks. In a spear phishing campaign targeting South Korean users, the threat actor delivered a PowerShell keylogger that an earlier report by ASEC also mentioned. Sparkling Pisces is also known for its complex and constantly evolving infrastructure, which overlaps across multiple malware strains and campaigns. One of the malware samples, KLogEXE, was found by tracking the infrastructure the group used as the command and control (C2) for a PowerShell keylogger that JPCERT documented.
Indicators of Compromise