{ "type": "bundle", "id": "bundle--d0bd79e2-485b-4fb6-a4af-31064a2eba9f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "created": "2026-04-13T05:27:30.708162Z", "modified": "2026-04-22T01:03:40.519059Z", "name": "BreakGlassIntelligence", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--fda9e16e-39d7-413f-a92c-48d0adeac45d", "hashes": { "SHA-256": "d7c09e7bf79aa9b786dcd9f870427f4a1110f702646fba9d3835215ad3649d0b" } }, { "type": "file", "spec_version": "2.1", "id": "file--71d4a92b-2fbe-4c7a-80d9-fa81b129ab1a", "hashes": { "SHA-256": "af50f35701916d3909f2727cdcbde1a7af47f46eb8db3996905b1c0725aa133f" } }, { "type": "file", "spec_version": "2.1", "id": "file--2b8b1db8-a5c4-47e7-aafa-7f4f3f6d610c", "hashes": { "SHA-256": "85f8f8a3f28d2956776fbbd0365cdb78ac8dc1e6ed12818ef18caed0bb2f74c8" } }, { "type": "file", "spec_version": "2.1", "id": "file--5f3a998a-b12a-458a-b64b-71e228f6ac6e", "hashes": { "SHA-256": "a36576a096db24a1c91327eb547dedf52e5bd4b0d4593b88d9593d377585b922" } }, { "type": "file", "spec_version": "2.1", "id": "file--4ee135f9-30fb-4f11-b394-5d521d1633e9", "hashes": { "MD5": "0ac44ad9cfbc58ed76415f7bc79239f9" } }, { "type": "file", "spec_version": "2.1", "id": "file--cb0a79dc-07a2-47e1-b44a-7963fee27100", "hashes": { "SHA-256": "1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793" } }, { "type": "url", "spec_version": "2.1", "id": "url--efd3f77a-2cfd-4976-b7f7-7d56b4690634", "value": "http://check.nid-log.com/api/finalservice.php" }, { "type": "url", "spec_version": "2.1", "id": "url--3120d0ca-7813-44ed-b213-ab32775576b3", "value": "http://check.nid-log.com/api/bootservice.php" }, { "type": "url", "spec_version": "2.1", "id": "url--3a9b7c71-7304-4a8d-98f6-f48536a59eb1", "value": "http://check.nid-log.com/api/checkservice.php" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--676a1455-397b-433c-9313-0b7e34813c56", "value": "verify.efine-log.kro.kr" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--c60215d6-55dc-44cc-8828-1cae3862b2bd", "value": "udalyonka.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--6e757a04-c1d4-4fb4-ab95-ed065ac945fe", "value": "nid-htl.duckdns.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a440ded0-b0fe-4f06-a21f-0ef13e7fea5f", "value": "nid-log.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--3d35e654-e604-4ee8-b02d-b027e25a5639", "value": "chk.uncork.biz" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--45805335-4f66-42dc-bb85-f675a6b00ef7", "value": "nid-navertca.servehalflife.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a090db58-1c42-4213-b2c5-88eee79a7ae8", "value": "nid-naverpep.servequake.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--61bec915-044c-42aa-aa24-2d6074c8d935", "value": "nid-naverfxc.servecounterstrike.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--bd282170-9983-429c-ae88-554abd0bb6dd", "value": "uncork.biz" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--895737f5-7398-44af-90f4-c812a3228fb5", "value": "nid-navercwu.servecounterstrike.com" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--bb6c2cbb-dba7-4635-9e0c-d5d51ca3fbc8", "value": "27.102.137.38" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--503b767c-4acf-47e9-91bc-112319f6471d", "value": "38.60.220.135" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--bec21ce9-bbca-44de-a61b-abb715fcc1dc", "value": "27.102.138.45" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--765df14f-7680-42c1-9cf1-60464e8dc26c", "value": "51.79.185.184" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--9d71e75b-d0b0-47b3-8f81-a82de69a6d96", "value": "130.94.29.111" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--f7114ad2-8010-4e56-bf4b-e8243c0596ab", "value": "27.102.137.150" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--cf97958b-28ca-4b9d-8f67-7c61175c2420", "value": "162.255.119.150" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--c6a79686-5a46-4d44-9d54-ecea59c4fee6", "value": "118.194.249.109" }, { "type": "file", "spec_version": "2.1", "id": "file--db5d8d55-587f-447a-9416-ed1666719260", "hashes": { "MD5": "4599ac1bbe483c73064df1353feafd01" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ab9de92d-fa15-492c-99d5-8829a0b46c94", "created": "2026-06-24T22:22:20.582978Z", "modified": "2026-06-24T22:22:20.582978Z", "name": "YARA Rule", "pattern": "rule Kimsuky_Bootservice_CHM_Dropper {\r\nmeta:\r\ndescription = \"Kimsuky CHM dropper delivering VBS stager via bootservice.php C2\"\r\nauthor = \"GHOST - Breakglass Intelligence\"\r\ndate = \"2026-04-11\"\r\nreference = \"https://intel.breakglass.tech\"\r\nstrings:\r\n$c2_1 = \"bootservice.php\" ascii wide\r\n$c2_2 = \"checkservice.php\" ascii wide\r\n$c2_3 = \"finalservice.php\" ascii wide\r\n$c2_4 = \"loggerservice.php\" ascii wide\r\n$drop = \"Links\\\\Link\" ascii wide\r\n$ole = \"Microsoft.XMLHTTP\" ascii wide\r\n$persist = \"OfficeUpdater\" ascii wide\r\n$mutex = \"AlreadyRunning19122345\" ascii wide\r\n$ua_1 = \"Chremo/\" ascii wide\r\n$ua_2 = \"Edgo/\" ascii wide\r\ncondition:\r\nany of ($c2_*) and any of ($drop, $ole, $persist, $mutex, $ua_*)\r\n}", "pattern_type": "yara", "valid_from": "2026-04-11T00:00:00Z" }, { "type": "url", "spec_version": "2.1", "id": "url--46e18f12-09c7-46b3-a923-c8ae1782dd97", "value": "http://check.nid-log.com/api/bootservice.php?" }, { "type": "url", "spec_version": "2.1", "id": "url--92176652-2c86-4c5b-a790-8077efbd8c0f", "value": "http://check.nid-log.com/api" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--ca6f33ce-ab74-4aa7-985d-29de640dfcfc", "value": "withheldforprivacy.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1", "created": "2026-06-24T22:22:20.588953Z", "modified": "2026-06-24T22:22:20.588953Z", "name": "Kimsuky" }, { "type": "report", "spec_version": "2.1", "id": "report--ceff0204-3c1b-4f02-abec-aa11f95b2f41", "created_by_ref": "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "created": "2026-06-24T22:22:20.617338Z", "modified": "2026-06-24T22:22:20.617338Z", "name": "We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "published": "2026-04-11T00:00:00Z", "object_refs": [ "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "file--fda9e16e-39d7-413f-a92c-48d0adeac45d", "file--71d4a92b-2fbe-4c7a-80d9-fa81b129ab1a", "file--2b8b1db8-a5c4-47e7-aafa-7f4f3f6d610c", "file--5f3a998a-b12a-458a-b64b-71e228f6ac6e", "file--4ee135f9-30fb-4f11-b394-5d521d1633e9", "file--cb0a79dc-07a2-47e1-b44a-7963fee27100", "url--efd3f77a-2cfd-4976-b7f7-7d56b4690634", "url--3120d0ca-7813-44ed-b213-ab32775576b3", "url--3a9b7c71-7304-4a8d-98f6-f48536a59eb1", "domain-name--676a1455-397b-433c-9313-0b7e34813c56", "domain-name--c60215d6-55dc-44cc-8828-1cae3862b2bd", "domain-name--6e757a04-c1d4-4fb4-ab95-ed065ac945fe", "domain-name--a440ded0-b0fe-4f06-a21f-0ef13e7fea5f", "domain-name--3d35e654-e604-4ee8-b02d-b027e25a5639", "domain-name--45805335-4f66-42dc-bb85-f675a6b00ef7", "domain-name--a090db58-1c42-4213-b2c5-88eee79a7ae8", "domain-name--61bec915-044c-42aa-aa24-2d6074c8d935", "domain-name--bd282170-9983-429c-ae88-554abd0bb6dd", "domain-name--895737f5-7398-44af-90f4-c812a3228fb5", "ipv4-addr--bb6c2cbb-dba7-4635-9e0c-d5d51ca3fbc8", "ipv4-addr--503b767c-4acf-47e9-91bc-112319f6471d", "ipv4-addr--bec21ce9-bbca-44de-a61b-abb715fcc1dc", "ipv4-addr--765df14f-7680-42c1-9cf1-60464e8dc26c", "ipv4-addr--9d71e75b-d0b0-47b3-8f81-a82de69a6d96", "ipv4-addr--f7114ad2-8010-4e56-bf4b-e8243c0596ab", "ipv4-addr--cf97958b-28ca-4b9d-8f67-7c61175c2420", "ipv4-addr--c6a79686-5a46-4d44-9d54-ecea59c4fee6", "file--db5d8d55-587f-447a-9416-ed1666719260", "indicator--ab9de92d-fa15-492c-99d5-8829a0b46c94", "url--46e18f12-09c7-46b3-a923-c8ae1782dd97", "url--92176652-2c86-4c5b-a790-8077efbd8c0f", "domain-name--ca6f33ce-ab74-4aa7-985d-29de640dfcfc", "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1" ], "external_references": [ { "source_name": "source", "url": "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" } ] } ] }