This blog post was authored by Hossein Jazi.

The Kimsuky APT—also known as Thallium, Black Banshee, and Velvet Chollima—is a North Korean threat actor that has been active since 2012. The group conducts cyber espionage operations to target government entities mainly in South Korea. On December 2020, KISA (Korean Internet & Security Agency) provided a detailed analysis about the phishing infrastructure and TTPs used by Kimsuky to target South Korea.

The Malwarebytes Threat Intelligence team is actively monitoring this actor and has been able to spot phishing websites, malicious documents, and scripts that have been used to target high profile people within the government of South Korea. The structure and TTPs used in these recent activities align with what has been reported in KISA’s report.


One of the lures used by Kimsuky named “외교부 가판 2021-05-07” in Korean language translates to “Ministry of Foreign Affairs Edition 2021-05-07” which indicates that it has been designed to target the Ministry of Foreign Affairs of South Korea. According to our collected data, we have identified that it is one entity of high interest for Kimsuky. Other targets associated with the Korean government include:

  • Ministry of Foreign Affairs, Republic of Korea 1st Secretary
  • Ministry of Foreign Affairs, Republic of Korea 2nd Secretary
  • Trade Minister
  • Deputy Consul General at Korean Consulate General in Hong Kong
  • International Atomic Energy Agency (IAEA) Nuclear Security Officer
  • Ambassador of the Embassy of Sri Lanka to the State
  • Ministry of Foreign Affairs and Trade counselor

Beside targeting government, we also have observed that Kimsuky collected information about universities and companies in South Korea including the Seoul National University and Daishin financial security company as well as KISA. This does not mean the threat actors actively targeted them yet nor that they were compromised.

Phishing Infrastructure

The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes.

As an example, they have added the Mobile_detect and Anti_IPs modules from type B to type C (KISA report) in order to be able to detect mobile devices and adjust the view based on that. This phishing model has the capability to show phishing pages in English or Korean based on the parameter value received from the phishing email. This model has been deployed by Kimsuky to target not only Korean speaking victims but also English speaking people, as well.

Figure 1: Phishing service model

We have observed that they developed different phishing techniques to mimic the following web services and steal credentials:

  • Gmail
  • Hotmail
  • Microsoft Outlook
  • Nate
  • Daum
  • Naver
  • Telegram
  • KISA
Figure 2: Nate phishing page developed by Kimsuky APT

We have identified several URLs used by Kimsuky to host their phishing infrastructure:


The group has used Twitter accounts to find and monitor its targets to prepare well crafted spear phishing emails. The group also is using Gmail accounts to use for phishing attacks or registering domains. One of the Gmail accounts used by this actor is ” tjkim1991@gmail[.]com” which was used to register the following domains:[.]us[.]us

They were registered on April 3 and we believe have been reserved to be used for future campaigns. Pivoting from these domains, we were able to uncover the infrastructure used by this actor. Some of it has overlap with previously reported campaigns operated by Kimsuky.

Figure 3: Infrastructure pivoting

Command and Control infrastructure

Kimsuky reuses some of its phishing infrastructure for its command and control communications. In their most recent attack against South Korea’s government they reused the infrastructure that has been used to host their phishing websites for AppleSeed backdoor C&C communications. Besides using the AppleSeed backdoor to target Windows users, the actor also has used an Android backdoor to target Android users. The Android backdoor can be considered as the mobile variant of the AppleSeed backdoor. It uses the same command patterns as the Windows one. Also, both Android and Windows backdoors have used the same infrastructure. It is also interesting to mention that this actor calls themselves Thallium.

Figure 4: C2 infrastructure

Here are some of IPs and domains used by the actor for C2 communications:


Analysis of the most recent AppleSeed attack

In this section we provide an analysis of the AppleSeed backdoor that has been used to target the Ministry of the Foreign Affairs of South Korea.

Initial Access

The actor has distributed its dropper embedded in an archive file (외교부 가판 as an attachment through spearphishing emails. The target email addresses have been collected using the actor email phishing campaigns we described in the previous section. The actor conducted this spearphishing attack on May 7, 2021.

The archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice).

At first it uses the MSXML Base64 decoding functionality to decode the first layer and then uses certutil.exe to decode the second layer and get the final ApppleSeed payload. The decoy PDF file has been decoded using the MSXML Base64 decoding function.

Figure 5: JS dropper

After decoding the PDF and AppleSeed payload, the content gets written into the ProgramData directory. At the end, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload executed through PowerShell by calling regsvr32.exe. Calling regsvr32.exe to run a DLL registers it as a server that automatically calls the DLL export function that has been named DllRegisterServer.

powershell.exe -windowstyle hidden regsvr32.exe /s AppleSeed_Payload

AppleSeed Backdoor

The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. The encrypted version of the strings and API calls are in hex ASCII format. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it.

The first function “string_decryptor_prep” gets the encrypted string and then prepares a custom data structure that has four elements:

typedef struct _UNICODESTR {
	wchar_t *Buffer; // Encrypted string 
	DWORD padding;
	uint64_t Length; // Length of the string
	uint64_t MaxLength; // Max length for the string which has been calculated based on the lenght

The second function “string_decryptor” gets the created data structure in the previous function and then decrypts the string and puts it in the same data structure.

Figure 6: String decryptor function

The decryptor function first convert the input string in hex ascii format to binary by calling the hexascii_to_binary function on each two ascii characters (i.e. c3, 42, b1, 1d… in example 1). The first 16 bytes of in the input is then used as the key and the remainder is the actual value that gets decrypted in 16 byte chunks (i.e. ed, d5, 0d, 60).
Decryption is a simple xor operation of key[i] ^ string[i-1] ^ string[i] (For the first character string_to_be_decrypted[i-1] is set to zero).

Figure 7: String decoder example

Most of the important API calls resolve dynamically during the run time using “string_decryptor” function. (288 API calls have been resolved dynamically.)

Figure 8: Resolve API calls

The AppleSeed payload has an export function named “DllRegisterServer” which will be called when the DLL is executed using RegSvr32.exe. DllRegisterServer has a function that is responsible for performing the DLL initialization and setup that includes the following steps:

  • Copy itself into “C:\ProgramData\Software\ESTsoft\Common” and rename itself as ESTCommon.dll to pretend it is a DLL that belongs to ESTsecurity company.
  • Make itself persistent by creating the following registry key:
Registry key name: EstsoftAutoUpdate
Registry key value: Regsvr32.exe /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Registry location: HKLU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Figure 9: Registry creation
  • Functionality activation by creating the following files into “C:\ProgramData\Software\ESTsoft\Common\flags” directory and writes “flag” into them: FolderMonitor, KeyboardMonitor, ScreenMonitor, UsbMonitor.

In the next step it creates a Mutex to make sure it only infects a victim once.

Figure 10: Mutex creation

After creating that mutex, it checks if the current process has the right access privilege by calling GetTokenInformation API call and if it does not have the right privilege, it tries to escalate its privilege using AdjustTokenPrivilege by passing SeDebugPrivilege to it to gain system level privilege.

Figure 11: Privilege escalation

At the end it performs its main functionalities in separate threads. All the the collected data in each thread is being zipped and encrypted and is being sent to the command and control server using HTTP POST requests in a separate thread. After sending the data to the server, the data is deleted from the victim’s machine.
The ApppleSeed payload is using RC4 for encryption and decryption of the data. To generate RC4 key, it creates a Random buffer of 117 bytes by Calling CryptGenRandom and then uses CryptCreateHash and CryptHashData to adds the buffer into a MD5 hash object. Then it calls CryptDeriveKey to generate the RC4 key.
The created 117 bytes buffer is encrypted using RSA algorithm and is sent to the sever along with RC4 encrypted data. The RSA key is in hex ASCII format and has been decrypted using “string_decryptor” function.

Input Capture (KeyLogger)

The keylogger function uses GetKeyState and GetKeyboardState to capture the pressed keys on the victim’s machine and logs all keys per process into the log.txt file.

Figure 12: KeyLogger

Screen Capture

This module takes screenshots by calling the following sequence of API calls and writes them to files: GetDesktopWindow, GetDC, CreateCompstibleDC, CreateCompatibleBitmap, Bitblt and GetDIBits and then writes them into a file using CreateFileW and WriteFile.

Figure 13: Capture Screen

Collect removable media data

This module finds the removable media devices connected to the machine and collects its data before sending it to the command and control server. To identify a USB drive it calls CM_Get_Device_IDW to retrieve the device instance ID that would be in format “<device-ID>\<instance-specific-ID>” and then checks if it contains USB string value.

Figure 14: Get removable devices

Collect files

This thread looks for txt, ppt, hwp, pdf, and doc files in the Desktop, Documents, Downloads and AppData\Local\Microsoft\Windows\INetCache\IE directories and archives them to be ready to be exfiltrated to the server.

Figure 15: File collection

Command structure

The AppleSeed backdoor is using a two layer command structure to communicate to its command and control server. Here is the URL pattern used for C&C communications:

entity:url url:?m=[command layer one]&p1=[volume serial number]&p2=[command layer two]

Command layer one defines the type of command that server expected to be executed on the victim and it can have one of the following values:

aping mode (Collect victim info including IP, Time stamp, victim OS version)
bupload data mode
cDownload command (Waiting for command)
dDelete command
eUpload command mode
fList directories mode
gDelete file mode
hCheck existence of a file mode
Command Layer one

Command layer 2 is only for when the command layer 1 is in upload data mode (c) and defines the type of upload. It can have one of the following values:

aUpload command execution results
bUpload files and removable media data
cUpload screenshots
dUpload input capture data (Keylogger data)
Command layer 2


Kimsuky is one of North Korea’s threat actors that has mainly targeted South Korean government entities. In this blog post we took a look at this group’s activities including its phishing infrastructure and command and control mechanisms. Our research has shown that the group is still using a similar infrastructure and TTPs as reported on December 2020 by KISA. Its most recent campaign targeted the ministry of foreign affairs using the Apple Seed backdoor.

MITRE ATT&CK Techniques

ReconnaissanceT1598Phishing for InformationUse phishing to collect email addresses for targeted attack
Resource DevelopmentT1583.00Acquire Infrastructure: DomainsPurchase and register domains a few month before the attack
Resource DevelopmentT1587.001Develop Capabilities: MalwareDevelop AppleSeed backdoor for the attack
Resource DevelopmentT1585.002Establish Accounts: Email AccountsCreate email accounts to register domains and use in phishing attacks
Resource DevelopmentT1585.001Establish Accounts: Social Media AccountsUse Twitter to collect info about victims
Initial AccessT1566.001Phishing: Spearphishing AttachmentDistributing archive files that contains JS dropper through phishing emails
ExecutionT1059.001Command and Scripting Interpreter: PowerShellUse PowerShell to execute commands
ExecutionT1059.007Command and Scripting Interpreter: JavaScriptUse JS to execute PowerShell
PersistenceT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderCreate Registry RunOnce key
Privilege EscalationT1134Access Token ManipulationAdjust its token privileges to have the SeDebugPrivilege
Defense Evasion T1134Access Token ManipulationAdjust its token privileges to have the SeDebugPrivilege
Defense EvasionT1140Deobfuscate/Decode Files or Information– Use the command certutil to decode base64 contents
– Decrypt data coming from Server
Defense EvasionT1070.004Indicator Removal on Host: File DeletionDelete its exfiltrated data to cover its tracks
Defense EvasionT1112Modify Registry modify the Run registry key
Defense EvasionT1027Obfuscated Files or Information– All the strings and API calls are obfuscated using custom encryption
– The dropped payload is packed with UPX
Defense EvasionT1218.010Signed Binary Proxy Execution: Regsvr32Load payload through Regsvr32
Credential AccessT1056.001Input Capture: KeyloggingLog keystrokes on the victim’s machine
DiscoveryT1083File and Directory DiscoveryObtain file and directory listings
DiscoveryT1082System Information DiscoveryCollect OS type and volume serial number
CollectionT1560Archive Collected DataCompress and encrypt collected data prior to exfiltration
CollectionT1005Data from Local SystemCollect data from local system
CollectionT1025Data from Removable MediaCollect data from removable media
CollectionT1056.001Input Capture: KeyloggingLog keystrokes on the victim’s machine
CollectionT1113Screen CaptureCapture screenshots
Command and ControlT1001Data ObfuscationEncrypt data for exfiltration
Command and ControlT1071.001Application Layer Protocol: Web ProtocolsUse HTTP for command and control communication
ExfiltrationT1041Exfiltration Over C2 ChannelExfiltrate data over the same channel used for C2