**Full Report:** Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.

# Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
* **Actor Name:** Kimsuky
* **Known Aliases:** Velvet Chollima, Black Banshee, Thallium, TA406, Emerald Sleet.
* **Known Associations:** North Korean-linked Advanced Persistent Threat (APT) group, believed to be working under the Reconnaissance General Bureau (RGB).
* **Sub-clusters:** This report specifically highlights the connection between the **AppleSeed** malware cluster and the **PebbleDash** (a.k.a. NorthStar) cluster.
## Activity Summary
Recent campaigns observed by researchers show Kimsuky evolving its toolkit by introducing new PebbleDash-based variants. The actor continues to refine its "AppleSeed" ecosystem, which is characterized by multi-stage infection chains. The campaigns focus on maintaining persistence within high-value targets to exfiltrate intelligence. The discovery of a new specialized loader for PebbleDash indicates a shift toward more modular and stealthy deployment methods.
## Tactics, Techniques & Procedures
* **Initial Access:** Highly targeted spear-phishing emails containing malicious attachments or links to compromised websites.
* **Execution:** Use of malicious DLLs and ISO/VHD images to bypass security controls.
* **Persistence:** Establishing long-term access via registry modifications and scheduled tasks.
* **Defense Evasion:**
  * Use of multi-staged loaders to decrypt and execute final payloads in memory.
  * Packing and obfuscation of PebbleDash variants.
* **C2 Communication:** HTTP-based communication with dedicated command-and-control servers using custom encryption.
* **MITRE ATT&CK IDs (Inferred from TTPs):**
  * T1566.001 (Phishing: Malicious Attachment)
  * T1059.003 (Command and Scripting Interpreter: Windows Shell)
  * T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  * T1071.001 (Application Layer Protocol: Web Protocols)
## Targeting
* **Sectors:** Foreign policy, national security, think tanks, academic institutions, and government entities.
* **Geography:** Primary focus on South Korea; additional interest in the United States, Japan, and European countries involved in North Korean affairs.
* **Victims:** Diplomatic staff, professors, and researchers specializing in Korean Peninsula geopolitics.
## Tools & Infrastructure
* **Malware Families:**
  * **AppleSeed:** A sophisticated backdoor used for file exfiltration, keylogging, and screenshot capture.
  * **PebbleDash:** A remote access trojan (RAT) with capabilities for arbitrary command execution and file management.
  * **New Loaders:** Specialized PebbleDash-based tools used to pivot through internal networks.
* **Infrastructure (all indicators defanged):**
  * `210[.]16[.]120[.]231`
  * `45[.]13[.]135[.]103`
  * `highnoon[.]my-site[.]hosting`
  * `centerton[.]atwebpages[.]com`
  * `security-update[.]at-host[.]net`
## Implications
Kimsuky remains a highly adaptive threat actor. The convergence of the AppleSeed and PebbleDash clusters suggests a consolidation of development resources or a coordination between different sub-units. The refinement of their toolkit implies a sustained focus on long-term espionage and data theft, posing a significant risk to geopolitical stability and intellectual property related to government policy.
## Mitigations
* **Email Security:** Implement advanced phishing protection and DMARC/SPF/DKIM verification to identify spoofed domains.
* **Endpoint Defense:** Deploy EDR solutions capable of detecting atypical DLL loading and unauthorized registry modifications.
* **Network Monitoring:** Block known C2 IPs and monitor for suspicious HTTP traffic to unusual hosting providers (e.g., free hosting sites used by the actor).
* **User Training:** Provide specialized training for high-value individuals (researchers/diplomats) on identifying sophisticated social engineering attempts.
* **Whitelisting:** Restrict the execution of ISO, VHD, and LNK files from external sources where not business-essential.
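The Network Monitoring mitigation above relies on the indicators listed under Infrastructure. As an added example (not tooling from the report or from Kaspersky), the following Python refangs those indicators and matches them against proxy log lines. The log lines and their format (timestamp, client IP, method, URL, status) are constructed for the example, and the parent-zone heuristic, which flags any host under the same free-hosting zones as the listed C2 hostnames, is an assumption derived from the report's advice to watch traffic to unusual hosting providers.

```python
"""Match the report's defanged C2 indicators against proxy log lines.

Added example, not part of the Kaspersky report. The sample log lines
below are constructed, and the log format is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as listed in the report (defanged).
REPORT_IOCS = [
    "210[.]16[.]120[.]231",
    "45[.]13[.]135[.]103",
    "highnoon[.]my-site[.]hosting",
    "centerton[.]atwebpages[.]com",
    "security-update[.]at-host[.]net",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. "[.]", "hxxp") back into matchable form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s)
    return s.replace("[:]", ":")


IOC_SET = frozenset(refang(i) for i in REPORT_IOCS)

# Parent zones of the listed hostnames (my-site.hosting, atwebpages.com,
# at-host.net): free hosting the report says to monitor. A hit here is
# lower confidence than an exact indicator match. Heuristic is an assumption.
FREE_HOSTING_ZONES = frozenset(
    ".".join(host.split(".")[1:])
    for host in IOC_SET
    if not re.fullmatch(r"[\d.]+", host)
)

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample proxy log; not real traffic.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z 10.0.0.12 GET http://45.13.135.103/update.php 200",
    "2024-05-02T09:14:05Z 10.0.0.12 POST http://centerton.atwebpages.com/upload 200",
    "2024-05-02T09:15:10Z 10.0.0.20 GET https://www.example.com/ 200",
    "2024-05-02T09:16:44Z 10.0.0.31 GET http://other-user.atwebpages.com/index.html 404",
    "malformed line without the expected fields",
]


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (reason, host) when the URL's host matches an indicator or zone."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in IOC_SET:
        return ("exact-ioc", host)
    for zone in FREE_HOSTING_ZONES:
        if host.endswith("." + zone):
            return ("free-hosting-zone", host)
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and collect hits; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        verdict = classify(url)
        if verdict:
            reason, host = verdict
            hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Exact indicator matches are candidates for blocking; zone-level hits are only a prompt to review the destination, since many legitimate users share the same free hosting providers.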