Dissecting new AppleSeed backdoor of Kimsuky threat actor

Telsy analyzed the cyber espionage group known as Kimsuky in a particular spear phishing campaign.



The Telsy Threat Intelligence team trackings various threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime.

The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe.

Kimsuky uses various spear phishing and social engineering methods to obtain Initial Access to victim networks. Spear phishing with a malicious attachment embedded in the email is the most observed Kimsuky tactic.

The structure of the last dropped file (AppleSeed backdoor) and TTPs used in these recent activities align with what has been reported in Malwarebytes’s report ad exception of the communication method, that in this case is the public e-mail server “daum.net”.

In fact, this version of AppleSeed backdoor has several similarities with the one reported in the Malwarebytes report:

– it uses the same persistence method, creating the registry key named “EstsoftAutoUpdate”;

– the activation of the modules happens creating the following files, FolderMonitor, KeyboardMonitor, ScreenMonitor, UsbMonitor, in the directory “C:\ProgramData\Software\ESTsoft\Common\flags” with written inside “Flag”;

– uses RC4 for data encryption and decryption, the RC4 key is generated as an MD5 hash of a randomly generated 117-byte buffer. The 117-byte buffer created is encrypted using the RSA algorithm and is sent to the sever along with the data encrypted with RC4.

The use of a public mail server, as a communication method for Command and Control, was partially described by Securlist.

In this version, analyzed by Telsy, there are some differences both in the way of sending and receiving mails, since the embedded library “Curl” is used and not the WinInet API, and in the functionality of receiving commands.


Fill the form below to download the full report

[email-download download_id=”5654” contact_form_id=”4482”]


Check other cyber reports on our blog.

This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which allows to analyze and stay updated on adversaries and threats that could impact customers’ business.