Threat Analysis of the 3-Stage Combo of the Kimsuky Group


The North Korean hacking group Kimsuky has employed a sophisticated infiltration strategy targeting South Korean users via Facebook, email, and Telegram, disguising malicious files as volunteer activities for defectors. This campaign utilizes Korean-specific compressed files and encoded scripts to evade detection, with significant compromises linked to the AppleSeed malware variant. #Kimsuky #AppleSeed

Keypoints

  • South Korean users targeted through Facebook, email, and Telegram by Kimsuky group.
  • Malicious files disguised as volunteer work for North Korean defectors to lure victims.
  • Use of Korean-specific EGG compressed files and Base64 encoded malicious scripts to bypass security detection.
  • The AppleSeed campaign is identified as the malware variant used in these attacks.
  • Advanced persistent threat activities focus on defense, military, and pro-defector groups in South Korea.
  • EDR and machine learning technologies enhance detection and threat hunting of the intrusion.
  • Attackers use regsvr32 for silent execution and persistence through registry modifications.
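The execution chain summarized in these keypoints (a JSE run by Windows Script Host, a dropped DLL loaded silently with regsvr32) leaves a characteristic trail in process-creation telemetry. The following is an added detection example written for this page, not tooling from the report or from Genians: it classifies constructed process-creation events (the paths, the `update.dll` name and the parent/child relationships are all assumed for illustration) and flags script hosts executing a .jse from a user-writable directory and regsvr32 loading a DLL from such a directory, with the silent `/s` switch and a script-host parent called out separately.

```python
"""Detection logic for the execution chain in the keypoints above: Windows Script Host
running a .jse from a user-writable directory, then regsvr32 /s loading a DLL from
C:\\ProgramData. Constructed process-creation events; not the report's own tooling."""
import re
from dataclasses import dataclass

# Locations a phished user (or a script running as that user) can write to.
USER_WRITABLE = re.compile(
    r"(?i)^c:\\(?:users\\[^\\]+\\(?:downloads|desktop|appdata)|programdata)\\")
# A Windows path ending in an extension of interest, quoted or not.
PATH_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:jse|dll))"?', re.I)


@dataclass
class ProcEvent:
    image: str           # full path of the new process
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    hits = []
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    # Only paths under user-writable locations are interesting here.
    paths = [p for p in PATH_ARG.findall(ev.command_line) if USER_WRITABLE.match(p)]
    if img in ("wscript.exe", "cscript.exe") and any(p.lower().endswith(".jse") for p in paths):
        hits.append("script host executing .jse from user-writable path")
    if img == "regsvr32.exe":
        if any(p.lower().endswith(".dll") for p in paths):
            label = "regsvr32 loading DLL from user-writable path"
            if re.search(r"(?:^|\s)/s(?:\s|$)", ev.command_line, re.I):
                label += " (silent /s)"
            hits.append(label)
        if parent in ("wscript.exe", "cscript.exe"):
            hits.append("regsvr32 spawned by script host")
    return hits


# Constructed sample events; the DLL name and user name are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\탈북민지원봉사활동.jse"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\ProgramData\update.dll"',
              r"C:\Windows\System32\wscript.exe"),
    # Benign: a system DLL registered by an installer, should produce no hits.
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"',
              r"C:\Windows\System32\msiexec.exe"),
]


def run_samples() -> list[list[str]]:
    return [classify(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(_basename(ev.image), "->", hits or "no findings")
```

The regsvr32 rule deliberately keys on the DLL's location rather than on regsvr32 itself, since installers register DLLs from system directories constantly; pairing the location check with the script-host parent gives two independent signals for the same chain.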

MITRE Techniques

  • [T1566] Phishing – Used Facebook messenger and email to lure victims into downloading malicious files disguised as volunteer activity (“Utilized Facebook and email to lure victims into downloading malicious files”).
  • [T1071] Command and Control – Communicated with compromised systems via HTTP requests to the C2 server “woana.n-e[.]kr” (“Sent HTTP requests including encoded system data and received commands from the C2 server”).
  • [T1203] Execution – Executed malicious scripts through encrypted JSE files that create DLL payloads (“Executed malicious scripts through the use of JSE files that drop and run malicious DLLs”).
  • [T1003] Credential Dumping – Gathered sensitive information using system commands executed in command prompt via pipes (“Collected system information including token privileges to check UAC and admin status”).
  • [T1486] Data Encrypted for Impact – Encrypted collected data using RC4 session keys and RSA public keys before transmitting to remote server (“Used RC4 and RSA encryption to secure stolen data prior to transmission”).

Indicators of Compromise

  • [Domain] Command and control servers used for communication – afcafe.kro[.]kr, woana.n-e[.]kr
  • [File hash] Malicious payload hashes associated with AppleSeed variants – 2f6fe22be1ed2a6ba42689747c9e18a0, 5a223c70b65c4d74fea98ba39bf5d127, and 25 more hashes.

The article discusses a sophisticated infiltration strategy used by a North Korean hacking group, Kimsuky, targeting South Korean users via Facebook, email, and Telegram. The attackers disguise their malicious activities as volunteer work for North Korean defectors, leading to the delivery of harmful files. The report emphasizes the use of Korean-specific compressed files and encoded malicious scripts to evade security detection. Affected: Facebook, Email, Telegram

Keypoints:

  • Targeting South Korean users through Facebook, email, and Telegram.
  • Kimsuky group identified as the threat actor behind the attacks.
  • Disguising malicious files as volunteer activities for North Korean defectors.
  • Use of Korean-specific compressed files to evade security detection.
  • EDR-based threat hunting and triage contribute to visibility in security.

MITRE Techniques:

  • Phishing (T1566) – Utilized Facebook and email to lure victims into downloading malicious files.
  • Command and Control (T1071) – Communicated with compromised systems using HTTP requests to a C2 server.
  • Execution (T1203) – Executed malicious scripts through the use of JSE files.
  • Credential Dumping (T1003) – Collected sensitive information from compromised devices.
  • Data Encrypted for Impact (T1486) – Used encryption techniques to secure stolen data before transmission.

Indicators of Compromise:

  • [domain] afcafe.kro[.]kr
  • [domain] woana.n-e[.]kr
  • [file hash] 2f6fe22be1ed2a6ba42689747c9e18a0
  • [file hash] 5a223c70b65c4d74fea98ba39bf5d127
  • [file hash] 7a0c0a4c550a95809e93ab7e6bdcc290
  • Check the article for all found IoCs


◈ Executive Summary

  • Utilizing a stealth infiltration strategy through three channels: Facebook, email, and Telegram.
  • Dressing the activities as North Korean defectors’ volunteer work to lure into conversations and deliver malicious files.
  • Confirmation of links to the Kimsuky state-sponsored hacking organization targeting national defense and pro-North Korean activist groups.
  • Specialized in evading security pattern detection with Korean-specific compressed files and encoded malicious scripts.
  • EDR-based threat hunting and triage contribute to enhancing visibility.

1.  Overview

○ Genians Security Center (GSC) has detected advanced persistent threat (APT) attacks targeting Facebook, email, and Telegram users in South Korea from March to April 2025.

○ The threat actor was found to conduct reconnaissance and select targets using two Facebook accounts.

○ According to joint investigations by Genians’ threat analysis researchers, the Kimsuky group has been identified behind the attack. They are widely recognized as a state-sponsored hacking organization linked to North Korea, and this case has been revealed as the ‘AppleSeed’ campaign.

○ For reference, AppleSeed was first introduced in two VB conferences held in October 2019 and 2021 by principal author Kim Jae-ki and two others in the sessions titled “Kimsuky group: tracking the king of spear-phishing” and “Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?”.

○ According to publicly available presentations, the Program Database (PDB) path of the malicious files developed by the Kimsuky group contained the related string.

○ In addition, AhnLab ASEC extensively documented AppleSeed in their attack report titled “Operation Light Shell” in November 2021.

2. Background

○ The threat level of the Kimsuky group in Korea remains extremely high. Their three main attack tools are listed below; some variants are also known by aliases.

  • AppleSeed
  • BabyShark (RandomQuery)
  • FlowerPower (GoldDragon)

○ In the past, AppleSeed types have often been reported using executable file extensions (EXE, PIF, etc.). In particular, attacks using script types (JSE, WSF, JS, etc.) happen frequently, featuring calls to Base64 encoded malicious DLL libraries.

○ Meanwhile, attachments used in spear phishing attacks are frequently observed in the EGG (ALZip) format. Threat actors sometimes recommend a specific decompression program in the email. This is a strategy to circumvent signature detection by security products installed on the mail gateway and on devices, while enticing victims to open the malicious file in a PC environment rather than on a smartphone.

○ The PDB paths containing the AppleSeed string are as follows.

No  Bit  PDB Path
1   32   F:PCManagerUtopiav0.1binAppleSeed.pdb
1   64   F:PCManagerUtopiav0.1binAppleSeed64.pdb
2   32   E:worksutopiaUtopia_v0.2binAppleSeed.pdb
2   64   E:worksutopiaUtopia_v0.2binAppleSeed64.pdb

[Table 1] AppleSeed malicious file PDB path information

○ The AppleSeed case with the ‘Utopiav0.1’ path was created in May 2019 based on the DLL build date. For the AppleSeed type with the ‘Utopiav0.2’ path, the build dates range from August 2019 to January 2020.


[Figure 2-1] AppleSeed PDB path screen

○ The malicious file of this threat actor mainly targets the defense industry and defense field. During the COVID-19 pandemic, they also targeted vaccine manufacturing companies. Additionally, attempts to steal information about virtual asset exchanges such as Bitcoin have been ongoing.

○ Genians threat analysts discovered the latest AppleSeed attack attempt that lasted over two months starting in March 2025 and conducted in-depth investigations.

○ This report analyzes the most recent AppleSeed attack case, which was delivered through three channels. The aim is to provide insights for preventing similar security threats through detailed analysis.

  • Facebook
  • E-Mail
  • Telegram

3. Triple Combo Threat Analysis

3-1. Facebook-based attack case

○ The first case is an approach made via Facebook. The threat actor sent friend requests and conversation requests from the ‘Transitional Justice Mission’ account to many individuals involved in North Korean issues.


[Figure 3-1] Facebook messenger conversation attempt screen

○ The threat actor cleverly approaches the target by introducing themselves as a pastor or researcher from a specific church through the target’s Facebook messenger.

○ After that, they share a specific document to arouse interest and get the target to receive a malicious file.

○ The malicious file is delivered in a password-protected format using EGG compression.


[Figure 3-2] Facebook messenger used to deliver malicious file

○ The threat actor also utilized another Facebook account in their attack. Based on owner information, they introduce themselves as someone from the Air Force Academy.

○ At the point when actual threat activity was observed, the profile of that Facebook account had a photo presumed to be of a Korean male, which was later removed.


[Figure 3-3] Screen accessing as a North Korean defector volunteer inquiry

○ At this time, they attempted to approach the target using deceptive messages about North Korean defector volunteer activities. They directly deliver malicious files via Facebook messenger or choose another method to deliver the malicious file through multiple conversations.

3-2. Email-based attack case

○ The threat actor also attempts additional access through the email address of the target learned from the Facebook messenger conversation.

○ They ask for the email address through 1:1 conversations and employ strategies to lure the target into accessing malicious files.


[Figure 3-4] Screen accessing via email

3-3. Telegram-based access case

○ The malicious file actually used in this attack was analyzed in the same way, and the actor consistently deceived recipients with the theme of “volunteer activity for North Korean defectors.”


[Figure 3-6] Multistage access case comparison

○ Tracing the attack flow against specific targets shows that the threat actor first attempts contact through Facebook and email.

○ If they know the target’s smartphone number, they send messages via Telegram. Of course, other online messengers might also be used. In this way, the threat actor demonstrates proactive attack behavior. It is essential to keep in mind that the tactics targeting North Korean defectors are diversifying.


[Figure 3-7] Attack flowchart

○ Observing the attack flow up to Telegram, it seems likely that they initially hacked a specific owner’s device. Then, while monitoring the victim, they can steal information about the SNS or email accounts they normally use.

○ They take over the Facebook account to pose as its original owner. Since the account was registered long ago, those around the owner are unlikely to be suspicious. Threat activities that exploit online friendships are hard to expose, especially because one-on-one messenger conversations are carried out discreetly, so particular caution is required.

○ Any URLs or files received suddenly should always be anticipated to contain a threat element. Maintaining security habits of skepticism and caution is very important.

○ Keep in mind that, as in this case, the threat actor mobilizes various tactics across Facebook, email, and Telegram.

4. Malware Analysis


4-1. Analysis of 탈북민지원봉사활동.jse file

○ JSE files are JScript files with a .jse extension whose source has been obfuscated with Microsoft’s Script Encoder; they are executed by Windows Script Host (WSH).

○ The ‘탈북민지원봉사활동.jse’ file, when executed, creates two files. One is a normal PDF document meant to deceive the user, while the other is a DLL file that carries out the actual malicious actions. 


[Figure 4-1] Flow of ‘탈북민지원봉사활동.jse’

○ Inside the script, the variable xF6hKgM2MlR holds Base64 encoded PDF file data, and the variable guC1USOkKiW contains the name of the file to be created after decoding, which is “탈북민지원봉사활동.pdf.”

○ Using the Microsoft.XMLDOM object (xmlDom), the value of xF6hKgM2MlR is decoded, saved to the path ‘C:\ProgramData\탈북민지원봉사활동.pdf’, and then automatically executed using the WScript.Shell object (shell).

○ As a result, the user will perceive they are viewing an actual document, which serves as a decoy for concealing malicious behavior.
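Two artefacts described on this page lend themselves to the same static triage: the EGG (ALZip) archive attachments from the Background section, whose regional format may not be unpacked by a mail gateway, and the decoded body of a JSE dropper like ‘탈북민지원봉사활동.jse’, which carries its payloads as Base64 string literals (xF6hKgM2MlR for the PDF, guC1USOkKiW for the drop name) and writes them under C:\ProgramData. The block below is an added example written for this page, not Genians’ tooling or the report’s own code. It identifies content by leading bytes regardless of extension, flags regional archive formats and extension/content mismatches, and decodes and types every long Base64 literal in a decoded script. The EGG/ALZ signatures are taken from ESTsoft’s format specifications rather than from the report; the sample attachments, the decoded script body and the variable name vDllData are constructed.

```python
"""Triage helpers for the two delivery artefacts on this page: an archive attachment
in a regional format (EGG/ALZ) and a decoded JSE dropper carrying Base64 payloads.
Constructed example, not the report's tooling."""
import base64
import binascii
import hashlib
import os
import re

# Leading-byte signatures. EGG/ALZ values follow ESTsoft's published format specs
# (assumed from the specs, not stated in the report).
MAGICS = (
    (b"EGGA", "EGG (ALZip)"),
    (b"ALZ\x01", "ALZ (ALZip)"),
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"%PDF", "PDF"),
    (b"MZ", "PE (EXE/DLL)"),
)
EXPECTED_EXT = {
    "EGG (ALZip)": {".egg"}, "ALZ (ALZip)": {".alz"}, "ZIP": {".zip"}, "RAR": {".rar"},
    "PDF": {".pdf"}, "PE (EXE/DLL)": {".exe", ".dll", ".pif", ".scr"},
}
REGIONAL_ARCHIVES = {"EGG (ALZip)", "ALZ (ALZip)"}


def sniff(data: bytes) -> str:
    """Identify content by its first bytes, ignoring the file extension."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag regional archive formats and extension/content mismatches."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    findings = []
    if kind in REGIONAL_ARCHIVES:
        findings.append("regional archive format: confirm the mail gateway and AV can unpack it")
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        findings.append(f"extension '{ext or '(none)'}' does not match content type {kind}")
    return {"file": filename, "type": kind, "findings": findings}


# Patterns for the decoded (plain JScript) body of a dropper such as the one above.
B64_ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([A-Za-z0-9+/=\s]{64,})"')
NAME_ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"\\]+\.(?:pdf|dll|exe|hwp|docx?))"', re.I)
DROPPER_MARKERS = ("Microsoft.XMLDOM", "WScript.Shell", "ProgramData", "regsvr32")


def extract_payloads(script_text: str) -> dict:
    """Decode every long Base64 literal, type it by magic and hash it; collect drop names."""
    payloads = []
    for var, blob in B64_ASSIGN.findall(script_text):
        try:
            data = base64.b64decode("".join(blob.split()), validate=True)
        except (binascii.Error, ValueError):
            continue  # long string that is not valid Base64
        payloads.append({"variable": var, "type": sniff(data), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "payloads": payloads,
        "drop_names": [name for _, name in NAME_ASSIGN.findall(script_text)],
        "markers": [m for m in DROPPER_MARKERS if m in script_text],
    }


# Constructed samples: header stubs only, no real archive or PE body.
SAMPLE_ATTACHMENTS = [
    ("탈북민지원봉사활동.egg", b"EGGA" + bytes(28)),
    ("volunteer_guide.pdf", b"MZ\x90\x00" + bytes(28)),   # PE content behind a .pdf name
    ("notes.zip", b"PK\x03\x04" + bytes(28)),
]
_DECOY = b"%PDF-1.4\n%constructed decoy document, not a real PDF body\n" + bytes(32)
_DLL = b"MZ" + bytes(62)
SAMPLE_SCRIPT = (  # decoded JScript body; vDllData is a constructed variable name
    f'var xF6hKgM2MlR = "{base64.b64encode(_DECOY).decode()}";\n'
    'var guC1USOkKiW = "탈북민지원봉사활동.pdf";\n'
    f'var vDllData = "{base64.b64encode(_DLL).decode()}";\n'
    'var xmlDom = new ActiveXObject("Microsoft.XMLDOM");\n'
    'var shell = new ActiveXObject("WScript.Shell");\n'
    'shell.Run("C:\\\\ProgramData\\\\" + guC1USOkKiW);\n'
)


def run_samples() -> dict:
    return {"attachments": [triage_attachment(n, d) for n, d in SAMPLE_ATTACHMENTS],
            "dropper": extract_payloads(SAMPLE_SCRIPT)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_samples(), ensure_ascii=False, indent=2))
```

On a real sample the script body must first be decoded from the .jse encoding; the extractor then gives the analyst the dropped file types and hashes without executing anything, and the marker list (XMLDOM decoding, WScript.Shell, a ProgramData drop path) matches the dropper behaviour the figure above describes.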

[Figure] Decoy file execution process