Kimsuky Group Using Weaponized LNK File to Deploy AppleSeed Malware

Cybersecurity researchers report that the Kimsuky threat group, backed by North Korea, uses weaponized LNK shortcut files to deploy AppleSeed and AlphaSeed malware, often with JavaScript or Excel macros for initial execution. The group persists in using AppleSeed variants, runs C2 over ChromeDP, and has shifted from RDP to Chrome Remote Desktop for control, while also employing HVNC/TightVNC and Meterpreter as backdoors; together these elements illustrate a broad, multi-tool intrusion approach. #Kimsuky #AppleSeed #AlphaSeed #TinyNuke #HVNC #ChromeDP

Keypoints

  • Kimsuky is identified as a North Korea–backed group active since 2013 that uses weaponized LNK files to deploy malware.
  • The group conducts spear-phishing campaigns across multiple sectors, including defense, industry, media, diplomacy, organizations, and academia.
  • AppleSeed and AlphaSeed are core malware families, with AppleSeed often distributed via a JavaScript dropper and sometimes paired with AlphaSeed for operations.
  • The operators have switched from RDP-based control to Chrome Remote Desktop for better control with minimal changes to methods.
  • The toolkit includes various backdoors and remote-access tools (Meterpreter, TinyNuke HVNC, TightVNC, HVNC) used to maintain access and control.
  • Command-and-control communications are conducted via ChromeDP, indicating web-based C2 channels.
  • The report provides a long list of IOCs (MD5s, C2 URLs, and IPs) and practical recommendations for users to reduce risk.

MITRE Techniques

  • [T1204.002] User Execution – Malicious File – The LNK shortcut is designed to be clicked to execute malware. Quote: “…these files often contain malicious code that can be executed when the user clicks on the shortcut…”
  • [T1566.001] Phishing: Spearphishing Attachment – The group specializes in spear phishing against Defense, Industries, Media, Diplomacy, Organizations, and Academia.
  • [T1059.007] JavaScript – The malware delivery uses a JavaScript-based dropper to facilitate initial access and payload installation.
  • [T1059.005] Visual Basic – Office Macros/Excel macros used to deploy or enable payloads.
  • [T1071.001] Web Protocols – C2 communications run over ChromeDP (Chrome DevTools Protocol).
  • [T1021.001] Remote Desktop Protocol – The actors historically used RDP and later moved to Chrome Remote Desktop for control.
  • [T1021.005] VNC – Use of TightVNC/HVNC variants for remote access and control.
  • [T1105] Ingress Tool Transfer – Meterpreter backdoors and other tools imply downloading and staging backdoors as part of the intrusion chain.
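The User Execution and JavaScript-dropper points above both hinge on what a shortcut actually launches when clicked. The following is an added defender-side example, not code from the report or from any Kimsuky sample: a minimal MS-SHLLINK parser that extracts the StringData fields (path, arguments, icon) and flags shortcuts that invoke a script host. The sample LNK bytes are constructed inline; the field names and the list of suspicious hosts are the example's own assumptions.

```python
import struct

# LinkFlags bits from MS-SHLLINK (added defender example, not code from the report).
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Script hosts a document-themed shortcut should rarely launch (assumed watch-list).
SUSPICIOUS_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip IDList/LinkInfo, and return the StringData fields."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) precedes the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize counts the whole block, itself included
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            pos += 2
            out[name] = data[pos:pos + width * count].decode(codec)
            pos += width * count
    return out

def triage_lnk(data: bytes) -> list:
    """Reasons a shortcut looks weaponized; an empty list means nothing was flagged."""
    info = parse_lnk(data)
    text = " ".join(info.get(k, "") for _, k in STRING_FIELDS).lower()
    reasons = [h for h in SUSPICIOUS_HOSTS if h in text]
    if len(info.get("arguments", "")) > 200:     # padded or obfuscated command lines
        reasons.append("very long arguments")
    return reasons

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test sample: header plus Unicode RELATIVE_PATH and ARGUMENTS only."""
    flags = IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", flags) + bytes(52)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run `triage_lnk(open("suspect.lnk", "rb").read())` on a real file; a non-empty list is a reason to look closer, not a verdict, since legitimate admin shortcuts also launch these hosts.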

Indicators of Compromise

  • [MD5] AppleSeed – db5fc5cf50f8c1e19141eb238e57658c, 6a968fd1608bca7255c329a0701dbf58 (AppleSeed in %APPDATA%\AbodeService\AdobeService.dll)
  • [MD5] AppleSeed Dropper – 5d3ab2baacf2ad986ed7542eeabf3dab, d4ad31f316dc4ca0e7170109174827cf (AppleSeed Dropper)
  • [MD5] AlphaSeed – 0cce02d2d835a996ad5dfc0406b44b01, d94c6323c3f77965451c0b7ebeb32e13 (AlphaSeed in %USERPROFILE%\.edge\edgemgmt.dat)
  • [MD5] Meterpreter – 232046aff635f1a5d81e415ef64649b7, 58fafabd6ae8360c9d604cd314a27159 (Meterpreter in system32/settings/registry artifacts)
  • [MD5] TinyNuke HVNC – e34669d56a13d607da1f76618eb4b27e (TinyNuke HVNC)
  • [MD5] TightVNC – ee76638004c68cfc34ff1fea2a7565a7 (TightVNC)
  • [URL] C2 domains – hxxp://bitburny.kro[.]kr/aha/, hxxp://bitthum.kro[.]kr/hu/ (AppleSeed C2)
  • [URL] Additional AppleSeed domains/addresses – hxxp://doma2.o-r[.]kr//, hxxp://my.topton.r-e[.]kr/address/
  • [IP] Meterpreter – 104.168.145[.]83:993, 159.100.6[.]137:993
  • [IP] TinyNuke/TightVNC – 45.114.129[.]138:33890 (TinyNuke HVNC) and 45.114.129[.]138:5500 (TightVNC)

Source: https://cybersecuritynews.com/kimsuky-appleseed-malware/