Pulse: Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger
TLP: WHITE | Adversary: Kimsuky | Author: AlienVault | Created: 2026-04-13 | Modified: 2026-04-13
47 IOCs (medium volume)
On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. Because the C2 server at check[.]nid-log[.]com had directory listing enabled, the complete source code of every payload stage could be recovered: a 6,338-byte VBScript that performs system reconnaissance and establishes persistence via a scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure comprised 79+ domains across 5 C2 IPs hosted with Korean VPS providers. The server responded with a "Million OK !!!!" signature, matching previously documented Kimsuky infrastructure, while running an upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax-authority impersonation, and its infrastructure was linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.
Indicators of Compromise (47)
TYPE INDICATOR CREATED
IPv4 51.79.185.184 2026-04-13
FileHash-MD5 08815400eb034d0c760d031e735bd392 2026-04-13
FileHash-MD5 0ac44ad9cfbc58ed76415f7bc79239f9 2026-04-13
FileHash-MD5 4599ac1bbe483c73064df1353feafd01 2026-04-13
FileHash-MD5 6d03fd0b89fe997408b9e9e3d5ead602 2026-04-13
FileHash-MD5 6f90f6b96fe3a5b79c1935211f557a08 2026-04-13
FileHash-SHA1 51ab17a51cc000bbae89980082c57281c4c0b462 2026-04-13
FileHash-SHA1 66af61e3e376284f691d449d0042e8b2c1174278 2026-04-13
FileHash-SHA1 6aa51c23f0319a6b940072274adf47a0c29f27b6 2026-04-13
FileHash-SHA1 a76af8176da28fdab47f9a77d50eb0e89f2b8557 2026-04-13
FileHash-SHA1 f759ccb6886234c63a66abd6102c636a46d1eba8 2026-04-13
FileHash-SHA256 1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793 2026-04-13
FileHash-SHA256 7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b 2026-04-13
FileHash-SHA256 85f8f8a3f28d2956776fbbd0365cdb78ac8dc1e6ed12818ef18caed0bb2f74c8 2026-04-13
FileHash-SHA256 a36576a096db24a1c91327eb547dedf52e5bd4b0d4593b88d9593d377585b922 2026-04-13
FileHash-SHA256 af50f35701916d3909f2727cdcbde1a7af47f46eb8db3996905b1c0725aa133f 2026-04-13
FileHash-SHA256 d7c09e7bf79aa9b786dcd9f870427f4a1110f702646fba9d3835215ad3649d0b 2026-04-13
IPv4 118.194.249.109 2026-04-13
IPv4 130.94.29.111 2026-04-13
IPv4 162.255.119.150 2026-04-13
IPv4 27.102.137.150 2026-04-13
IPv4 27.102.137.38 2026-04-13
IPv4 27.102.138.45 2026-04-13
IPv4 38.60.220.135 2026-04-13
URL http://check.nid-log.com/api' 2026-04-13
URL http://check.nid-log.com/api/bootservice.php 2026-04-13
URL http://check.nid-log.com/api/bootservice.php?tag= 2026-04-13
URL http://check.nid-log.com/api/checkservice.php 2026-04-13
URL http://check.nid-log.com/api/finalservice.php 2026-04-13
URL http://noreplymail.space/BitJoker/bootservice.php 2026-04-13
YARA 22885ad517585b9f0c5bb9fdd785df00e7c0cfc0 2026-04-13
domain nid-log.com 2026-04-13
domain noreplymail.space 2026-04-13
domain uncork.biz 2026-04-13
domain withheldforprivacy.com 2026-04-13
hostname check.nid-log.com 2026-04-13
hostname chk.uncork.biz 2026-04-13
hostname miss-tax.dns.navy 2026-04-13
hostname nid-htl.duckdns.org 2026-04-13
hostname nid-navercwu.servecounterstrike.com 2026-04-13
hostname nid-naverfxc.servecounterstrike.com 2026-04-13
hostname nid-naverpep.servequake.com 2026-04-13
hostname nid-navertca.servehalflife.com 2026-04-13
hostname nid-tax.dns.army 2026-04-13
hostname pay-tax.dns.navy 2026-04-13
hostname tax-invoice.dns.army 2026-04-13
hostname verify.efine-log.kro.kr 2026-04-13