{
  "type": "URL",
  "indicator": "https://www.yespp.co.kr/common/include/code/out.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.yespp.co.kr/common/include/code/out.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4184708635,
      "indicator": "https://www.yespp.co.kr/common/include/code/out.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6a05af0979e3cc1214a50d4e",
          "name": "Disclosing new PebbleDash-based tools",
          "description": "Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...",
          "modified": "2026-05-14T18:12:49.059000",
          "created": "2026-05-14T11:16:25.351000",
          "tags": [
            "xrat",
            "vscode tunneling",
            "appleseed",
            "httptroy",
            "kimsuky",
            "spear-phishing",
            "south korea",
            "babyshark",
            "tutrat",
            "coolclient",
            "httpmalice",
            "zichatbot",
            "memload",
            "httpspy",
            "dwagent",
            "valleyrat",
            "happydoor",
            "pebbledash",
            "randomquery",
            "xenorat",
            "troll stealer",
            "hellodoor"
          ],
          "references": [
            "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloDoor",
              "display_name": "HelloDoor",
              "target": null
            },
            {
              "id": "httpMalice",
              "display_name": "httpMalice",
              "target": null
            },
            {
              "id": "MemLoad",
              "display_name": "MemLoad",
              "target": null
            },
            {
              "id": "httpTroy",
              "display_name": "httpTroy",
              "target": null
            },
            {
              "id": "AppleSeed - S0622",
              "display_name": "AppleSeed - S0622",
              "target": null
            },
            {
              "id": "HappyDoor",
              "display_name": "HappyDoor",
              "target": null
            },
            {
              "id": "BabyShark - S0414",
              "display_name": "BabyShark - S0414",
              "target": null
            },
            {
              "id": "RandomQuery",
              "display_name": "RandomQuery",
              "target": null
            },
            {
              "id": "xRAT",
              "display_name": "xRAT",
              "target": null
            },
            {
              "id": "XenoRAT",
              "display_name": "XenoRAT",
              "target": null
            },
            {
              "id": "TutRAT",
              "display_name": "TutRAT",
              "target": null
            },
            {
              "id": "httpSpy",
              "display_name": "httpSpy",
              "target": null
            },
            {
              "id": "Troll Stealer",
              "display_name": "Troll Stealer",
              "target": null
            },
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "CoolClient",
              "display_name": "CoolClient",
              "target": null
            },
            {
              "id": "ZiChatBot",
              "display_name": "ZiChatBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Defense",
            "Government",
            "Healthcare",
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 4,
            "URL": 5,
            "domain": 1,
            "hostname": 15
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386494,
          "modified_text": "16 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12fbc0117778eaba6e378a",
          "name": "EbeeMay2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-24T13:23:12.428000",
          "created": "2026-05-24T13:23:12.428000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "rnuarbvf url",
            "z5brjsogj789",
            "da6ah3",
            "goceqc6sk"
          ],
          "references": [],
          "public": 1,
          "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 84,
            "URL": 63,
            "CVE": 21,
            "FileHash-MD5": 204,
            "FileHash-SHA1": 197,
            "FileHash-SHA256": 220,
            "domain": 122,
            "email": 13,
            "hostname": 99
          },
          "indicator_count": 1023,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a06a56c4de4473292916686",
          "name": "Disclosing new PebbleDash-based tools",
          "description": "",
          "modified": "2026-05-15T04:47:40.282000",
          "created": "2026-05-15T04:47:40.282000",
          "tags": [
            "xrat",
            "vscode tunneling",
            "appleseed",
            "httptroy",
            "kimsuky",
            "spear-phishing",
            "south korea",
            "babyshark",
            "tutrat",
            "coolclient",
            "httpmalice",
            "zichatbot",
            "memload",
            "httpspy",
            "dwagent",
            "valleyrat",
            "happydoor",
            "pebbledash",
            "randomquery",
            "xenorat",
            "troll stealer",
            "hellodoor"
          ],
          "references": [
            "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloDoor",
              "display_name": "HelloDoor",
              "target": null
            },
            {
              "id": "httpMalice",
              "display_name": "httpMalice",
              "target": null
            },
            {
              "id": "MemLoad",
              "display_name": "MemLoad",
              "target": null
            },
            {
              "id": "httpTroy",
              "display_name": "httpTroy",
              "target": null
            },
            {
              "id": "AppleSeed - S0622",
              "display_name": "AppleSeed - S0622",
              "target": null
            },
            {
              "id": "HappyDoor",
              "display_name": "HappyDoor",
              "target": null
            },
            {
              "id": "BabyShark - S0414",
              "display_name": "BabyShark - S0414",
              "target": null
            },
            {
              "id": "RandomQuery",
              "display_name": "RandomQuery",
              "target": null
            },
            {
              "id": "xRAT",
              "display_name": "xRAT",
              "target": null
            },
            {
              "id": "XenoRAT",
              "display_name": "XenoRAT",
              "target": null
            },
            {
              "id": "TutRAT",
              "display_name": "TutRAT",
              "target": null
            },
            {
              "id": "httpSpy",
              "display_name": "httpSpy",
              "target": null
            },
            {
              "id": "Troll Stealer",
              "display_name": "Troll Stealer",
              "target": null
            },
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "CoolClient",
              "display_name": "CoolClient",
              "target": null
            },
            {
              "id": "ZiChatBot",
              "display_name": "ZiChatBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Defense",
            "Government",
            "Healthcare",
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "6a05af0979e3cc1214a50d4e",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 4,
            "URL": 5,
            "domain": 1,
            "hostname": 15
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "16 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0688489547846b3466f6a8",
          "name": "IOC - Kimsuky targets organizations with PebbleDash-based tools",
          "description": "Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group\u2019s latest campaigns.",
          "modified": "2026-05-15T02:43:20.292000",
          "created": "2026-05-15T02:43:20.292000",
          "tags": [
            "memload",
            "appleseed",
            "dropper",
            "happydoor",
            "jse dropper",
            "pidoc dropper",
            "vscode tunnel",
            "domains",
            "hellodoor https",
            "jscript"
          ],
          "references": [
            "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 3,
            "domain": 1,
            "hostname": 14
          },
          "indicator_count": 47,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "16 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "697a9015a6b6986b45485d39",
          "name": "EbeeJan2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-02-27T22:03:31.816000",
          "created": "2026-01-28T22:39:17.725000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-MD5": 212,
            "FileHash-SHA1": 212,
            "FileHash-SHA256": 338,
            "URL": 16,
            "domain": 109,
            "email": 7,
            "hostname": 83
          },
          "indicator_count": 980,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "92 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69731fdee15e5e50297f2ed3",
          "name": "Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access",
          "description": "Recent analysis has revealed a targeted cyber campaign linked to Democratic People's Republic of Korea (DPRK) activity, focusing on individuals in South Korea. The attackers employ JScript Encoded (JSE) scripts and government-themed documents as decoys to facilitate the deployment of a Visual Studio Code (VS Code) tunnel, establishing remote access to victim machines.\n\nThe malicious component in the campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document. This file is most likely disseminated through spear-phishing emails aimed at specific targets. Upon execution, the JSE file, through Windows Script Host, parses multiple Base64-encoded elements to perform its functions. The deceptive HWPX document purports to be related to student selection for a master's program set for 2026, mimicking official communications from the Ministry of Personnel Management, a legitimate government body in South Korea.",
          "modified": "2026-02-22T07:03:34.559000",
          "created": "2026-01-23T07:14:38.428000",
          "tags": [
            "cnapp",
            "darktrace",
            "cloud",
            "detection",
            "cloud security",
            "cloud native",
            "platforms",
            "runtime",
            "cloud brings",
            "runtime defence",
            "campaigns medusa",
            "nathaniel bill",
            "contagious interview",
            "darktrace identifies",
            "tara gould"
          ],
          "references": [
            "https://www.darktrace.com/blog/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland",
            "Sweden",
            "Spain",
            "Portugal",
            "Nigeria",
            "Kenya",
            "Qatar",
            "Chile",
            "Korea, Republic of"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            }
          ],
          "industries": [
            "Government",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 1,
            "URL": 1,
            "hostname": 1
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "98 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
        "https://www.darktrace.com/blog/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access",
        "IOCs.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Kimsuky"
          ],
          "malware_families": [
            "Hellodoor",
            "Httptroy",
            "Zichatbot",
            "Valleyrat",
            "Memload",
            "Httpspy",
            "Coolclient",
            "Babyshark - s0414",
            "Appleseed - s0622",
            "Httpmalice",
            "Happydoor",
            "Randomquery",
            "Tutrat",
            "Troll stealer",
            "Xenorat",
            "Xrat"
          ],
          "industries": [
            "Manufacturing",
            "Defense",
            "Energy",
            "Healthcare",
            "Government"
          ],
          "unique_indicators": 50
        },
        "other": {
          "adversary": [
            "Kimsuky",
            "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users",
            "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager"
          ],
          "malware_families": [
            "Hellodoor",
            "Httptroy",
            "Zichatbot",
            "Valleyrat",
            "Memload",
            "Httpspy",
            "Coolclient",
            "Babyshark - s0414",
            "Appleseed - s0622",
            "Httpmalice",
            "Happydoor",
            "Randomquery",
            "Tutrat",
            "Troll stealer",
            "Xenorat",
            "Xrat"
          ],
          "industries": [
            "Manufacturing",
            "Defense",
            "Energy",
            "Healthcare",
            "Financial",
            "Government"
          ],
          "unique_indicators": 2034
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/yespp.co.kr",
    "whois": "http://whois.domaintools.com/yespp.co.kr",
    "domain": "yespp.co.kr",
    "hostname": "www.yespp.co.kr"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6a05af0979e3cc1214a50d4e",
      "name": "Disclosing new PebbleDash-based tools",
      "description": "Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...",
      "modified": "2026-05-14T18:12:49.059000",
      "created": "2026-05-14T11:16:25.351000",
      "tags": [
        "xrat",
        "vscode tunneling",
        "appleseed",
        "httptroy",
        "kimsuky",
        "spear-phishing",
        "south korea",
        "babyshark",
        "tutrat",
        "coolclient",
        "httpmalice",
        "zichatbot",
        "memload",
        "httpspy",
        "dwagent",
        "valleyrat",
        "happydoor",
        "pebbledash",
        "randomquery",
        "xenorat",
        "troll stealer",
        "hellodoor"
      ],
      "references": [
        "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloDoor",
          "display_name": "HelloDoor",
          "target": null
        },
        {
          "id": "httpMalice",
          "display_name": "httpMalice",
          "target": null
        },
        {
          "id": "MemLoad",
          "display_name": "MemLoad",
          "target": null
        },
        {
          "id": "httpTroy",
          "display_name": "httpTroy",
          "target": null
        },
        {
          "id": "AppleSeed - S0622",
          "display_name": "AppleSeed - S0622",
          "target": null
        },
        {
          "id": "HappyDoor",
          "display_name": "HappyDoor",
          "target": null
        },
        {
          "id": "BabyShark - S0414",
          "display_name": "BabyShark - S0414",
          "target": null
        },
        {
          "id": "RandomQuery",
          "display_name": "RandomQuery",
          "target": null
        },
        {
          "id": "xRAT",
          "display_name": "xRAT",
          "target": null
        },
        {
          "id": "XenoRAT",
          "display_name": "XenoRAT",
          "target": null
        },
        {
          "id": "TutRAT",
          "display_name": "TutRAT",
          "target": null
        },
        {
          "id": "httpSpy",
          "display_name": "httpSpy",
          "target": null
        },
        {
          "id": "Troll Stealer",
          "display_name": "Troll Stealer",
          "target": null
        },
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "CoolClient",
          "display_name": "CoolClient",
          "target": null
        },
        {
          "id": "ZiChatBot",
          "display_name": "ZiChatBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Defense",
        "Government",
        "Healthcare",
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 4,
        "URL": 5,
        "domain": 1,
        "hostname": 15
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386494,
      "modified_text": "16 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12fbc0117778eaba6e378a",
      "name": "EbeeMay2026 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-24T13:23:12.428000",
      "created": "2026-05-24T13:23:12.428000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "rnuarbvf url",
        "z5brjsogj789",
        "da6ah3",
        "goceqc6sk"
      ],
      "references": [],
      "public": 1,
      "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 84,
        "URL": 63,
        "CVE": 21,
        "FileHash-MD5": 204,
        "FileHash-SHA1": 197,
        "FileHash-SHA256": 220,
        "domain": 122,
        "email": 13,
        "hostname": 99
      },
      "indicator_count": 1023,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a06a56c4de4473292916686",
      "name": "Disclosing new PebbleDash-based tools",
      "description": "",
      "modified": "2026-05-15T04:47:40.282000",
      "created": "2026-05-15T04:47:40.282000",
      "tags": [
        "xrat",
        "vscode tunneling",
        "appleseed",
        "httptroy",
        "kimsuky",
        "spear-phishing",
        "south korea",
        "babyshark",
        "tutrat",
        "coolclient",
        "httpmalice",
        "zichatbot",
        "memload",
        "httpspy",
        "dwagent",
        "valleyrat",
        "happydoor",
        "pebbledash",
        "randomquery",
        "xenorat",
        "troll stealer",
        "hellodoor"
      ],
      "references": [
        "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloDoor",
          "display_name": "HelloDoor",
          "target": null
        },
        {
          "id": "httpMalice",
          "display_name": "httpMalice",
          "target": null
        },
        {
          "id": "MemLoad",
          "display_name": "MemLoad",
          "target": null
        },
        {
          "id": "httpTroy",
          "display_name": "httpTroy",
          "target": null
        },
        {
          "id": "AppleSeed - S0622",
          "display_name": "AppleSeed - S0622",
          "target": null
        },
        {
          "id": "HappyDoor",
          "display_name": "HappyDoor",
          "target": null
        },
        {
          "id": "BabyShark - S0414",
          "display_name": "BabyShark - S0414",
          "target": null
        },
        {
          "id": "RandomQuery",
          "display_name": "RandomQuery",
          "target": null
        },
        {
          "id": "xRAT",
          "display_name": "xRAT",
          "target": null
        },
        {
          "id": "XenoRAT",
          "display_name": "XenoRAT",
          "target": null
        },
        {
          "id": "TutRAT",
          "display_name": "TutRAT",
          "target": null
        },
        {
          "id": "httpSpy",
          "display_name": "httpSpy",
          "target": null
        },
        {
          "id": "Troll Stealer",
          "display_name": "Troll Stealer",
          "target": null
        },
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "CoolClient",
          "display_name": "CoolClient",
          "target": null
        },
        {
          "id": "ZiChatBot",
          "display_name": "ZiChatBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Defense",
        "Government",
        "Healthcare",
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "6a05af0979e3cc1214a50d4e",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 4,
        "URL": 5,
        "domain": 1,
        "hostname": 15
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "16 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0688489547846b3466f6a8",
      "name": "IOC - Kimsuky targets organizations with PebbleDash-based tools",
      "description": "Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group\u2019s latest campaigns.",
      "modified": "2026-05-15T02:43:20.292000",
      "created": "2026-05-15T02:43:20.292000",
      "tags": [
        "memload",
        "appleseed",
        "dropper",
        "happydoor",
        "jse dropper",
        "pidoc dropper",
        "vscode tunnel",
        "domains",
        "hellodoor https",
        "jscript"
      ],
      "references": [
        "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 3,
        "domain": 1,
        "hostname": 14
      },
      "indicator_count": 47,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "16 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "697a9015a6b6986b45485d39",
      "name": "EbeeJan2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-02-27T22:03:31.816000",
      "created": "2026-01-28T22:39:17.725000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1"
      ],
      "references": [
        "IOCs.csv"
      ],
      "public": 1,
      "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-MD5": 212,
        "FileHash-SHA1": 212,
        "FileHash-SHA256": 338,
        "URL": 16,
        "domain": 109,
        "email": 7,
        "hostname": 83
      },
      "indicator_count": 980,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "92 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69731fdee15e5e50297f2ed3",
      "name": "Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access",
      "description": "Recent analysis has revealed a targeted cyber campaign linked to Democratic People's Republic of Korea (DPRK) activity, focusing on individuals in South Korea. The attackers employ Javascript Encoded (JSE) scripts and government-themed documents as decoys to facilitate the deployment of a Visual Studio Code (VS Code) tunnel, establishing remote access to victim machines.\n\nThe malicious component in the campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document. This file is most likely disseminated through spear-phishing emails aimed at specific targets. Upon execution, the JSE file, through Windows Script Host, parses multiple Base64-encoded elements to perform its functions. The deceptive HWPX document purports to be related to student selection for a master's program set for 2026, mimicking official communications from the Ministry of Personnel Management, a legitimate government body in South Korea.",
      "modified": "2026-02-22T07:03:34.559000",
      "created": "2026-01-23T07:14:38.428000",
      "tags": [
        "cnapp",
        "darktrace",
        "cloud",
        "detection",
        "cloud security",
        "cloud native",
        "platforms",
        "runtime",
        "cloud brings",
        "runtime defence",
        "campaigns medusa",
        "nathaniel bill",
        "contagious interview",
        "darktrace identifies",
        "tara gould"
      ],
      "references": [
        "https://www.darktrace.com/blog/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland",
        "Sweden",
        "Spain",
        "Portugal",
        "Nigeria",
        "Kenya",
        "Qatar",
        "Chile",
        "Korea, Republic of"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        }
      ],
      "industries": [
        "Government",
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 1,
        "URL": 1,
        "hostname": 1
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "98 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.yespp.co.kr/common/include/code/out.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.yespp.co.kr/common/include/code/out.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212872.5313013
}