{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/appleseed/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Kimsuky","Black Banshee","Velvet Chollima","Emerald Sleet","Thallium"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VSCode","Cloudflare Quick Tunnels","GitHub authentication"],"_cs_severities":["high"],"_cs_tags":["kimsuky","apt","spear-phishing","malware","pebbledash","appleseed"],"_cs_type":"threat","_cs_vendors":["Microsoft","GitHub","Cloudflare"],"content_html":"\u003cp\u003eKimsuky, also known as APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail, is a prolific Korean-speaking threat actor that has been active since at least 2013. Kaspersky researchers have observed tactical shifts in the group\u0026rsquo;s recent campaigns, including the use of new malware variants based on the PebbleDash platform and connections to the AppleSeed malware cluster. Kimsuky has been leveraging legitimate tools, such as VSCode Tunneling and Cloudflare Quick Tunnels, as well as the open-source DWAgent remote monitoring and management tool. These activities primarily target South Korean entities in both the public and private sectors, with PebbleDash attacks also observed in Brazil and Germany. 
The group uses spear-phishing emails and messenger contacts to deliver malicious attachments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eKimsuky initiates the attack by sending spear-phishing emails or contacting targets via messengers.\u003c/li\u003e\n\u003cli\u003eThe initial contact leads to the delivery of a malicious attachment disguised as a document, typically packed inside a compressed archive.\u003c/li\u003e\n\u003cli\u003eThe archives contain droppers in formats such as .JSE, .EXE, .PIF, or .SCR, with filenames chosen to entice the recipient into opening them.\u003c/li\u003e\n\u003cli\u003eJSE droppers decode Base64-encoded blobs, including a benign lure document and the malicious next stage, and write them to locations such as C:\\ProgramData under random filenames.\u003c/li\u003e\n\u003cli\u003eThe benign lure is opened to deceive the user while the dropper runs \u003ccode\u003epowershell.exe -windowstyle hidden certutil -decode [src path] [dst path]\u003c/code\u003e to decode the next stage; the hidden window and the use of certutil as a decoder are the observable parts of this step.\u003c/li\u003e\n\u003cli\u003eThe decoded payload is executed from the command line, for example \u003ccode\u003eregsvr32.exe /s [file path]\u003c/code\u003e or \u003ccode\u003erundll32.exe [file path] [export function]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Reger Dropper (.SCR) and Pidoc Dropper (.PIF) instead decrypt their embedded payloads with XOR before writing files to directories such as %temp% or C:\\ProgramData.\u003c/li\u003e\n\u003cli\u003ePost-exploitation, Kimsuky uses legitimate tools such as Visual Studio Code (VSCode) tunnels and DWAgent for remote access and control, with the goal of maintaining backdoors and stealing information from the compromised systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eKimsuky primarily targets South Korean entities, including both public and private sectors. 
The PebbleDash cluster has also been observed targeting the medical, military, and defense industries worldwide, with compromises of Brazilian and South Korean defense organizations, as well as a German defense firm. A successful attack leads to the establishment of backdoors, data theft, and potential disruption of critical services. In 2024, the South Korean government released a security advisory regarding the AppleSeed cluster, demonstrating the significant impact of these attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eregsvr32.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e whose command line loads a module from a user-writable directory such as \u003ccode\u003e%temp%\u003c/code\u003e or \u003ccode\u003eC:\\ProgramData\u003c/code\u003e (see Attack Chain step 6). Both binaries are signed Windows components that live in System32, so the suspicious element is the path of the module they are asked to load, not the location of the loader itself. Deploy the Sigma rule \u0026ldquo;Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement detections for the JSE dropper chain, in which \u003ccode\u003epowershell.exe\u003c/code\u003e launched with a hidden window runs \u003ccode\u003ecertutil.exe -decode\u003c/code\u003e to reconstruct the payload (see Attack Chain step 5); either the PowerShell command line or the certutil child process with a PowerShell parent is enough to catch this step. 
Deploy the Sigma rule \u0026ldquo;Detect JSE Dropper with Certutil and Powershell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of legitimate remote-access tools such as VSCode (in particular \u003ccode\u003ecode.exe\u003c/code\u003e invoked with the \u003ccode\u003etunnel\u003c/code\u003e subcommand), \u003ccode\u003ecloudflared\u003c/code\u003e quick tunnels, or DWAgent from unexpected locations, under unexpected user accounts, or with unusual command-line arguments, since these are the channels used for post-exploitation access (see Attack Chain step 8). Where these tools have no business use in your environment, an allow-list of approved remote-access software makes any execution an alert.\u003c/li\u003e\n\u003cli\u003eScan your environment for the MD5 hashes listed in the IOC table to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening attachments from untrusted sources and verify the legitimacy of files before opening them, especially those disguised as documents or application installers (see Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T11:07:51Z","date_published":"2026-05-14T11:07:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kimsuky-pebbledash/","summary":"Kimsuky, a North Korean APT group, is actively targeting organizations, primarily in South Korea, with evolving tactics and tools, leveraging spear-phishing emails and messenger contacts to deploy malware such as PebbleDash and AppleSeed for establishing backdoors and stealing information.","title":"Kimsuky Targets Organizations with Evolving PebbleDash-Based Tools","url":"https://feed.craftedsignal.io/briefs/2026-05-kimsuky-pebbledash/"}],"language":"en","title":"CraftedSignal Threat Feed — Appleseed","version":"https://jsonfeed.org/version/1.1"}
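The two process-creation checks from the brief's first two recommendations (regsvr32/rundll32 loading a module from %temp% or C:\ProgramData, and a hidden-window PowerShell driving certutil -decode), written out as an added example. This is not CraftedSignal's or Kaspersky's code and not the Sigma rules the brief names; it encodes the same logic as Python functions and runs them over constructed Sysmon-style event ID 1 records. Field names (Image, CommandLine, ParentImage, ParentCommandLine) follow Sysmon; the file names, the user name "victim" and the event ids are made up, and the PowerShell command line is the one quoted in the brief with placeholder paths filled in.

```python
"""Process-creation checks for the two Kimsuky dropper behaviours in the brief.

Added example, not CraftedSignal's or Kaspersky's code and not the Sigma rules
the brief names; the same logic in Python, run over constructed Sysmon records.
"""
import re
from typing import Callable, Iterable

LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Directories a signed Windows loader is rarely asked to pull a module from.
# Matched against the lower-cased path; %temp% is accepted unexpanded because
# the dropper command lines quote it literally.
WRITABLE_DIRS = re.compile(
    r"^(c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\local\\temp\\|%temp%\\)"
)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden")        # -windowstyle hidden, -w hidden
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s+.*[-/]decode\b")
DECODE_SWITCH = re.compile(r"[-/]decode\b")


def basename(image: str) -> str:
    """Last path component, lower-cased ('' if the field is absent)."""
    return image.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def module_path(token: str) -> str:
    """Normalize a loader argument: lower-case and drop rundll32's ',Export' suffix."""
    return token.lower().split(",", 1)[0]


def loader_from_writable_dir(ev: dict) -> bool:
    """Attack Chain step 6: regsvr32/rundll32 loading a module from %temp% or ProgramData.
    The loaders are signed system binaries, so the signal is the module path, not
    the loader's own location."""
    if basename(ev["Image"]) not in LOADERS:
        return False
    args = (t for t in tokenize(ev["CommandLine"])[1:] if not t.startswith(("/", "-")))
    return any(WRITABLE_DIRS.match(module_path(t)) for t in args)


def hidden_powershell_certutil_decode(ev: dict) -> bool:
    """Attack Chain step 5: certutil -decode driven from a hidden-window PowerShell.
    Fires on the PowerShell event whose command line embeds the certutil call, and on
    the certutil child whose parent is that PowerShell, so either command-line logging
    or parent/child lineage is enough to catch the step."""
    img, cmd = basename(ev["Image"]), ev["CommandLine"].lower()
    if img == "powershell.exe":
        return bool(HIDDEN_WINDOW.search(cmd) and CERTUTIL_DECODE.search(cmd))
    if img == "certutil.exe" and DECODE_SWITCH.search(cmd):
        return (basename(ev.get("ParentImage", "")) == "powershell.exe"
                and bool(HIDDEN_WINDOW.search(ev.get("ParentCommandLine", "").lower())))
    return False


RULES: dict[str, Callable[[dict], bool]] = {
    "Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations": loader_from_writable_dir,
    "Detect JSE Dropper with Certutil and Powershell": hidden_powershell_certutil_decode,
}


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule name, event id) for every event that trips a rule."""
    return [(name, ev["Id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed records, not captured telemetry: file names, the user name and the
# event ids are made up; the PowerShell command line is the one quoted in the brief.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"powershell.exe -windowstyle hidden certutil -decode C:\ProgramData\rnd1.txt C:\ProgramData\rnd1.dll"
SAMPLE_EVENTS = [
    {"Id": "e1", "Image": PS, "CommandLine": PS_CMD,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe C:\Users\victim\Downloads\Report.jse"},
    {"Id": "e2", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\ProgramData\rnd1.txt C:\ProgramData\rnd1.dll",
     "ParentImage": PS, "ParentCommandLine": PS_CMD},
    {"Id": "e3", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\rnd1.dll",
     "ParentImage": PS, "ParentCommandLine": PS_CMD},
    {"Id": "e4", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "%temp%\rnd2.dll",Run',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Invoice.pif", "ParentCommandLine": ""},
    # benign controls: the same binaries with legitimate arguments must not fire
    {"Id": "b1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"Id": "b2", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\victim\Downloads\setup.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"Id": "b3", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe", "ParentCommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for name, event_id in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {name}")
```

Two design points carry over to a real SIEM rule: quote-aware tokenizing is what keeps `C:\Program Files\...` from being split into a false match on `C:\Program`, and the certutil check is written twice on purpose, so a deployment that only logs parent/child lineage (no full command line on the PowerShell event) still catches the chain at the certutil child.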