APT Group Profiles - Larva-24005

April 22, 2025, 10:49 p.m.

Description

A new operation named Larva-24005, attributed to the Kimsuky group, was identified by ASEC. The threat actors exploited RDP vulnerabilities to gain initial access, then installed the MySpy malware and RDPWrap to keep remote desktop access open, and deployed keyloggers (KimaLogger and RandomQuery) to record user input. The group has targeted South Korea's software, energy, and financial sectors since October 2023, with activity extending to multiple other countries. Their methods include exploiting the BlueKeep vulnerability (CVE-2019-0708) and sending phishing emails. The attackers employ tools such as RDP scanners, droppers, and keyloggers in a multi-stage attack chain.
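The persistence step above (RDPWrap keeping RDP open after the initial RDP compromise) leaves host artifacts that a defender can hunt for. The following Python triage is an added example, not ASEC's or the profile's own tooling. It assumes Sysmon telemetry (Event ID 13 registry value set with TargetObject/Details, Event ID 11 file create with TargetFilename) and Security Event ID 4624 with LogonType 10 for RDP logons, and relies on the fact that RDP Wrapper works by repointing the TermService ServiceDll away from termsrv.dll to its own DLL. The event records are constructed sample data, and the internal network ranges are an assumed site configuration.

```python
"""Triage constructed Windows/Sysmon event records for the RDPWrap persistence
and external RDP logons described in the Larva-24005 profile.

Added example, not ASEC's or the profile's own tooling. Assumptions:
- Sysmon Event ID 13 (registry value set) carries TargetObject and Details.
- Sysmon Event ID 11 (file create) carries TargetFilename.
- Security Event ID 4624 with LogonType 10 is an RDP (RemoteInteractive) logon.
- RDP Wrapper repoints the TermService ServiceDll from termsrv.dll to its own
  DLL, so any non-default ServiceDll for TermService is the key indicator.
- INTERNAL_NETS is an assumed site configuration, not a universal rule.
"""
import ipaddress

# Tail of the registry path RDP Wrapper rewrites (case-insensitive match).
TERMSERVICE_SERVICEDLL = r"\services\termservice\parameters\servicedll"

# Assumed internal ranges; anything else is treated as an external source.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)


def is_rdpwrap_servicedll(event: dict) -> bool:
    """TermService ServiceDll set to anything other than the stock termsrv.dll."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return target.endswith(TERMSERVICE_SERVICEDLL) and "termsrv.dll" not in details


def is_rdpwrap_file_drop(event: dict) -> bool:
    """RDP Wrapper's DLL or its INI configuration written to disk."""
    if event.get("EventID") != 11:
        return False
    name = event.get("TargetFilename", "").lower()
    return name.endswith(("rdpwrap.dll", "rdpwrap.ini"))


def is_external_rdp_logon(event: dict) -> bool:
    """Successful RemoteInteractive logon whose source is outside INTERNAL_NETS."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return False
    try:
        ip = ipaddress.ip_address(event.get("IpAddress", ""))
    except ValueError:  # "-" or missing address: nothing to classify
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(events: list) -> list:
    """Return (finding, detail) pairs in event order."""
    findings = []
    for e in events:
        if is_rdpwrap_servicedll(e):
            findings.append(("rdpwrap_servicedll_hijack", e["Details"]))
        elif is_rdpwrap_file_drop(e):
            findings.append(("rdpwrap_file_drop", e["TargetFilename"]))
        elif is_external_rdp_logon(e):
            findings.append(("external_rdp_logon", f"{e['TargetUserName']}@{e['IpAddress']}"))
    return findings


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a
# documentation range standing in for an attacker's public address.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 13,  # benign: the stock value, must not be flagged
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\System32\termsrv.dll"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk", "IpAddress": "10.0.0.8"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
]

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_EVENTS):
        print(f"{finding}: {detail}")
```

The ServiceDll check deliberately flags any value that is not termsrv.dll rather than matching the string "rdpwrap", since a renamed DLL would otherwise slip past; the file-name check is the weaker, name-based signal and is kept as a secondary indicator. The external-logon rule should be paired with the organisation's real address plan, and a BlueKeep exposure review should separately confirm that no Windows 7 / Server 2008-era hosts still expose port 3389 unpatched for CVE-2019-0708.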

Date

  • Created: April 22, 2025, 4:40 p.m.
  • Published: April 22, 2025, 4:40 p.m.
  • Modified: April 22, 2025, 10:49 p.m.

Attack Patterns

  • KimaLogger
  • MySpy
  • RandomQuery
  • Larva-24005

Additional Information

  • Software
  • Energy
  • Finance
  • South Africa
  • Singapore
  • Belgium
  • China
  • Netherlands
  • Poland
  • Thailand
  • Canada
  • Japan
  • Germany
  • Mexico
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America