Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate - Malware Signed with Nexaweb Certificate
May 23, 2025, 10:05 p.m.
Description
AhnLab Security Intelligence Center discovered malware signed with Nexaweb Inc.'s certificate, linked to the Kimsuky group's activities. The malware, tracked as Larva-25004, was found in two files signed on May 24 and 28, 2024. When executed, it displays a PDF file related to employment as bait, likely targeting individuals interested in defense company jobs. The certificate's authenticity is still under investigation. The malware's characteristics match those of files signed with a Korean company's certificate, previously reported in connection with Kimsuky. This incident highlights the ongoing threat of certificate exploitation by sophisticated threat actors.
Tags
Date
- Created: May 23, 2025, 8:17 p.m.
- Published: May 23, 2025, 8:17 p.m.
- Modified: May 23, 2025, 10:05 p.m.
Indicators
- cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d
- 5b3cc9cced1ef0cb0bba5549cc2ac09c49ae10554d2409ea16bc5e118d278c15
- 000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7
Additional Informations
- Defense