SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)

June 11, 2024, 10:31 a.m.


This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but later switched to using a downloader named SmallTiger. The final payload in the earlier attacks was DurianBeacon, a backdoor malware previously used by the Andariel group. The SmallTiger downloader was employed to download additional payloads, including information stealers and credential harvesters like Mimikatz and WebBrowserPassView. The attacks began in November 2023 and were ongoing as of May 2024, with the threat actor leveraging various distribution methods such as software updaters, mshta, and even GitHub.


Published Created Modified
June 11, 2024, 10:04 a.m. June 11, 2024, 10:04 a.m. June 11, 2024, 10:31 a.m.


Attack Patterns

Additional informations