Larva-25010 – Analysis on the APT Down Threat Actor’s PC

This report consolidates the seven posts on the APT Down breach analysis that were published in the “Threat Notes” section of AhnLab TIP after the release of the “APT Down: the North Korea Files” report, together with additional analysis performed since.

  • Post on Aug 12, 2025, “APT DOWN – Analysis of Korean Organization Breach Status”
  • Post on Aug 13, 2025, “APT DOWN – Analysis of Korean Organization Breach Status (Part 2)”
  • Post on Aug 20, 2025, “APT DOWN – Analysis of Korean Organization Breach Status (Part 3): Government Agency Public Passwords (Presumed) Security Alert”
  • Post on Aug 25, 2025, “APT DOWN – High Possibility That Attacker Does Not Speak Korean and Is Chinese”
  • Post on Aug 27, 2025, “APT DOWN – Reconnaissance Activities Targeting Taiwan and Japan”
  • Post on Aug 29, 2025, “APT DOWN – APPM Product Leak and Data Decryption Attempt”
  • Post on Sep 8, 2025, “APT DOWN – Phishing Attacks Impersonating Naver and Kakao Login Pages”

The “APT Down: the North Korea Files” report and its related materials were released at DEF CON 33, the global hacking conference held in August 2025. The report was included in the 40th-anniversary issue of Phrack Magazine, a long-running hacking and security magazine.

The report’s authors, saber and cyb0rg, shared their analysis of a data dump taken from the APT threat actor’s workstation. In that data they identified traces of ongoing attacks against major South Korean government agencies, military institutions, and telecom companies. They claimed that the subject of their analysis was the Kimsuky threat actor group, which is affiliated with North Korea.

AhnLab SEcurity intelligence Center (ASEC) conducted additional analysis based on the report and the data published by the authors, and identified details beyond those in the published material. The findings are summarized in Table 1.

Category: Threat Actor
  • Threat actor proficient in Chinese
    • Collaborated with the Kimsuky threat actor group
    • Does not speak Korean and uses Chinese as their primary language
  • Part of a corporate organization
    • Active from 9:00 to 18:00 on weekdays
    • No activity on weekends or public holidays

Category: Key Attack Details
  • Targeted South Korea, Japan, and Taiwan
    • South Korea: phishing attacks identified
    • Japan: scanned for targets running vulnerable Sophos products
    • Taiwan: scanned for targets running vulnerable JBoss (WildFly) and Palo Alto Networks products

Category: Tools Used by Threat Actor
  • Ivanti CVE-2025-0282 exploit
  • Rootkit (Syslogk)
  • Backdoor (TinyShell)
  • Cobalt Strike Beacon
  • Phishing infrastructure

Category: Case TAG
  #APT Down #Larva-25010 #APT41 #UNC3886 #UNC5221 #Certificate Leak #Data Breach #Ivanti Exploit #syslogk #Tinyshell #Phishing #CobaltStrike

Table 1. Summary of analysis
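The working-hours observation in Table 1 (weekday activity from 9:00 to 18:00, nothing on weekends) is the kind of conclusion reached by shifting the timestamps of the actor’s activity into candidate time zones and checking which one places the activity inside an ordinary business day. The script below is an added illustration of that analysis and is not part of ASEC’s published work; the UTC timestamps it scores are constructed, and the 9:00–18:00 window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Local business-hours window to test against (assumed; end is exclusive).
WORK_START, WORK_END = 9, 18


def business_hour_fit(events_utc, offset_hours, start=WORK_START, end=WORK_END):
    """Fraction of events that fall on a weekday between start and end, local time,
    after shifting each UTC timestamp by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        # weekday(): Monday == 0 ... Sunday == 6
        if local.weekday() < 5 and start <= local.hour < end:
            inside += 1
    return inside / len(events_utc)


def rank_offsets(events_utc, offsets=range(-12, 15)):
    """Score every candidate UTC offset and return (offset, fit) pairs, best first.
    Ties are broken toward the smaller absolute offset, so the result is deterministic."""
    scores = {off: business_hour_fit(events_utc, off) for off in offsets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


def build_sample_events():
    """Constructed activity log (not real data): Mon 2025-08-04 to Fri 2025-08-08,
    one event per hour from 01:00 to 09:00 UTC, plus a single Saturday event."""
    base = datetime(2025, 8, 4, tzinfo=timezone.utc)  # a Monday
    events = [base + timedelta(days=d, hours=h) for d in range(5) for h in range(1, 10)]
    events.append(base + timedelta(days=5, hours=3))  # Saturday 03:00 UTC
    return events


if __name__ == "__main__":
    events = build_sample_events()
    for off, fit in rank_offsets(events)[:5]:
        print(f"UTC{off:+d}: {fit:.1%} of events inside weekday "
              f"{WORK_START}:00-{WORK_END}:00")
```

On the constructed input UTC+8 is the only offset that puts every weekday event inside the window; UTC+7 and UTC+9 each leave one hour per day outside it. In practice the same scoring is applied to file-system, shell-history and C2 timestamps, and the fit of neighbouring offsets (UTC+8 covers both China and Taiwan, UTC+9 covers Korea and Japan) is what has to be argued from other evidence, such as the language findings in the table.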

* Please refer to the attachment for more details.

MD5
  00dfce9ad207f77397dbbb6791d64a9e
  1d475427100ad95edca070d75fa3b267
  2c0fbdb97439e079bbd8919c39598508
  36d2be6eb548aee37852f7fbf38dcf30
  3b76316810d61e114015af617c5d0408

FQDN
  websecuritynotices[.]com

IP
  104[.]167[.]16[.]97
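To sweep an environment for the indicators above they first have to be refanged (the “[.]” notation exists so that the indicator is not accidentally resolved or clicked) and then matched as whole tokens, so that 104.167.16.97 does not also flag an unrelated 104.167.16.970. The script below is an added example and not part of the ASEC report; the DNS, proxy and EDR log lines it scans are constructed for illustration and are not from the breach data.

```python
import re

# Indicators exactly as published above, kept in their defanged form.
PUBLISHED_MD5 = [
    "00dfce9ad207f77397dbbb6791d64a9e",
    "1d475427100ad95edca070d75fa3b267",
    "2c0fbdb97439e079bbd8919c39598508",
    "36d2be6eb548aee37852f7fbf38dcf30",
    "3b76316810d61e114015af617c5d0408",
]
PUBLISHED_FQDN = ["websecuritynotices[.]com"]
PUBLISHED_IP = ["104[.]167[.]16[.]97"]

# Whole-token patterns: \b stops "104.167.16.97" matching inside "104.167.16.970".
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what logs actually contain."""
    v = value.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        v = v.replace(bracketed, ".")
    return v.replace("hxxp", "http")


def build_ioc_sets(md5s, fqdns, ips):
    return ({h.lower() for h in md5s}, {refang(d) for d in fqdns}, {refang(i) for i in ips})


def sweep(lines, md5_set, fqdn_set, ip_set):
    """Return (line_number, indicator_type, value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in MD5_RE.findall(line):
            if h.lower() in md5_set:
                hits.append((n, "md5", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in ip_set:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):  # also matches dotted IPs; those miss fqdn_set
            if host.lower() in fqdn_set:
                hits.append((n, "fqdn", host.lower()))
    return hits


def sweep_published(lines):
    return sweep(lines, *build_ioc_sets(PUBLISHED_MD5, PUBLISHED_FQDN, PUBLISHED_IP))


# Constructed sample log lines (not real telemetry). Line 3 is a near-miss IP and
# line 4 carries the hash in upper case to show the normalisation.
SAMPLE_LOGS = [
    "2025-08-12T09:14:03Z dns client=10.0.0.5 query=websecuritynotices.com type=A",
    "2025-08-12T09:14:05Z proxy client=10.0.0.5 dst=104.167.16.97:443 method=CONNECT",
    "2025-08-12T09:20:11Z proxy client=10.0.0.7 dst=104.167.16.970:443 method=CONNECT",
    "2025-08-12T10:02:40Z edr host=ws-0042 event=file_create md5=3B76316810D61E114015AF617C5D0408 path=/tmp/.x",
    "2025-08-12T10:03:00Z dns client=10.0.0.9 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for line_no, kind, value in sweep_published(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit on {value}")
```

Feed exported DNS, proxy and EDR lines to sweep_published(); each hit carries the line number and indicator type so it can be traced back to the source record. Host matching is exact, so a subdomain of websecuritynotices[.]com would not be reported unless the parent domain is added as its own indicator.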