AppleSeed

Malware Profile Updated 3 months ago
AppleSeed is a backdoor attributed to the North Korea-linked Kimsuky group and used in a series of intrusions, most prominently against South Korean government targets. It communicates with its command-and-control (C2) server through a two-layer command structure, giving the operators interactive control over compromised hosts, and it has been deployed alongside other Kimsuky tooling such as BabyShark. Delivery is typically by spear-phishing. In the campaigns against the South Korean government, the attackers reused infrastructure that had previously hosted Kimsuky phishing websites as AppleSeed C2, so known phishing domains and hosts are a useful pivot when hunting for this backdoor.

The infection chain described in the source reporting runs as follows: a script dropper opens a decoy PDF by calling WScript.Shell.Run, then launches the AppleSeed payload through PowerShell, which invokes regsvr32.exe to register and run the DLL. Both the decoy PDF and the payload are embedded in the dropper as Base64 strings; the payload is Base64-encoded twice, so it has to be decoded two times before the executable is recovered. For defenders, the practical hooks are the wscript → powershell → regsvr32 process chain, a regsvr32 call against a freshly written DLL, and the double-encoded blob inside the dropper. Cybereason's Nocturnus team documented related Kimsuky tooling in the KGH spyware report listed in the source references below.
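The double Base64 encoding described above is easy to miss in triage if a script only decodes once and gives up when no file magic appears. The following Python helper, added here as an illustration and not code from the page or from any vendor report, pulls quoted Base64 strings out of a dropper-like script and peels layers until it reaches a recognisable file header (%PDF for the decoy, MZ for the DLL). The dropper text and the embedded bytes are constructed stand-ins, not real AppleSeed artifacts.

```python
import base64
import binascii
import re

# Constructed stand-ins for the two embedded objects the profile describes.
# They are NOT real AppleSeed artifacts: just enough bytes to carry the
# file magic a triage script keys on (%PDF for the decoy, MZ for the DLL).
DECOY_PDF = b"%PDF-1.4\n% constructed decoy document\n"
PAYLOAD_DLL = b"MZ\x90\x00" + b"\x00" * 28 + b"constructed stand-in for a DLL body"

# Constructed dropper text mimicking the layout: the decoy is Base64-encoded
# once, the payload twice, as the description above states.
SAMPLE_DROPPER = (
    'var pdf = "' + base64.b64encode(DECOY_PDF).decode() + '";\n'
    'var dll = "' + base64.b64encode(base64.b64encode(PAYLOAD_DLL)).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
)

# File magics worth stopping on.
MAGICS = {b"%PDF": "pdf", b"MZ": "pe"}

# Quoted runs of Base64 alphabet long enough to be an embedded object.
B64_STRING = re.compile(rb'"([A-Za-z0-9+/]{16,}={0,2})"')


def identify(data: bytes):
    """Return a short type tag if the buffer starts with a known magic."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def peel_base64(blob: bytes, max_layers: int = 4):
    """Decode nested Base64 until a known magic appears.

    Returns (kind, layers_decoded, data). kind is None when no recognised
    magic was reached, either because decoding failed or max_layers ran out.
    """
    data = blob
    for layer in range(1, max_layers + 1):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None, layer - 1, data
        kind = identify(data)
        if kind is not None:
            return kind, layer, data
    return None, max_layers, data


def extract_embedded(script: str):
    """Find every embedded Base64 string in a dropper and peel it."""
    findings = []
    for match in B64_STRING.finditer(script.encode()):
        kind, layers, data = peel_base64(match.group(1))
        findings.append({"kind": kind, "layers": layers, "size": len(data)})
    return findings


if __name__ == "__main__":
    for finding in extract_embedded(SAMPLE_DROPPER):
        print(finding)
```

Run against the constructed sample, the decoy resolves after one layer and the payload after two, which is the pattern to expect from this dropper; a layer count higher than that, or a blob that never reaches a known magic, is worth a manual look rather than a dismissal.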
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile description
BabyShark | 1 | BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p…
Tinynuke | 1 | TinyNuke is a type of malware, specifically a banking Trojan, used to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your da…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Backdoor
Decoy
Windows
Android
Payload
Associated Malware
ID | Type | Votes | Profile description
Dtrack | Unspecified | 1 | DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz…
Associated Threat Actors
ID | Type | Votes | Profile description
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi…
Associated Vulnerabilities
ID | Type | Votes | Profile description
No associations to display
Source Document References
Information about the AppleSeed malware was read from the documents in the corpus listed below. The display is limited to 20 results.
Source | Created | Title
Securelist | 3 months ago | APT trends report Q1 2024 – Securelist
Checkpoint | 7 months ago | 1st January – Threat Intelligence Report - Check Point Research
CERT-EU | 7 months ago | Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks – GIXtools
CERT-EU | 7 months ago | Practice of law: best examples in legal work
CERT-EU | 9 months ago | Delete-your-data laws have a perennial problem: Data brokers who fail to register
CERT-EU | 9 months ago | iOS 17.1 includes a software fix for the recent iPhone OLED burn-in issue
MITRE | a year ago | Back to the Future: Inside the Kimsuky KGH Spyware Suite
MITRE | a year ago | Kimsuky APT continues to target South Korean government using AppleSeed backdoor
CSO Online | a year ago | Attacks on industrial infrastructure on the rise, defenses struggle to keep up