AppleSeed

Malware Profile Updated 24 days ago
AppleSeed is a backdoor used by Kimsuky, a threat actor attributed to North Korea, and is typically delivered through spear-phishing. The malware uses a two-layer command structure to communicate with its command and control (C2) server, giving the operator control of the compromised host. It is tracked alongside other Kimsuky tooling such as BabyShark, and later campaigns deployed it together with Meterpreter and TinyNuke (see the sources below). Its deployment has been observed in several campaigns against South Korea's government, in which the attackers reused infrastructure previously used to host phishing websites for AppleSeed C2 communications. Public reporting on AppleSeed dates to at least 2021 (the Malwarebytes analysis listed below); the profile also draws on the Cybereason Nocturnus report on the Kimsuky KGH spyware suite.

Delivery, as documented by Malwarebytes: a JavaScript dropper first opens a decoy PDF by calling Wscript.Shell.Run, then launches PowerShell, which executes the AppleSeed DLL payload through regsvr32.exe. Both the decoy PDF and the payload are embedded in the script as Base64 strings, the payload encoded twice. For defenders, the useful signals in this chain are a Windows script host (wscript.exe) spawning powershell.exe whose command line invokes regsvr32.exe, and embedded Base64 blobs that decode to a PE or PDF header.
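The two checks above, as an added example written for this profile (not code from the page, from Malwarebytes, or from any other vendor report): one helper peels nested Base64 layers off an embedded blob and classifies the result, the other walks process-creation records looking for the script host to PowerShell to regsvr32 chain. All sample blobs and log records are constructed; the Sysmon-style field names (pid, ppid, image, cmdline) and the file paths in them are assumptions for illustration.

```python
"""Added example, not code from the profile or from any vendor report.

Two defender-side checks modelled on the AppleSeed delivery chain described
above: (1) peel nested Base64 layers off an embedded blob and classify what
comes out (PDF decoy vs. PE payload); (2) flag a process tree in which a
Windows script host launches powershell.exe that in turn invokes regsvr32.
All sample blobs and log records below are constructed; the Sysmon-style
field names (pid, ppid, image, cmdline) are an assumption for illustration.
"""
import base64
import binascii
import re

MAX_LAYERS = 4  # upper bound on nested encodings we are willing to unwrap

# --- constructed samples ---------------------------------------------------
FAKE_PE = b"MZ" + b"\x90" * 62                 # stand-in for a DLL payload
FAKE_PDF = b"%PDF-1.4\n%constructed decoy\n"   # stand-in for the decoy PDF
DOUBLE_B64_PE = base64.b64encode(base64.b64encode(FAKE_PE))  # encoded twice
SINGLE_B64_PDF = base64.b64encode(FAKE_PDF)                  # encoded once


def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS):
    """Strip Base64 layers until a known file signature appears.

    Returns (layers_removed, kind, data) where kind is "pe", "pdf" or
    "unknown". Strict decoding (validate=True) means anything that is not
    clean Base64 stops the loop instead of being silently mangled.
    """
    data = blob
    layers = 0
    while True:
        if data.startswith(b"MZ"):
            return layers, "pe", data
        if data.startswith(b"%PDF"):
            return layers, "pdf", data
        if layers >= max_layers:
            return layers, "unknown", data
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return layers, "unknown", data
        layers += 1


# --- constructed process-creation records (Sysmon EventID 1 style) ---------
PROCESS_EVENTS = [
    {"pid": 4101, "ppid": 3900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\invitation.js"'},
    {"pid": 4120, "ppid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c regsvr32.exe /s C:\ProgramData\update.dll"},
    {"pid": 5001, "ppid": 1000,   # benign admin use, must not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REGSVR32_RE = re.compile(r"\bregsvr32(\.exe)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def find_script_host_regsvr32(events):
    """Return PIDs of powershell.exe processes whose parent is a Windows
    script host and whose command line invokes regsvr32."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        if not REGSVR32_RE.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    for label, blob in (("payload", DOUBLE_B64_PE), ("decoy", SINGLE_B64_PDF)):
        layers, kind, _ = peel_base64(blob)
        print(f"{label}: {kind} after removing {layers} Base64 layer(s)")
    print("suspicious powershell PIDs:", find_script_host_regsvr32(PROCESS_EVENTS))
```

The parent-child check is deliberately narrow (script host directly above PowerShell) so that ordinary administrative PowerShell use does not fire; in a real pipeline the same logic would run over the full process tree rather than the three constructed records here.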
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Phishing, Backdoor, Malware
Source Document References
Information about the AppleSeed malware was read from the documents below (display limited to 20 results).

MITRE, a year ago: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
MITRE, a year ago: Back to the Future: Inside the Kimsuky KGH Spyware Suite
CSO Online, a year ago: Attacks on industrial infrastructure on the rise, defenses struggle to keep up
CERT-EU, 5 months ago: Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks – GIXtools
Securelist, 20 days ago: APT trends report Q1 2024 – Securelist
Checkpoint, 5 months ago: 1st January – Threat Intelligence Report - Check Point Research
CERT-EU, 6 months ago: Practice of law: best examples in legal work
CERT-EU, 7 months ago: iOS 17.1 includes a software fix for the recent iPhone OLED burn-in issue
CERT-EU, 7 months ago: Delete-your-data laws have a perennial problem: Data brokers who fail to register