Kimsuky's Five-Stage GrimResource Loader: When an MMC File Becomes a Shellcode Injector
TL;DR: A Kimsuky (APT43/Velvet Chollima) operation was caught deploying a five-stage loader chain that begins with a single .msc file -- a Microsoft Management Console configuration file -- and ends with 1MB of x86 shellcode injected directly into memory. The chain uses the GrimResource technique for initial execution, then cascades through JScript decryption, .NET BinaryFormatter deserialization (SortedSet gadget chain), XAML-based shellcode injection via XamlReader.Parse(), and finally native code execution via Marshal.GetDelegateForFunctionPointer(). The C2 infrastructure spans 14 IP addresses across UCloud HK (AS135377) and DAOU Technology (AS45996) in Seoul, Korea, using three dynamic DNS providers (dynv6.net, dns.army, v6.navy) for domain rotation. Every C2 server runs the same Apache 2.4.58 / PHP 8.0.30 / OpenSSL 3.1.3 stack -- a deployment fingerprint so uniform it could only come from automated provisioning.
A .msc File Walks Into a Network
When most security teams think about dangerous …
IoC
http://167.88.166.204
http://mhjjh.dynv6.net
http://3tg8i.dns.army
http://152.32.138.146
https://mhjjh.dynv6.net/
http://a7f3q.v6.navy
http://152.32.243.178
https://ndocs0link.dns.army/?naps
http://link-nid-log.oc9bk.dynv6.net/
http://link-nid-log.oq7n2.dynv6.net/
https://3tg8i.dns.army/
https://elecviews85.dynv6.net/?naps
http://27.102.137.140
http://elecviews85.dynv6.net
https://a7f3q.v6.navy/
http://118.194.248.246
http://link-nid-log.oq7n2.dynv6.net
http://link-nid-log.oc9bk.dynv6.net
http://118.193.69.19
http://daou.co.kr
http://27.102.138.125
http://118.194.249.109
http://118.194.248.134
http://101.36.114.231
http://118.194.248.183
http://152.32.139.149
http://101.36.114.66
http://ucloud.cn
http://152.32.243.215
http://ndocs0link.dns.army
118.194.248.183
27.102.137.140
167.88.166.204
101.36.114.231
118.194.248.246
118.194.249.109
101.36.114.66
118.193.69.19
152.32.139.149
152.32.243.215
152.32.243.178
27.102.138.125
152.32.138.146
118.194.248.134
f239e3fedc4926ff3cf58f95bacff9d8f11289e58036ed507ab3f435dce1b2b1
6db53d66629f95a2d830a4f56e8c69f2
66126fa42accfb183f72e25b20750b97
253d232e1485e7e60ff3380999412c773d0a9a14
95f4954ad79fa972bfd4fe217608ed5216c674e8ae6662cb8ffb31dbed50ec63