We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger
TL;DR
On April 11, 2026, researcher @smica83 submitted a CHM file (`api_reference.chm`) to MalwareBazaar tagged #Kimsuky. We picked it up and walked the infrastructure. The C2 server at `check[.]nid-log[.]com` had directory listing enabled and was serving payloads to anyone who asked. We recovered the complete source code of all three attack stages before the actor could rotate:
- Stage 1 (6,338 bytes, VBScript): Full system reconnaissance — OS, CPU, RAM, processes, AV products, directory listings of Desktop/Documents/Downloads — plus persistence via a scheduled task disguised as "Edge Updater"
- Stage 2 (449 bytes, VBScript → PowerShell): Bridge script that downloads and `Invoke-Expression`s the keylogger
- Stage 3 (6,234 bytes, PowerShell): Complete keylogger with keystroke capture, clipboard monitoring, window tracking, and timed exfiltration using deliberately typo'd User-Agents (`Chremo` instead of Chrome, `Edgo` instead of Edge)
The C2 health check at `/pc/index.php` returns …
IoC
```yara
rule Kimsuky_Bootservice_CHM_Dropper {
    meta:
        description = "Kimsuky CHM dropper delivering VBS stager via bootservice.php C2"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-04-11"
        reference = "https://intel.breakglass.tech"
    strings:
        $c2_1 = "bootservice.php" ascii wide
        $c2_2 = "checkservice.php" ascii wide
        $c2_3 = "finalservice.php" ascii wide
        $c2_4 = "loggerservice.php" ascii wide
        $drop = "Links\\Link" ascii wide
        $ole = "Microsoft.XMLHTTP" ascii wide
        $persist = "OfficeUpdater" ascii wide
        $mutex = "AlreadyRunning19122345" ascii wide
        $ua_1 = "Chremo/" ascii wide
        $ua_2 = "Edgo/" ascii wide
    condition:
        any of ($c2_*) and any of ($drop, $ole, $persist, $mutex, $ua_*)
}
```
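The typo'd User-Agents and the C2 script names in the YARA rule above are just as usable on the network side, where they survive a domain rotation. As an added example that is not part of the report or its tooling, the following Python pass scans constructed proxy log lines (the log format, the client IPs and the benign hosts are assumptions) for both signals and tallies hits per client:

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines, not real traffic: client, method, URL, User-Agent.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
10.0.0.7 POST http://check.nid-log.com/api/loggerservice.php "Chremo/124.0 (Windows NT 10.0)"
10.0.0.7 GET http://check.nid-log.com/api/bootservice.php?tag=abc123 "Edgo/122.0"
10.0.0.9 GET http://example.org/update "Mozilla/5.0 Edge/122.0"
10.0.0.8 POST http://example.net/upload "Edgo/121.0"
10.0.0.7 GET http://check.nid-log.com/pc/index.php "Chremo/124.0"
"""

# Typo'd product tokens used by the stage-3 keylogger (Chremo/Edgo, not Chrome/Edge).
TYPO_UA = re.compile(r"\b(Chremo|Edgo)/", re.IGNORECASE)
# Server-side script names from the YARA rule plus the /pc/index.php health check path.
C2_PATHS = re.compile(
    r"/(bootservice|checkservice|finalservice|loggerservice)\.php\b|/pc/index\.php\b"
)
# Assumed log layout: "<client> <method> <url> "<user-agent>"".
LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious line, listing the reasons it matched."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        reasons = []
        if TYPO_UA.search(m["ua"]):
            reasons.append("typo_user_agent")
        if C2_PATHS.search(m["url"]):
            reasons.append("c2_script_path")
        if reasons:
            hits.append({"src": m["src"], "url": m["url"], "ua": m["ua"],
                         "reasons": ",".join(reasons)})
    return hits


def sources_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally hits per client so the noisiest host can be triaged first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["src"], h["reasons"], h["url"], h["ua"])
```

The fourth hit (client 10.0.0.8) matches on the User-Agent alone, which is the case that still fires after the actor moves to a new domain.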