Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger
This threat involves a multi-stage attack campaign attributed to the Kimsuky group, targeting Korean Naver users via credential phishing and tax authority impersonation. The attack chain starts with a CHM dropper file that leads to execution of a VBScript stager, which performs system reconnaissance and establishes persistence through scheduled tasks. A VBScript bridge then launches a PowerShell keylogger that monitors keystrokes and clipboard data, exfiltrating information on a timed basis. The attackers operated a C2 infrastructure with directory listing enabled, exposing full source code of all payload stages. The infrastructure spans multiple domains and IPs linked to Korean VPS providers and previously documented Kimsuky campaigns. No patch or remediation guidance is provided, and this is an ongoing campaign rather than a software vulnerability. The severity is assessed as medium based on the described impact and targeting.
AI Analysis
Technical Summary
Researchers analyzed a Kimsuky-attributed campaign that uses a CHM file (api_reference.chm) as a dropper to initiate a three-stage attack chain. The first stage is a 6,338-byte VBScript that performs system reconnaissance and establishes persistence via scheduled tasks. The second stage is a 449-byte VBScript that acts as a bridge to launch the third stage, a 6,234-byte PowerShell keylogger with clipboard monitoring and timed data exfiltration. The C2 server at check[.]nid-log[.]com had directory listing enabled, which allowed recovery of the full source code for all payloads. The infrastructure includes over 79 domains and 5 IPs hosted on Korean VPS providers, linked to known Kimsuky infrastructure through shared DAOU Technology subnets. The operation targets Korean Naver users through credential phishing and tax authority impersonation. The server responded with a signature matching prior Kimsuky campaigns, indicating an upgraded Apache/PHP stack. This is a campaign-level threat with no direct software vulnerability or patch available.
Potential Impact
The campaign enables attackers to perform credential harvesting and persistent keylogging on targeted systems, potentially compromising user credentials and sensitive information. The multi-stage payload allows stealthy persistence and timed exfiltration of data. The targeting of Korean Naver users and tax authority impersonation suggests a focused espionage or information theft objective. The exposure of full source code from the C2 server could aid defenders in detection and mitigation but also confirms the sophistication and operational scale of the threat. There is no indication of exploitation beyond the described phishing and payload execution chain.
Mitigation Recommendations
No official patch or remediation is available because this is a threat campaign rather than a software vulnerability. Defenders should focus on user awareness to recognize phishing attempts, especially those impersonating tax authorities or relating to Naver services. Network defenders can use the recovered source code and the indicators from the referenced analysis to detect and block related payloads and C2 communications. Monitoring for newly created scheduled tasks and for PowerShell activity consistent with the described payloads (keystroke and clipboard capture with periodic outbound connections) may help identify infections. Since the C2 infrastructure is known and documented, blocking the associated domains and IPs can reduce exposure. Patch status is not applicable; check vendor or threat intelligence advisories for updates on detection and prevention.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery
- Adversary: Kimsuky
- Pulse Id: 69dd07742196e34ee1615b73
- Threat Score: null
Threat ID: 69dd171882d89c981f12541a
Added to database: 4/13/2026, 4:17:28 PM
Last enriched: 4/13/2026, 4:31:51 PM
Last updated: 4/14/2026, 10:17:05 AM