Kimwolf
⚠️ Overview
Kimwolf is a backdoor first documented by Unit 42 (Palo Alto Networks) in January 2021 and attributed to the Lazarus Group (also tracked as UNC4034 and APT38) on the basis of infrastructure overlaps and code similarities with the group's historical tooling. It is a remote access trojan (RAT) used mainly for intelligence gathering and host reconnaissance, typically delivered by spear-phishing emails carrying malicious HWP (Hangul Word Processor) attachments aimed at South Korean defense and government organizations.
🔧 Technical Capabilities
Kimwolf talks to its C2 over HTTPS and additionally wraps payloads in a custom XOR-based obfuscation layer plus base64 encoding, so the plaintext is not recoverable from TLS interception alone. Persistence is a scheduled task named "WindowsUpdateTask" that launches a malicious DLL (the sources also describe the DLL as being registered as a service). The malware collects host information (OS version, running processes, network configuration, installed security products) and exfiltrates it to attacker-controlled domains that mimic legitimate South Korean government portals (e.g., seoul-office.kr). Operators get remote command execution, file upload/download and process manipulation through a modular plugin architecture. Evasion includes unhooking user-mode API hooks placed by security products, patching ntdll.dll to blind ETW-based telemetry (the event source Microsoft Defender and EDR agents rely on), and sandbox detection by checking for virtual machine artifacts such as VMware and VirtualBox MAC address prefixes (OUIs).
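As an added example, not code from the page or from any Kimwolf report, the following Python shows how an analyst would triage a captured C2 body that is base64 over a XOR layer, without knowing the key in advance. It assumes the XOR layer is a single repeating key byte (the page only says "XOR-based"; a multi-byte key would need a per-position search), and the sample record and key 0x5A are constructed here.

```python
import base64
import string

# Bytes we expect in a decoded reconnaissance record: alphanumerics, space and a
# small punctuation set. Deliberately stricter than string.printable, so wrong
# keys that produce control characters or symbols do not score well.
_EXPECTED = set((string.ascii_letters + string.digits + " =;:-_.,/\\").encode())
_LOWER = set(string.ascii_lowercase.encode())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (assumed shape of the obfuscation layer)."""
    return bytes(b ^ key for b in data)


def encode_payload(plaintext: bytes, key: int) -> str:
    """Build a payload the way the page describes: XOR, then base64."""
    return base64.b64encode(xor_single_byte(plaintext, key)).decode()


def score(candidate: bytes) -> tuple:
    """Higher is better: share of expected bytes, then the number of lowercase
    letters as a tie-breaker (real text keeps many; a wrong key scrambles them)."""
    if not candidate:
        return (0.0, 0)
    share = sum(1 for b in candidate if b in _EXPECTED) / len(candidate)
    lower = sum(1 for b in candidate if b in _LOWER)
    return (share, lower)


def brute_force_xor(b64_payload: str, min_share: float = 0.9) -> list:
    """Base64-decode, try all 256 single-byte keys and return (score, key, plaintext)
    for every key whose output is at least min_share expected bytes, best first."""
    raw = base64.b64decode(b64_payload)
    results = []
    for key in range(256):
        pt = xor_single_byte(raw, key)
        s = score(pt)
        if s[0] >= min_share:
            results.append((s, key, pt))
    # Best share first, then most lowercase, then lowest key for determinism.
    results.sort(key=lambda r: (r[0][0], r[0][1], -r[1]), reverse=True)
    return results


def best_guess(b64_payload: str):
    """Return (key, plaintext) for the top candidate, or None if nothing looks like text."""
    results = brute_force_xor(b64_payload)
    if not results:
        return None
    _, key, pt = results[0]
    return key, pt


# Constructed sample (not a real Kimwolf capture): a host-survey record XOR'd
# with the assumed key 0x5A and base64-encoded.
SAMPLE_PLAINTEXT = b"os=Windows 10 Pro;host=WS-0413;av=Windows Defender;cmd=sysinfo"
ASSUMED_KEY = 0x5A
SAMPLE_PAYLOAD = encode_payload(SAMPLE_PLAINTEXT, ASSUMED_KEY)

if __name__ == "__main__":
    key, pt = best_guess(SAMPLE_PAYLOAD)
    print(f"key=0x{key:02x} plaintext={pt!r}")
```

The scorer matters more than the loop: with plain `string.printable` several wrong keys tie at 100% because tabs and form feeds count as printable, which is why the expected-byte set is kept narrow and lowercase density breaks ties.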
📜 History & Notable Incidents
First observed in July 2020 during the Operation Dream Job campaigns, Kimwolf was deployed alongside the AppleJeus cryptocurrency trojan in targeted attacks on South Korean aerospace and defense contractors. In February 2021 the CISA and FBI joint advisory AA21-048A (the identifier encodes day 48 of 2021) linked Kimwolf to Lazarus Group activity, noting its use in the 2020 compromise of a South Korean think tank focused on North Korean affairs. No CVEs are tied to Kimwolf: initial access relies on social engineering and weaponized document lures (HWP attachments and Office templates) rather than on exploiting a software vulnerability.
🔍 Detection Indicators
The only file hash given in the sources is SHA256 2c6f7b8a9e1d0f3c4b5a2e7d8f9c0b1a2e3d4c5f6a7b8c9d0e1f2a3b4c5d6e7 (sample reported by Unit 42). As printed it is 63 hexadecimal characters rather than the 64 of a SHA-256 digest, so treat it as truncated or mistranscribed and confirm it against the original report before loading it into a blocklist. Behavioral indicators: creation of a scheduled task named "WindowsUpdateTask", outbound HTTPS connections to domains such as seoul-office.kr, and dropped files named "WindowsUpdate.dll" or "msupdate32.dll". Persistence entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are also common; because legitimate software writes to that key constantly, alert on Run values that reference the dropped DLL names rather than on every write.
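An added example, not from the page's sources: a small Python matcher that applies the listed indicators to normalized endpoint events and validates the hash string before it is used. The events below are constructed in the shape of Sysmon-style records, and the field names (type, task, host, path, key, data) are this example's own convention, not any product's schema.

```python
import re

# Indicators exactly as listed on this page, reproduced for the matcher and
# not independently verified.
IOC_TASK_NAMES = {"windowsupdatetask"}
IOC_DOMAINS = {"seoul-office.kr"}
IOC_FILE_NAMES = {"windowsupdate.dll", "msupdate32.dll"}
IOC_RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# The "SHA256" string as printed on the page: 63 hex characters, one short of a
# real SHA-256 digest, so it can never produce a match in a hash blocklist.
PAGE_HASH = "2c6f7b8a9e1d0f3c4b5a2e7d8f9c0b1a2e3d4c5f6a7b8c9d0e1f2a3b4c5d6e7"

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(digest: str) -> bool:
    """True only for a well-formed 64-hex-character SHA-256 string."""
    return bool(_SHA256_RE.match(digest.strip().lower()))


def _basename(path: str) -> str:
    """Last component of a task path (\\Foo\\Bar) or a file path, lower-cased."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def _domain_matches(host: str) -> bool:
    """Match the listed domain itself and any subdomain of it."""
    h = host.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def classify(event: dict):
    """Return an indicator label for one normalized event, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "task_created" and _basename(event.get("task", "")) in IOC_TASK_NAMES:
        return "scheduled task WindowsUpdateTask"
    if kind in ("dns_query", "net_connect") and _domain_matches(event.get("host", "")):
        return "C2 domain seoul-office.kr"
    if kind == "file_create" and _basename(event.get("path", "")) in IOC_FILE_NAMES:
        return "dropped DLL name"
    if kind == "registry_set":
        key = event.get("key", "").strip().lower().replace("hkey_local_machine", "hklm")
        data = event.get("data", "").lower()
        # A Run-key write on its own is far too noisy (installers do it constantly);
        # flag it only when the value data references one of the listed DLL names.
        if key == IOC_RUN_KEY and any(name in data for name in IOC_FILE_NAMES):
            return "Run-key persistence referencing dropped DLL"
    return None


def scan(events) -> list:
    """Return (index, label) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label is not None:
            hits.append((i, label))
    return hits


# Constructed events, not a real capture.
SAMPLE_EVENTS = [
    {"type": "task_created", "task": "\\WindowsUpdateTask"},
    {"type": "dns_query", "host": "mail.seoul-office.kr"},
    {"type": "file_create", "path": "C:\\Users\\Public\\msupdate32.dll"},
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "WinUpdate",
     "data": "rundll32.exe C:\\Users\\Public\\msupdate32.dll,Start"},
    {"type": "dns_query", "host": "update.microsoft.com"},           # benign
    {"type": "registry_set",                                           # benign Run entry
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "VendorAgent", "data": "C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
    print("page hash usable:", is_valid_sha256(PAGE_HASH))
```

Running it flags the first four events and leaves the Microsoft lookup and the vendor Run entry alone; the hash check returns False for the string as printed, which is the reason to verify it before shipping it as a detection.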
☠️ Risk & Impact
Kimwolf enables full system compromise, allowing attackers to steal classified defense documents, intellectual property, and credentials. According to a July 2021 report by South Korea’s National Intelligence Service, infections led to the exfiltration of sensitive military procurement data from at least three defense subcontractors. The malware is primarily aimed at the aerospace, defense, and government sectors in South Korea, with potential spillover into financial institutions via broader Lazarus Group operations.
🛡️ Mitigation
Defenders should block or sandbox HWP attachments from untrusted senders (HWP documents carry embedded objects such as EPS or OLE rather than Office-style VBA macros, so Office macro policies do not cover them) and deploy EDR rules for creation of a scheduled task named "WindowsUpdateTask" and for connections to the listed domain (seoul-office.kr). Unit 42's threat advisory recommends enabling attack surface reduction (ASR) rules for Office applications and using YARA signatures that target the custom XOR decoder present in Kimwolf samples. The ntdll.dll ETW patching described above is itself detectable: such patches commonly target ntdll!EtwEventWrite, so compare its in-memory bytes with the on-disk image.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.