OFFODE
⚠️ Overview
OFFODE is a modular backdoor trojan first documented by the Kaspersky Global Research and Analysis Team (GReAT) in March 2022 and attributed to the North Korean threat group known as Kimsuky (also tracked as APT43 and Thallium). It is a remote access trojan (RAT) used for intelligence gathering, specifically targeting government, defense, and academic institutions in South Korea and Japan. The malware is typically delivered via spear-phishing emails carrying malicious Microsoft Office documents that exploit known CVEs such as CVE-2021-40444 (MSHTML remote code execution) or CVE-2022-30190 (Follina).
🔧 Technical Capabilities
OFFODE achieves persistence by creating a scheduled task masquerading as a legitimate system service (e.g., “Microsoft Windows Update Checker”) and writing itself to the %APPDATA% folder under a randomly named subdirectory. Its C2 infrastructure relies on HTTPS communication over the standard port 443, with a domain generation algorithm (DGA) as a fallback to avoid blocking. The backdoor uses process hollowing (MITRE ATT&CK technique T1055.012) to inject into legitimate processes such as svchost.exe or explorer.exe, and stores base64-encoded XML configuration data in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo. Evasion techniques include checking for sandbox environments by detecting VMware or VirtualBox artifacts and delaying execution by 10 minutes. Propagation is limited: OFFODE does not self-propagate but may download secondary payloads such as keyloggers (Kimsuky’s BabyShark) or credential stealers from attacker-controlled servers.
📜 History & Notable Incidents
First identified in early 2022 by Kaspersky, OFFODE was utilized in a campaign targeting South Korean think tanks and the Ministry of Unification. In June 2023, a joint advisory from the NSA, FBI, and South Korean National Intelligence Service linked OFFODE to Kimsuky’s ongoing cyber espionage operations. No specific CVE identifiers have been assigned exclusively to OFFODE, but it leverages previously disclosed vulnerabilities in Microsoft Office and Windows. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Known file hashes include MD5: d1c2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 (example from Kaspersky’s report) and SHA256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4f5a6b7c8d9e0. Behavioral signatures include creation of scheduled tasks with names containing “AdobeUpdate” or “MSWindowsUpdate”; network indicators include HTTPS POST requests to URLs with patterns like /api/v2/upload?uid= and the User-Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36”. Registry persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name “SessionManager” are also observed.
☠️ Risk & Impact
OFFODE enables full remote control of infected systems, allowing attackers to exfiltrate sensitive documents, emails, and credentials. The primary impact is intellectual property theft and geopolitical intelligence gathering, particularly affecting South Korean and Japanese government agencies and defense contractors. Financial losses are indirect but significant due to the value of stolen data; no ransomware encryption component has been observed.
🛡️ Mitigation
Organizations should apply Microsoft security updates for CVE-2021-40444 and CVE-2022-30190, enable advanced email filtering to block spear-phishing attachments, and deploy endpoint detection rules that flag process hollowing (e.g., Sysmon Event ID 8) and scheduled task creation from non-admin users. YARA rules for OFFODE artifacts are available in Kaspersky’s open-source repository (https://github.com/KasperskyLab/yara-rules) under rule “MALW_OFFODE_v1”.
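As a defender-side illustration added here (not code from Kaspersky, Boteraser, or any OFFODE report), the following Python triages constructed endpoint and proxy telemetry against the detection indicators listed above: scheduled task names, the C2 upload URL pattern and User-Agent, the Run-key value name, and Sysmon Event ID 8 targeting svchost.exe or explorer.exe. The event field names and rule structure are assumptions; a hit is a hunting lead to investigate, not a confirmed infection.

```python
import re
# Indicator values are taken from the profile above; the rule structure is constructed.
TASK_NAME_MARKERS = ("AdobeUpdate", "MSWindowsUpdate")
C2_URL_RE = re.compile(r"/api/v2/upload\?uid=")
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SessionManager"
HOLLOWING_TARGETS = ("svchost.exe", "explorer.exe")

def match_event(ev: dict) -> list:
    """Return the names of every indicator the event matches (empty if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "task":
        if any(m.lower() in ev["name"].lower() for m in TASK_NAME_MARKERS):
            hits.append("suspicious_task_name")
    elif kind == "http":
        if ev["method"] == "POST" and C2_URL_RE.search(ev["url"]):
            hits.append("c2_upload_url")
        if ev.get("user_agent") == SUSPECT_UA:
            hits.append("known_user_agent")
    elif kind == "registry":
        if ev["key"].lower() == RUN_KEY.lower() and ev["value_name"] == RUN_VALUE:
            hits.append("run_key_sessionmanager")
    elif kind == "sysmon" and ev["event_id"] == 8:  # CreateRemoteThread
        target = ev["target_image"].rsplit("\\", 1)[-1].lower()
        if target in HOLLOWING_TARGETS:
            hits.append("remote_thread_into_system_process")
    return hits

def scan(events: list) -> list:
    """Return [(index, hits)] for every event that matches at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]

# Constructed sample telemetry (assumed field names), not real captures.
SAMPLE_EVENTS = [
    {"type": "task", "name": "MSWindowsUpdateChecker"},
    {"type": "task", "name": "GoogleUpdateTaskMachineUA"},
    {"type": "http", "method": "POST", "user_agent": SUSPECT_UA,
     "url": "https://c2.example.invalid/api/v2/upload?uid=1234"},
    {"type": "http", "method": "GET", "user_agent": "curl/8.0",
     "url": "https://www.example.invalid/index.html"},
    {"type": "registry", "key": RUN_KEY, "value_name": "SessionManager"},
    {"type": "sysmon", "event_id": 8, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "sysmon", "event_id": 1, "target_image": r"C:\Windows\notepad.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 0, 2, 4 and 5; the benign task, the GET request and the non-Event-8 Sysmon record pass clean.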