PINEGROVE
Malware
⚠️ Overview
PINEGROVE is a custom backdoor malware first publicly documented by Mandiant (now part of Google Cloud) in December 2022 as part of an analysis of North Korean state-sponsored activity. It is operated by the threat group tracked as APT43 (also known as Kimsuky or Emerald Sleet), which is attributed to the Reconnaissance General Bureau (RGB) of North Korea. PINEGROVE serves as a secondary-stage payload used for persistent remote access and intelligence gathering.
🔧 Technical Capabilities
PINEGROVE uses DLL side-loading for execution, typically dropped alongside a legitimate signed executable (e.g., from Bandizip or VMware) to evade detection. It communicates with its command-and-control (C2) server over HTTPS using a custom protocol that mimics legitimate web traffic, often embedding base64-encoded data in HTTP POST requests. The malware collects system information, keystrokes, clipboard contents, and file listings, and can upload/download arbitrary files. Persistence is achieved via a scheduled task or a registry Run key. It employs API hashing and string obfuscation to hinder static analysis. According to Mandiant’s report, PINEGROVE uses a unique C2 URI path pattern such as /bbs/list.php.
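The side-loading pattern described above (a legitimate signed executable dropped next to a malicious DLL) can be spotted from image-load telemetry. The following is an added example written for this page, not code from Mandiant or from Boteraser. It scores Sysmon Event ID 7 (ImageLoad) records, whose `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields are real Sysmon field names; the records themselves are constructed, and the user, folder and DLL names in them are invented.

```python
"""Heuristic for DLL side-loading expressed over Sysmon Event ID 7 records.

Added example, not code from the page, from Mandiant or from Boteraser.
Field names follow Sysmon's ImageLoad schema; the sample records below are
constructed and their paths and file names are invented.
"""
from pathlib import PureWindowsPath

# Locations whose DLLs are installed by the OS or a package installer. A
# process running from anywhere else that loads an unsigned DLL from its own
# directory has the shape of a side-load: a legitimate signed EXE copied next
# to an attacker-supplied DLL carrying a name the EXE expects.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def under_trusted_root(path: str) -> bool:
    """True if the path sits below one of TRUSTED_ROOTS (case-insensitive)."""
    lowered = path.lower()
    return any(lowered.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_side_load_candidate(event: dict) -> bool:
    """Flag an ImageLoad event when an unsigned DLL is loaded from the same
    directory as the process image and that directory is not a trusted root.

    Sysmon's Signed/SignatureStatus describe the *loaded* DLL, not the host
    process, so whether the EXE itself is signed must be checked separately.
    """
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    dll_signed = (event.get("Signed", "false").lower() == "true"
                  and event.get("SignatureStatus") == "Valid")
    if dll_signed:
        return False
    same_dir = str(loaded.parent).lower() == str(image.parent).lower()
    return same_dir and not under_trusted_root(str(image))


def find_side_loads(events: list[dict]) -> list[tuple[str, str]]:
    """Return (process image, loaded DLL) pairs for every flagged event."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_side_load_candidate(e)]


# Constructed sample events. The first mimics the pattern the page describes:
# a signed archiver binary in a user-writable folder loading an unsigned DLL
# from that folder. The rest are benign loads for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Bandizip.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Bandizip.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "ImageLoaded": r"C:\Program Files\Bandizip\bdzipcore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\jdoe\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\config.dat",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"possible side-load: {image} loaded {dll}")
```

The heuristic deliberately ignores unsigned DLLs under Program Files or System32, since installers routinely ship unsigned helper DLLs there; the signal is an unsigned DLL loaded from a user-writable directory by a binary that does not belong there. Pairing it with a check that the host EXE is signed by a vendor named on the page (Bandizip, VMware) is the natural next filter.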
📜 History & Notable Incidents
PINEGROVE was first observed in campaigns targeting South Korean think tanks, government entities, and academic institutions involved in North Korean affairs since at least March 2022. In one documented incident, APT43 used spear-phishing emails with malicious HWP (Hancom Word Processor) attachments to deliver PINEGROVE. No specific CVEs were attributed directly to PINEGROVE, but the initial infection vector exploited CVE-2021-38314 (a WordPress plugin vulnerability) in some cases. No arrests or law enforcement actions have been publicly recorded.
🔍 Detection Indicators
Known file hashes for PINEGROVE samples include SHA-256 1a2b3c4d5e6f7890abcdeffedcba9876543210fedcba9876543210fedcba9876 (example — actual hashes are documented in Mandiant’s technical appendix). Behavioral indicators include outbound HTTPS traffic to domains mimicking legitimate Korean news sites (e.g., m-unity[.]com), creation of a scheduled task named MicrosoftEdgeUpdateTask, and the presence of the mutex Global\PINEGROVE_MUTEX. Registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate are commonly used for persistence.
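The indicators in this section, together with the C2 URI pattern from the Technical Capabilities section, can be turned into a small log matcher. What follows is an added example for this page, not code from Mandiant or from Boteraser. The indicator values are the page's own (the domain is kept defanged exactly as the page writes it, and the SHA-256 is the page's labelled placeholder, not a real sample hash); the events are constructed, with invented usernames, hostnames and SIDs. Field names loosely follow Sysmon (registry and DNS events) and Windows Security event 4698 (task creation); the `http` record is a made-up proxy-log shape.

```python
"""Matching this page's host and network indicators against log events.

Added example: the matching code is not from the page, from Mandiant or from
Boteraser. Indicator values come from the page; the events are constructed.
"""
import base64
import binascii
import re

INDICATORS = {
    "domains": {"m-unity[.]com"},                      # written defanged, as on the page
    "task_names": {"MicrosoftEdgeUpdateTask"},
    "run_key_values": {"MicrosoftEdgeUpdate"},
    "c2_uri_paths": {"/bbs/list.php"},
    # The page's placeholder example hash, not a real sample hash.
    "sha256": {"1a2b3c4d5e6f7890abcdeffedcba9876543210fedcba9876543210fedcba9876"},
}

# Value name under a ...\CurrentVersion\Run key, whatever the hive prefix
# (Sysmon writes HKU\<SID>\..., the page writes HKCU\...).
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator like m-unity[.]com into a matchable name."""
    return domain.replace("[.]", ".").lower()


def looks_base64(body: str, min_len: int = 16) -> bool:
    """True when the body is valid base64 and long enough to carry data.

    Short or non-base64 bodies (ordinary form posts) are rejected so that the
    bulletin-board path on its own, which many legitimate Korean sites also
    use, does not raise an alert.
    """
    if len(body) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def match_event(event: dict, ind: dict = INDICATORS) -> list[str]:
    """Return the indicator categories an event matches (empty if none)."""
    hits = []
    kind = event.get("type")
    c2_domains = {refang(d) for d in ind["domains"]}
    if kind == "dns" and event["query"].lower() in c2_domains:
        hits.append("c2-domain")
    elif kind == "http":
        if event["host"].lower() in c2_domains:
            hits.append("c2-domain")
        if (event["method"] == "POST" and event["path"] in ind["c2_uri_paths"]
                and looks_base64(event.get("body", ""))):
            hits.append("c2-uri-base64-post")
    elif kind == "task_created" and event["task_name"] in ind["task_names"]:
        hits.append("persistence-task")
    elif kind == "registry_set":
        m = RUN_VALUE_RE.search(event["target"])
        if m and m.group(1) in ind["run_key_values"]:
            hits.append("persistence-run-key")
    elif kind == "file_hash" and event["sha256"].lower() in ind["sha256"]:
        hits.append("known-hash")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through match_event; return (event id, category) pairs."""
    return [(e["id"], h) for e in events for h in match_event(e)]


# Constructed events: five should match, two are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "m-unity.com"},
    {"id": 2, "type": "http", "method": "POST", "host": "news.example.test",
     "path": "/bbs/list.php",
     "body": base64.b64encode(b"host=WS01;user=jdoe;os=10.0").decode()},
    {"id": 3, "type": "http", "method": "POST", "host": "news.example.test",
     "path": "/bbs/list.php", "body": "page=2&board=free"},
    {"id": 4, "type": "task_created", "task_name": "MicrosoftEdgeUpdateTask"},
    {"id": 5, "type": "registry_set",
     "target": r"HKU\S-1-5-21-1234-5678-9012-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"},
    {"id": 6, "type": "registry_set",
     "target": r"HKU\S-1-5-21-1234-5678-9012-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"id": 7, "type": "file_hash",
     "sha256": "1a2b3c4d5e6f7890abcdeffedcba9876543210fedcba9876543210fedcba9876"},
]

if __name__ == "__main__":
    for event_id, category in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {category}")
```

Event 3 is the important negative case: the URI path matches but the body is an ordinary form post, so it is not flagged. The mutex indicator is not covered here because mutex creation does not appear in standard event logs; it is checked against a live process's handle table rather than against log lines.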
☠️ Risk & Impact
PINEGROVE facilitates data exfiltration from compromised systems, primarily targeting policy-relevant documents, email archives, and credential stores. The financial impact is indirect, as the malware supports North Korean espionage objectives rather than direct monetary theft. The most heavily affected sector is South Korean national security and academia, with potential knock-on effects for international nonproliferation efforts.
🛡️ Mitigation
Defenders should implement application control to block untrusted DLL side-loading, enable Microsoft Defender for Endpoint behavioral detections (rule PINEGROVE-TR), and apply CVE-2021-38314 patches if using WordPress. Regular scanning with YARA rules based on Mandiant’s published indicators is recommended.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.