ZeroDay Field Notes - When the same names keep showing up

Kimsuky's credential playbook, Docker API miners, SystemBC's ransomware empire, RomCom zero-day chains, and why your extensions are someone else's red team.

This week felt like a North Korean greatest-hits album. Kimsuky (APT43) keeps tightening its credential-theft playbook with Russian sender infrastructure, LNK icon smuggling, multi-stage scripting, and Dropbox for C2. The group's execution chains have evolved, but the core TTPs (phishing, valid account abuse, cloud service living-off-the-land) are stubbornly familiar. Two new reports (HivePro, malwareanalysisspace) add fresh IOCs and detection notes, but the tradecraft itself hasn't fundamentally changed since last year's coverage.

That pattern of incremental refinement rather than reinvention shows up across several campaigns this week. Whether it's APT36 swapping HTA for MSI packages or commodity loaders tweaking their obfuscation, the underlying ideas are evolutionary, not revolutionary. Treat these as signal-strength updates, not some grand new phase of wizardry.

Kimsuky's Persistent Credential Playbook

North Korea-linked Kimsuky continues credential-theft operations against Korean organizations and global targets using Russian-sourced phishing infrastructure. The group delivers LNK files that spawn multi-stage chains (PowerShell -> VBS -> PS1 -> BAT -> Python backdoor), abuses Dropbox for C2 and exfiltration, and leans on hidden directories plus Task Scheduler for persistence.

Recent reporting also highlights a move toward Python-based backdoors and refined LNK icon smuggling to get past email filters. The TTPs mostly overlap with earlier waves, but the updated IOC sets (domains, IPs, hashes, and task names) are still worth hunting. Blue teams should watch LNK-to-PowerShell parent-child relationships, scheduled task creation, and Dropbox token abuse.

Hunting note: Look for winword.exe or explorer.exe spawning cmd.exe -> powershell.exe with -windowstyle hidden. Scheduled tasks named with Korean-language strings or random GUIDs writing to %AppData% are a strong signal. For Dropbox abuse, hunt for API calls to content.dropboxapi.com from non-browser processes, especially PowerShell or Python interpreters. MITRE mappings: T1566.001 (Spearphishing Attachment), T1053.005 (Scheduled Task), T1567.002 (Exfiltration to Cloud Storage), T1027.012 (LNK Icon Smuggling).

Docker Exposed APIs Still Feeding the Crypto Miners

Misconfigured Docker Remote APIs keep getting harvested at scale. Attackers tunnel traffic through Tor, deploy zstd-compressed XMRig miners, install SSH backdoors, and attempt container escape by mounting the host root filesystem. The campaign still hits technology, financial services, and healthcare cloud environments.

The technique is old news, but the persistence of exposed APIs and Tor-backed C2 says defenders are still tripping over basic container hardening. Restrict the Docker API to trusted networks and run containers as non-root. That part remains boring because it works.

Recon tip for engagements: Shodan dork: port:2375 product:"Docker" or port:2376 "Docker" will show you how many clients are still leaving the front door open. Censys equivalent: services.port=2375 AND services.banner:"Docker". If you find one on an engagement, docker -H tcp://<target>:2375 run -v /:/hostroot -it alpine chroot /hostroot is the whole play. Report it, don't mine on it.
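For the hardening side of this, here is an added check of mine (not code from the campaign reports or the Docker project) that reads a daemon.json and a docker inspect record and flags exactly what this campaign feeds on: an unauthenticated TCP listener, an all-interfaces bind, no userns-remap, and the run-as-root plus host-root bind mount used for the escape. The sample configs, addresses and paths are constructed.

```python
import json

# Constructed samples, not taken from any real host. WEAK_DAEMON is the daemon.json
# this campaign feeds on: the Remote API on every interface with no client auth.
# HARDENED_DAEMON binds a management address, requires mutual TLS, and remaps
# container root away from host root.
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default"})
# Trimmed `docker inspect` shape for a container started as root with the host root bind-mounted.
ESCAPE_CONTAINER = json.dumps({
    "Config": {"User": "", "Image": "alpine"},
    "HostConfig": {"Privileged": False},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}]})

def audit_daemon(config_text):
    """Findings for a Remote API listener reachable without client certificates."""
    cfg, findings = json.loads(config_text), []
    tls = cfg.get("tlsverify") is True and all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the unix socket is local-only
        addr = host[len("tcp://"):]
        if not tls:
            findings.append(f"{addr}: TCP listener without tlsverify and certificates")
        if addr.rsplit(":", 1)[0] in ("0.0.0.0", "", "[::]"):
            findings.append(f"{addr}: bound to all interfaces, bind a management address instead")
    if "userns-remap" not in cfg:
        findings.append("no userns-remap: uid 0 in a container is uid 0 on the host")
    return findings

def audit_container(inspect_text):
    """Findings for the run-as-root plus host-root bind mount pattern used for escape."""
    c, findings = json.loads(inspect_text), []
    if c["HostConfig"].get("Privileged"):
        findings.append("privileged container")
    if not c["Config"].get("User"):
        findings.append("runs as root inside the container")
    for m in c.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") in ("/", "/var/run/docker.sock"):
            findings.append(f"host {m['Source']} bind-mounted at {m['Destination']}")
    return findings
```

Point audit_daemon at /etc/docker/daemon.json and audit_container at each `docker inspect` record on a host you manage; an empty list from both is the boring, correct answer.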

SystemBC (Coroxy), still the Swiss Army knife for ransomware affiliates

SystemBC, active since at least 2018, continues to serve as a proxy and backdoor for more than a dozen ransomware groups. The malware establishes SOCKS5 tunnels, maintains persistent access, and delivers secondary payloads. It has outlived multiple takedown attempts and still sits on a botnet north of 10,000 devices.

Its appeal is almost insulting in its simplicity: PowerShell with hidden windows, registry Run keys containing "socks5", taskeng.exe spawning from ProgramData paths, and cmd.exe self-deletion via ping. Hunt the behavior, not the vanity signature.

Why this is hard to catch: SystemBC's SOCKS5 proxy blends C2 traffic into normal egress, so signature-based detection is unreliable. The groups running it include BlackBasta, Conti/WizardSpider, Hive, PLAY, CUBA, DarkSide, Egregor, and Rhysida, among others. If you're emulating any of these crews, SystemBC belongs in your staging toolkit. For defenders: hunt taskeng.exe parent processes from C:\ProgramData\*, registry Run keys with "socks" in the value, and cmd.exe /c ping 127.0.0.1 -n 5 & del self-deletion patterns.
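To turn the two hunting notes (Kimsuky's explorer/winword -> cmd -> hidden PowerShell chain and Dropbox egress from script hosts above, and SystemBC's taskeng.exe parent, "socks" Run key and ping-and-del self-deletion here) into something you can run, here is an added example of mine, not code from any of the cited reports. It replays those rules over a handful of constructed Sysmon-style records; the field names are a simplified assumption, not Sysmon's exact schema, and the paths and values are made up.

```python
import re

# Constructed Sysmon-style records, not real telemetry: id 1 = process create,
# id 3 = network connect, id 13 = registry value set. Field names are simplified.
EVENTS = [
    {"id": 1, "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 20, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c x.bat"},
    {"id": 1, "pid": 30, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -WindowStyle Hidden -f x.ps1"},
    {"id": 3, "pid": 30, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest": "content.dropboxapi.com"},
    {"id": 3, "pid": 40, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest": "content.dropboxapi.com"},
    {"id": 13, "pid": 30, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "value": r"C:\ProgramData\svc\socks5.exe -p 4433"},
    {"id": 1, "pid": 50, "ppid": 1, "image": r"C:\ProgramData\svc\svc.exe", "cmd": "svc.exe"},
    {"id": 1, "pid": 60, "ppid": 50, "image": r"C:\Windows\System32\taskeng.exe", "cmd": "taskeng.exe"},
    {"id": 1, "pid": 70, "ppid": 60, "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c ping 127.0.0.1 -n 5 & del C:\ProgramData\svc\svc.exe"},
]
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
PING_DEL = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*del\b", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(idx, pid):
    """Follow ppid links upward. Sysmon records only the direct parent, so the
    explorer/winword -> cmd -> powershell lineage has to be rebuilt from the index."""
    chain, seen = [], set()
    while pid in idx and pid not in seen:
        seen.add(pid)
        chain.append(idx[pid]["image"].lower())
        pid = idx[pid]["ppid"]
    return chain  # nearest parent first

def hunt(events):
    idx = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 1:
            img, cmd, chain = base(e["image"]), e["cmd"].lower(), ancestors(idx, e["ppid"])
            names = {base(p) for p in chain}
            if img == "powershell.exe" and "-windowstyle hidden" in cmd and "cmd.exe" in names and names & {"winword.exe", "explorer.exe"}:
                hits.append(("kimsuky_hidden_powershell_chain", e["pid"]))
            if img == "taskeng.exe" and chain and chain[0].startswith("c:\\programdata\\"):
                hits.append(("systembc_taskeng_from_programdata", e["pid"]))
            if img == "cmd.exe" and PING_DEL.search(cmd):
                hits.append(("systembc_ping_self_delete", e["pid"]))
        elif e["id"] == 3 and e["dest"].lower().endswith("dropboxapi.com") and base(e["image"]) not in BROWSERS:
            hits.append(("kimsuky_dropbox_from_nonbrowser", e["pid"]))
        elif e["id"] == 13 and "\\currentversion\\run\\" in e["key"].lower() and "socks" in e["value"].lower():
            hits.append(("systembc_socks_run_key", e["pid"]))
    return hits
```

The firefox.exe call to the Dropbox API is deliberately in the sample to show the non-browser filter doing its job; on real telemetry, feed hunt() the same fields from Sysmon event IDs 1, 3 and 13.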

Other Notable Activity

  • WarZone RAT via DBatLoader: Classic phishing chain using HTML attachments with base64 payloads. The infrastructure (halal.home-webserver.de:3109) may be historical, but the loader patterns still matter.
  • Linux rootkit via Ivanti: Sophisticated LKM hooking Netfilter for TCP interception and procfs-based C2. Persistence via rc.local. Relevant for anyone still running unpatched Ivanti appliances.
  • JetBrains TeamCity CVE-2024-27198: Still being exploited by Kimsuky and ransomware operators. Roughly 500 exposed instances were reported. Patch it or isolate it now.
  • Pikabot via JAR attachments: TA577 continues delivering the loader through email. JAR-based execution still slips past a depressing number of gateways.
  • DarkGate MaaS loader: Seven-stage chain with signed MSI, DLL sideloading, XOR, AutoIt, and in-memory shellcode. SANS ISC guest diary has solid reversing notes and detection angles.
  • BTMOB RAT v2.5-v3.2: Zimperium's recent coverage shows the latest Android campaign dropping BTMOB RAT with overlay abuse and accessibility tricks aimed at screen-lock credentials and financial apps.
  • Hydrosystem ICS software vulnerabilities: CERT Polska reported three flaws, CVE-2026-4901, CVE-2026-34184, and CVE-2026-34185, affecting Hydrosystem Control System software. Patch immediately.
  • DotStealer: .NET infostealer using Telegram C2 with Rot13-encrypted tokens. Older sample, same stale tricks.
  • Malicious Cursor AI extensions: A fake "Solidity Language" extension on Open VSX stole $500k in crypto from a developer via ScreenConnect and Quasar RAT. Separately, the broader GlassWorm campaign has been hitting VS Code, Cursor, Windsurf, and OpenVSX by abusing trusted extension ecosystems.
  • LummaC2 latest variant: Advanced anti-analysis, Heaven's Gate, ETW patching, sandbox evasion, 80+ browser targets, and the usual IOC dump.
  • SideCopy (APT36): Shifted from HTA to MSI staging, expanded targeting of Indian government sectors, and kept the multi-platform focus.
  • Brute Ratel C4 loading Latrodectus: In-memory loading via MSI/rundll32. Loader tradecraft keeps getting slicker, because apparently subtlety is for amateurs.

RomCom zero-days: Current reporting shows the Russia-aligned group chaining the Firefox use-after-free CVE-2024-9680 with the Windows Task Scheduler elevation flaw CVE-2024-49039. Comprehensive IOCs are in ESET's writeup.

C2 intel for emulation: The chain is clean: victim visits a lure domain -> Firefox RCE via use-after-free in the animation timeline component (CVE-2024-9680) -> shellcode drops an embedded library -> Windows Task Scheduler escalation (CVE-2024-49039) breaks the sandbox -> RomCom backdoor lands with full user-context access. The Firefox bug was zero-click from a crafted page. If you're building browser-based initial access scenarios, this is a reference implementation. For blue teams: Mozilla patched within 24 hours of ESET's report; if your Firefox fleet isn't on 131.0.2+, you're exposed.

Closing Thoughts

Most of what hit this week is iteration, not invention. Kimsuky and the Iranian crews keep refining the same playbooks; criminal operators keep leaning on MaaS kits and supply-chain vectors that already work. The basics (exposed APIs, unpatched edge gear, extension marketplaces with no real vetting) are still the easiest front door.

The thing worth watching: more attackers are weaponizing developer tooling and cloud services as staging infrastructure. AI-assisted dev environments are the next trust boundary everyone's going to learn the hard way. If you're running extensions you didn't audit, you're volunteering for someone else's red team.

Stay frosty out there.

~ UncleSp1d3r