SoloSecurities: Cybersecurity Consulting & Training

Kimsuky Exploits BlueKeep: North Korean Threat Actor Targets RDP to Breach Systems

Introduction

In the ever-changing threat landscape, one thing remains constant: state-sponsored threat groups are persistent, patient, and lethal. Among these, Kimsuky, a North Korean advanced persistent threat (APT) group, has been linked to numerous cyber espionage campaigns targeting global institutions. Their latest campaign, dubbed Larva-24005, sees them weaponizing BlueKeep (CVE-2019-0708)—a critical, wormable Remote Desktop Protocol (RDP) vulnerability—to compromise high-value systems across South Korea and Japan.

Despite being patched in May 2019, BlueKeep remains a viable attack vector due to unpatched systems and outdated infrastructure. This blog post explores the techniques used by Kimsuky, their use of BlueKeep, additional vectors such as phishing and Equation Editor exploits, and the broader implications for global cybersecurity.


🕵️‍♂️ Who is Kimsuky?

Kimsuky (a.k.a. APT43, Velvet Chollima, Black Banshee) is a North Korean state-sponsored cyber espionage group, active since at least 2012. The group is primarily known for:

  • Targeting think tanks, diplomatic organizations, defense contractors, and energy sector companies.
  • Stealing sensitive information related to geopolitics, technology, and national security.

They are characterized by:

  • Sophisticated phishing techniques
  • Use of open-source tools
  • Preference for stealth over speed

🔥 What is BlueKeep (CVE-2019-0708)?

🧩 Vulnerability Details

  • CVE ID: CVE-2019-0708
  • CVSS Score: 9.8 (Critical)
  • Type: Remote Code Execution (RCE)
  • Component: Remote Desktop Services (formerly Terminal Services)
  • Affected Systems: Windows XP, Windows 7, Windows Server 2003, 2008, and 2008 R2

⚠️ Why Is It Dangerous?

BlueKeep is wormable, meaning it can spread automatically without user interaction, similar to WannaCry or NotPetya. If exploited, it allows unauthenticated attackers to:

  • Execute arbitrary code remotely
  • Install malware
  • Steal data
  • Create new user accounts with admin privileges

🐛 Larva-24005 Campaign: The New Exploitation Wave

🗂️ Campaign Name: Larva-24005

🕓 Timeframe: Since October 2023

🏳️ Targeted Countries:

  • Primary: South Korea, Japan
  • Others: U.S., China, Germany, Singapore, South Africa, Netherlands, Mexico, Vietnam, Belgium, UK, Canada, Thailand, Poland

🏭 Sectors Affected:

  • Software Development
  • Energy Infrastructure
  • Financial Institutions

🚪 Initial Access Vectors

1. BlueKeep Exploitation (CVE-2019-0708)

ASEC found that on some compromised systems, initial access was gained by exploiting BlueKeep. An RDP vulnerability scanner was discovered on breached systems, but there is no confirmed evidence of its direct use, which suggests either:

  • Successful automated scans and exploit attempts
  • Manual exploitation using pre-scanned lists

2. Phishing with Equation Editor Exploit (CVE-2017-11882)

In parallel, Kimsuky leveraged weaponized documents attached to phishing emails, exploiting a long-standing Microsoft Equation Editor vulnerability (CVE-2017-11882).

This vulnerability allows attackers to execute arbitrary code when a victim opens a malicious Office document—no macros required.

Both exploits target unpatched systems, emphasizing the importance of timely security updates.


🧰 Post-Exploitation Toolset

Once access is gained, the group deploys a multi-stage attack:

💾 1. Dropper

  • Deploys the initial payloads, such as the MySpy malware and the RDPWrap utility.

🐞 2. MySpy Malware

  • Gathers detailed system and network information
  • Acts as a reconnaissance tool
  • Enables persistence

🔧 3. RDPWrap Tool

  • Modifies system settings to enable RDP access
  • Circumvents restrictions on multiple RDP sessions

⌨️ 4. Keyloggers

  • KimaLogger and RandomQuery
  • Capture user keystrokes, passwords, and sensitive data
  • Likely used for credential harvesting and privilege escalation

💥 Impact and Intent

🎯 Purpose of the Campaign

  • Espionage: Collect sensitive information related to national security, foreign policy, and infrastructure.
  • Lateral Movement: Once inside a network, Kimsuky seeks to pivot across systems, harvest credentials, and exfiltrate data.

⚠️ High-Risk Outcomes

  • Compromised government communications
  • Disrupted critical infrastructure
  • Exposure of financial data
  • Long-term surveillance and control

📈 Attack Lifecycle Summary

[Initial Access]
    ⬇
Exploit RDP BlueKeep (CVE-2019-0708)
    OR
Phishing with Equation Editor Exploit (CVE-2017-11882)
    ⬇
[Execution]
    Deploy Dropper → Install MySpy + RDPWrap
    ⬇
[Persistence]
    Modify System Settings for RDP Access
    ⬇
[Credential Harvesting]
    Keyloggers (KimaLogger, RandomQuery)
    ⬇
[Privilege Escalation & Lateral Movement]
    ⬇
[Data Exfiltration or System Control]

🛡️ How to Protect Your Organization

1. Patch Vulnerabilities

  • Immediately apply updates for:
    • BlueKeep (CVE-2019-0708)
    • Equation Editor (CVE-2017-11882)
  • Disable RDP if not needed.

🚫 2. Disable RDP on Public-Facing Systems

  • If you need RDP, restrict access using:
    • VPN
    • Jump servers
    • Firewalls

🔍 3. Monitor for RDPWrap

  • RDPWrap is a known tool for bypassing RDP restrictions. Any detection of it on endpoints should trigger alerts.

✉️ 4. Improve Email Security

  • Block or quarantine documents from untrusted sources.
  • Deploy sandboxing and attachment scanning.

🔐 5. Implement Multi-Factor Authentication (MFA)

  • Protects against credential reuse even if keyloggers are active.

🧠 6. User Awareness Training

  • Train employees to recognize phishing emails.
  • Use red team simulations to test phishing resistance.

🔍 Threat Hunting & Detection

Indicators of Compromise (IOCs)

  • Presence of MySpy, KimaLogger, RandomQuery
  • Registry edits to enable RDP
  • Unexpected RDPWrap binaries
  • Outbound RDP traffic to known North Korean IPs
  • Office application launches that spawn cmd.exe or powershell.exe
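The IOC list above, together with the RDPWrap behaviour described in the post-exploitation toolset, can be turned into simple host-based detection logic. The following is an added example, not code from the original post or from ASEC: it runs three checks over constructed Sysmon-style events (process creation, registry value set, file create) and flags Office or Equation Editor processes that spawn cmd.exe/powershell.exe, a registry write that sets fDenyTSConnections to 0 (which enables inbound RDP), and RDPWrap artifacts on disk or in execution. The sample events are made up for the example; the RDPWrap file names (rdpwrap.dll, RDPWInst.exe, RDPConf.exe, RDPCheck.exe) are the tool's publicly known artifacts and are an assumption, since the post names only "RDPWrap".

```python
"""Toy IOC detection pass over constructed Sysmon-style events.

Event field names follow Sysmon's schema (EventID, Image, ParentImage,
TargetObject, Details, TargetFilename). The events in SAMPLE_EVENTS are
constructed for this example and are not telemetry from the campaign.
"""
from __future__ import annotations

# Office hosts plus EQNEDT32.EXE, the Equation Editor process abused by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Assumption: well-known RDPWrap file names (the post only says "RDPWrap").
RDPWRAP_ARTIFACTS = {"rdpwrap.dll", "rdpwinst.exe", "rdpconf.exe", "rdpcheck.exe"}
# Terminal Server value that gates inbound RDP: 1 = deny (default), 0 = allow.
RDP_DENY_VALUE = r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the IOC labels one event matches (empty list if nothing matches)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            hits.append("office_spawns_shell")
        if image in RDPWRAP_ARTIFACTS:
            hits.append("rdpwrap_process")
    elif eid == 13:  # Sysmon registry value set
        details = ev.get("Details", "").strip().lower()
        # Sysmon renders DWORD values as "DWORD (0x00000000)"; accept a bare "0" too.
        if ev["TargetObject"].lower() == RDP_DENY_VALUE and details in {"dword (0x00000000)", "0"}:
            hits.append("rdp_enabled_via_registry")
    elif eid == 11:  # Sysmon file create
        if basename(ev["TargetFilename"]) in RDPWRAP_ARTIFACTS:
            hits.append("rdpwrap_file_dropped")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over a batch; returns (event index, IOC label) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry: four true positives and two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # 0: Word spawning cmd
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # 1: benign shell launch
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},                               # 2: RDP enabled
    {"EventID": 11, "TargetFilename": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},  # 3: RDPWrap dropped
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\user\Downloads\RDPWInst.exe"},               # 4: RDPWrap installer run
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},                               # 5: RDP disabled, not suspicious
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"event {index}: {label}")
```

The checks are deliberately narrow so they can be mapped one-to-one onto Sigma rules fed by Sysmon; in production they would be tuned with an allow-list for administrators who legitimately enable RDP through policy, and the registry check should also cover Group Policy-managed equivalents of the same setting.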

Suggested Tools

  • Sysmon + Sigma Rules
  • ELK or Splunk
  • EDR/XDR platforms
  • Firewall logs for RDP port scanning

🤖 Kimsuky: Persistent and Evolving

Kimsuky demonstrates how even years-old vulnerabilities like BlueKeep continue to pose a threat when systems are left unpatched and exposed. Their ability to combine:

  • Old CVEs
  • Social engineering
  • Custom malware
  • Advanced reconnaissance

…makes them a formidable adversary for any nation or enterprise.

🎯 Security is not just about patching the latest zero-days—but also securing legacy weaknesses that persist in the shadows.


🔚 Conclusion

The Larva-24005 campaign is a chilling reminder that no vulnerability is ever truly gone if it remains unpatched somewhere. BlueKeep was a ticking time bomb in 2019—and for unpatched systems in 2025, it still is.

North Korean APTs like Kimsuky are weaponizing known vulnerabilities in combination with phishing and keyloggers to achieve deep network penetration. The attacks on South Korea and Japan highlight the urgent need for defense-in-depth, visibility into endpoint behaviors, and vulnerability management at scale.


💡 Actionable Takeaways

  • Patch your Windows systems now—don’t leave BlueKeep unpatched.
  • Monitor your environment for legacy tools like RDPWrap.
  • Educate your employees to resist phishing attempts.
  • Use threat intelligence to stay one step ahead.

📬 Stay Informed

Subscribe to our Cyber Threat Intelligence Newsletter for real-time alerts, incident reports, and global threat actor tracking.


🔖 SEO Tags:

CVE-2019-0708, BlueKeep exploit, Kimsuky APT, RDP vulnerability, North Korean cyber attacks, MySpy malware, KimaLogger, RandomQuery keylogger, Equation Editor exploit, CVE-2017-11882, APT43, state-sponsored threat group, South Korea cyber attacks, Japan cyber espionage
