IOC Radar
SHA256HighVerifiedSignal 94/100

f1b33341b0dc25c84b92e6b3bc62125a216d62e746d06560a28f68deead406b9

Location
Korea, Democratic People's Republic ofKorea, Democratic People's Republic of
First Seen
Mar 12, 2025
Last Seen
Apr 9, 2026
Mar 12
First Seen
478d ago
Apr 9
Last Seen
85d ago
6
Reports
source reports
94%
Confidence
high
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
94%
Signal Score
94 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

56 techniques

Feed Intelligence Summary

6 reports94% confidence
6
Source reports
94%
Confidence score
Category tags
access trojanactive scananalysis androidandroid remoteapkapkpureaptapt27apt37apt43attackbattery drainbotnetbotnet activitybrute forcecall recordingchecks-gpschinacivil servicescode executioncommand and controlcommand executioncommunication technologiescompromised devicecredential accesscredential stuffingcredential theftcryptocurrencycryptocurrency threatscryptojackingdata exfiltrationdata store exposuredata theftdevice information gatheringdistributed attacksenglishenglish languageexecutable fileexploitation activityfile-hashfinancegoogle playgoogle play storegovernment technologyidentity & access exploitationindiaindicatorinformation technologyingress tool transferinjectioninjection activityit infrastructurejapankakaokakao securitykimsukykonnikoreakorea, democratic people's republic ofkoreankorean languagekorean threat actorkospykuwaitlazarusmalicious activitymalicious softwaremalwaremobilemobile carriersmobile device compromisemobile espionage campaignmobile malwaremobile networksmobile securitymobile spyware infectionmobile threatnepalnetwork traffic manipulationnorth koreaoperating systemprocess injectionpublic administrationpublic infrastructurepublic policyransomwareregulatory agenciesremote accessrepublic ofresearchedresource hijackingromaniaruntime-modulesrussian federationscarcruftsms interceptionsoftware developmentsoftware exploitationsoftware updatesoftware update exploitationstoret1003t1003 ost1005t1018t1021.001t1027t1027.002t1036t1041t1055t1055 processt1059t1059.004t1064t1068t1069.001t1071t1071.001t1078t1078 validt1078.004t1082t1105t1113t1114t1114.001t1123t1125t1133t1176t1189t1203t1204t1204.002t1486t1496t1499.002t1499.003t1514t1518t1518.001t1547t1547 boott1555t1560t1560.001t1562t1565t1566t1566.001t1588t1588.002t1592t1592.001t1592.002t1592.003t1592.004t1595t1595.001t1602telecom servicestelecommunicationsthreat actorthreat typetor nodetrojan malwareutilityutility app attackutility appsvalid accountsviet namwifi

Activity Timeline

1 total obs
Apr 9Apr 9

Threat Activity Heatmap

· Peak: 2026-04-09
Less
More
Mon
Wed
Fri
Jun
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
94
SIGNAL
Signal Score
94%
Confidence
6
Reports
First seenMar 12, 2025
Last seenApr 9, 2026
Verified IOC

VirusTotal

Not checked

WHOIS

description
Zip archive data, at least v0.0 to extract, compression method=deflate
references
https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37, https://bazaar.abuse.ch/export/csv/recent/, https://medium.com/@firiki.intell/north-korean-apt37-deploys-kospy-android-spyware-via-fake-utility-apps-696ed12ad7bd, https://www.virustotal.com/graph/embed/g506f2ed1352c4b26a7211a8a8d485bb7f36c4b53ad2f485997294edb24cf92d0?theme=dark, https://www.virustotal.com/gui/collection/8382490a95412c24071e2b222906a0c16bd0e64fe1f100fdb76824c50e0c4b7e/iocs, https://www.pcrisk.es/

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

high
First detected 1 year ago · Last seen 2 months ago
Appeared in 6 threat reports