TLP:WHITE42 IOCs

Kimsuky targets organizations with PebbleDash-based tools

Securelist

Published May 14, 2026Original Report

Threat Actors

Diamond Model

Adversary(3)

Infrastructure(6)

Capability

Victim

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise

Indicators of Compromise42

Type	Indicator	Confidence	Score	First Seen
Domain	erp.spaceme.p-e.kr exploitintel-blognetwork	High	68	Jun 2, 26
MD5	5c373c2116ab4a615e622f577e22e9be exploitfile-hashintel-blog	High	61	Jun 2, 26
URL	https://www.pyrotech.co.kr/common/include/tech/default.php exploitintel-blognetwork	High	68	Jun 2, 26
MD5	995a0a49ae4b244928b3f67e2bfd7a6e exploitfile-hashintel-blog	High	61	Jun 2, 26
Domain	load.supershop.o-r.kr exploitintel-blognetwork	High	68	Jun 2, 26
Domain	load.auraria.org exploitintel-blognetwork	High	68	Jun 2, 26
URL	https://www.yespp.co.kr/common/include/code/out.php intel-blognetworkurl	High	68	Jun 2, 26
MD5	678fb1a87af525c33ba2492552d5c0e2 exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	58ac2f65e335922be3f60e57099dc8a3 exploitfile-hashintel-blog	High	61	Jun 2, 26
SHA1	bf9252a2fb45be6893dd8870c0bf37e2e1766d61 exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	d1ec20144c83bba921243e72c517da5e exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	8983ffa6da23e0b99ccc58c17b9788c7 file-hashintel-blogloader	High	61	Jun 2, 26
MD5	08160acf08fccecde7b34090db18b321 exploitfile-hashintel-blog	High	61	Jun 2, 26
Domain	node896147.dwservice.net indicatorintel-blognetwork	High	68	Jun 2, 26
URL	http://newjo-imd.com/common/include/library/default.php exploitintel-blognetwork	High	68	Jun 2, 26
MD5	f73ba062116ea9f37d072aa41c7f5108 exploitfile-hashintel-blog	High	61	Jun 2, 26
Domain	opedromos1.r-e.kr exploitintel-blognetwork	High	68	Jun 2, 26
Domain	load.yju.o-r.kr exploitintel-blognetwork	High	68	Jun 2, 26
Domain	load.ssangyongcne.o-r.kr exploitintel-blognetwork	High	68	Jun 2, 26
Domain	attach.docucloud.o-r.kr exploitintel-blognetwork	High	68	Jun 2, 26
MD5	9fe43e08c8f446554340f972dac8a68c exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	7e0825019d0de0c1c4a1673f94043ddb exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	52f1ff082e981cbdfd1f045c6021c63f file-hashintel-blogloader	High	61	Jun 2, 26
MD5	8e15c4d4f71bdd9dbc48cd2cabc87806 file-hashintel-blogloader	High	61	Jun 2, 26
Domain	node484265.dwservice.net indicatorintel-blognetwork	High	68	Jun 2, 26
URL	https://vscode.dev/tunnel aptespionageintel-blog	High	68	Jun 2, 26
Domain	cms.spaceyou.o-r.kr exploitintel-blognetwork	High	68	Jun 2, 26
MD5	f4465403f9693939fe9c439f0ab33610 exploitfile-hashintel-blog	High	61	Jun 2, 26
MD5	c42ae004badddd3017adadbdd1421e00 exploitfile-hashintel-blog	High	61	Jun 2, 26
Domain	node828765.dwservice.net indicatorintel-blognetwork	High	68	Jun 2, 26
MD5	c19aeaedbbfc4e029f7e9bdface495b9 exploitfile-hashintel-blog	High	61	Jun 2, 26
URL	http://female-disorder-beta-metropolitan.trycloudflare.com/index.php c2intel-blogmalware	High	68	Jun 2, 26
URL	https://file.bigcloud.n-e.kr/index.php c2intel-blogloader	High	68	Jun 2, 26
SHA1	1e3c50d64110be466c0b4a45222e81d2c9352888 file-hashindicatorintel-blog	High	61	Jun 2, 26
Domain	morames.r-e.kr exploitintel-blognetwork	High	68	Jun 2, 26
MD5	94faed9af49c98a89c8acc55e97276c9 exploitfile-hashintel-blog	High	61	Jun 2, 26
URL	https://vscode.dev/tunnel/” intel-blogmalwarenetwork	High	68	Jun 2, 26
Domain	load.erasecloud.n-e.kr exploitintel-blognetwork	High	68	Jun 2, 26
MD5	a7f0a18ac87e982d6f32f7a715e12532 exploitfile-hashintel-blog	High	61	Jun 2, 26
URL	https://www.dwservice.net/ intel-blognetworkurl	High	68	Jun 2, 26
MD5	65fc9f06de5603e2c1af9b4f288bb22c file-hashintel-blogloader	High	61	Jun 2, 26
MD5	9ca5f93a732f404bbb2cee848f5bbda0 exploitfile-hashintel-blog	High	61	Jun 2, 26

IOC Relationship Graph

IOC Relationship Graph42 total IOCs

DomainMD5URLSHA1

scroll to zoom · drag to pan · click IOC to open