Welcome to the VB2021 conference!

Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?

Jaeki Kim (S2W), Sojun Ryu (S2W) & Kyoung-ju Kwak (S2W)
partner message

We don’t just talk about sharing. We do it every day.


Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Calling all Hackers!


We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

VirusTotal: Actionable crowdsourced threat intelligence


Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions


DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Amazon Information Security - come build the future with us!


Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

IoT security begins with your Smart TV


CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity


QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Ransomware prevention starts with zero


Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Threat Intelligence and Cyber Resilience


Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

Stay ahead of threats with VirusTotal


Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?


At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

F5 helps find malware hiding in plain sight


Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Looking for performance validation for your product?


Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

In the process of tracking the attacks of the Kimsuky group, which are still attacking after the KHNP cyber terror attack, we discovered a malicious code called "AppleSeed" in the wild and released details of it at VB2019. (https://www.virusbulletin.com/conference/vb2019/abstracts/kimsuky-group-tracking-king-spear-phishing))

Since then, AppleSeed malware and the simple pivoting of servers have relentlessly pushed other victims, with those cases reported in technical articles written by security companies and via SNS messages by security practitioners. However, although AppleSeed is still actively working in the real world, the full-chain attack leveraging AppleSeed has not been clearly disclosed so far.

Thus, to shed some light on this sophisticated attack scenario, we conducted an in-depth analysis of the full-chain attack of AppleSeed; from the initial penetration to the final damage targeting scientific/engineering researchers among various attack cases, and named it “Operation Newton”.

In our analysis, we identified the initial penetration method, tools used in the attack including AppleSeed, and infrastructure such as C&C servers. In addition, we discovered and analysed artifacts related to attacks targeting multiple platforms (Linux environments other than Windows).

Also, using first-hand artifacts and IoCs obtained in the process of analysing and investigating actual accidents related to AppleSeed, rather than data obtained from the OSINT channel, a correlation analysis with other attacks (incidents) of the Kimsuky group was conducted.

In the course of tracking AppleSeed, an attacker's mistake (OPSEC fail) was discovered in addition to the previously disclosed content.

And in this process, we expected to share information about the "mobile version of AppleSeed" and server-side scripts (which have not been disclosed) to understand and analyse the communication method and server configuration method.

In this presentation, we intend to provide threat intelligence related to the Kimsuky group by sharing previously unknown details.

Got a question about this presentation? To get in touch with the speakers, contact Jaeki Kim by email on [email protected] or on Twitter at @2runjack2.
Jaeki Kim

Jaeki Kim is a principal researcher at TALON, S2W. He graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree from Korea University's Security Analysis and Evaluation Lab. Before joining the S2W, he worked as part of the Computer Emergency Analysis Team of the Financial Security Institute and was the main author of "Campaign DOKKAEBI: Documents of Korean and Evil Binary", published by FSI in 2018. In 2020, He joined S2W and is currently working in TALON (the Cyber Threat Intelligence Group), and now also works as a mentor for KITRI's BoB program. He has previously presented at Virus Bulletin (2018,2019) and ISCR (International Symposium on Cybercrime Response).

Sojun Ryu

Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analysing malware and responding to incidents, and is one of the authors of "Operation Bookcodes" published by KrCERT/CC in 2020. Recently, Sojun has been focusing on threat intelligence by expanding to DDW and cybercrime as well as APT at TALON, S2W.

Kyoung-ju Kwak

Kyoung-ju Kwak is a director at TALON, CTI Group of S2W. Kyoung-ju currently works on threat intelligence. Kyoung-ju was previously Adjunct Professor at Sungkyunkwan University and audited the National SCADA system and the Ministry of Land with “the Board of Audit and Inspection of Korea” as an Auditor General in 2016. He currently acts as a member of the National Police Agency Cybercrime Advisory Committee. Kyoung-ju is the main author of the threat intelligence report “Campaign Rifle: Andariel, the Maiden of Anguish”, published in 2017. He has spoken at various international conferences such as BlackHat Europe, BlackHat Asia, Kaspersky SAS, HITCON, PACSEC, and more.