Threat Intelligence
EnkiWhiteHat
2025. 6. 19.
Executive Summary
A sophisticated spearphishing attack was detected in which Github was used as attack infrastructure to distribute malware.
The malware accesses the attacker’s private repositories using a hardcoded Github Personal Access Token (PAT).
Log files stored in the private repository revealed an IP address used by the attacker for testing purposes.
Analysis of the XenoRAT C&C indicated links to the North Korean threat group Kimsuky.
1. Overview
During analysis of a malicious PowerShell script posted on X, a Github account that had been leveraged for attacks since March 2025 was discovered.
The malware contained a valid Github Personal Access Token (PAT) hardcoded by the attacker. We confirmed that this token was used to download malware from a private repository and upload information collected from victim systems.
The files present in the repository were identified as malware, decoy files, and information from infected systems, demonstrating that the attacker abused Github as attack infrastructure.
This report details the process of identifying attack infrastructure, analyzes the attack flow, and discusses its connection to the DPRK-nexus threat actor Kimsuky.
2. Attack Identification
This section explains how the attack infrastructure was identified, from defining the analysis target to discovering new links between pieces of information.
2.1. RAT Downloader Abusing Dropbox
The initial malware sample was identified in a post uploaded to X on April 7, 2025.

caption - A post on X mentioning the malware
The malware, implemented as a PowerShell script, downloads a file with an .rtf extension from Dropbox, overwrites the first seven bytes of the file with a GZIP header, and then decompresses it. The decompressed payload is subsequently executed in a fileless manner.

caption - Routine for modifying the header of the downloaded file, decompressing, and executing
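For triage of files fetched this way, the following added example (not code from the original report or from the malware) restores a gzip header over the first seven bytes of a file and reports whether the rest is a valid gzip stream holding a PE. The seven header bytes used here are an assumption, since the report does not list them, and the sample input is constructed and inert.

```python
import gzip
import zlib

# Assumption: the seven restored bytes are the start of a standard gzip header
# (magic 1f 8b, method 08 = deflate, flags 00, three zero mtime bytes).
# The report states that seven bytes are overwritten but does not list them.
GZIP_PREFIX = bytes([0x1F, 0x8B, 0x08, 0x00, 0x00, 0x00, 0x00])


def triage_masked_gzip(blob: bytes, max_out: int = 64 * 1024 * 1024) -> dict:
    """Check whether `blob` becomes a valid gzip stream once its first seven
    bytes are replaced, and describe the decompressed payload if so."""
    report = {
        "already_gzip": blob[:2] == b"\x1f\x8b",
        "masked_gzip": False,
        "payload_kind": None,
        "payload_size": 0,
    }
    if len(blob) < 18:  # 10-byte gzip header plus 8-byte CRC/size trailer
        return report
    candidate = GZIP_PREFIX + blob[len(GZIP_PREFIX):]
    inflater = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
    try:
        payload = inflater.decompress(candidate, max_out)
    except zlib.error:
        return report  # body is not deflate data: an ordinary file
    if not inflater.eof:
        # Truncated stream or output larger than max_out: do not trust it.
        return report
    # eof is only reached after zlib has verified the CRC32 in the trailer.
    report["masked_gzip"] = not report["already_gzip"]
    report["payload_size"] = len(payload)
    report["payload_kind"] = "pe" if payload[:2] == b"MZ" else "other"
    return report


def build_constructed_sample() -> bytes:
    """Constructed input for the demo: inert bytes that merely start with
    'MZ', gzip-compressed, with the first seven bytes replaced by RTF magic."""
    body = b"MZ" + b"constructed inert sample, not an executable. " * 8
    packed = gzip.compress(body, mtime=0)
    return b"{\\rtf1\\" + packed[7:]


if __name__ == "__main__":
    print(triage_masked_gzip(build_constructed_sample()))
    print(triage_masked_gzip(b"{\\rtf1\\ansi An ordinary RTF document.}"))
```

A file whose original gzip header carried optional fields (flags other than 00) will not decompress with this prefix and is reported as not masked.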
The URL used to download the file is as follows:
https://dl.dropboxusercontent[.]com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf$dropboxBaseUrl?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0
The file was uploaded by a user named "minam park" and has been frequently modified since it was first uploaded on March 27. The last modification timestamp is May 26, 2025, at 4:47 PM.

caption - Document information of eula.rtf
The decompressed GZIP file is a .NET executable, obfuscated using a state machine approach. The class structure observed via dnSpy matches that of XenoRAT.

caption - CodjkhioSSdieofmm class identified in the malware

caption - Compression class identified in the XenoRAT source code
The identified mutex name and C&C server address are as follows:
Mutex name: Dansweit_Hk65
C&C server address: 158.247.230[.]196:443
2.2. RAT Downloader Abusing Github
In addition, malware abusing Github was also identified. These samples use a hardcoded Github Personal Access Token (PAT) to download and execute malicious code from private repositories.
The URLs used to request the files are as follows:
https://raw.githubusercontent[.]com/Dasi274/star/main/xxx.rtf
https://raw.githubusercontent[.]com/luckmask/asp/main/xxx.rtf
The Github PAT hardcoded in the malware has repo scope, allowing access to all of the attacker's repositories. This PAT was used to identify and analyze the attack infrastructure.
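As a detection aid for the pattern described in this section, the following added example (not code from the original report) scans script text, such as PowerShell script block log content, for an embedded Github token alongside Github content hosts. The token prefixes are Github's publicly documented formats; the sample script, its token, and the Authorization header it uses are constructed.

```python
import re

# Publicly documented Github token prefixes: classic PATs start with "ghp_",
# fine-grained PATs with "github_pat_". The fine-grained length is kept loose.
PAT_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,})")
GITHUB_HOST_RE = re.compile(
    r"\b(raw\.githubusercontent\.com|api\.github\.com)\b", re.IGNORECASE)
FETCH_RE = re.compile(
    r"\b(Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadData)\b",
    re.IGNORECASE)

# Constructed sample: the token is a placeholder, not a real credential.
CONSTRUCTED_SCRIPT = (
    '$t = "ghp_' + "A" * 36 + '"\n'
    '$h = @{ Authorization = "token $t" }\n'
    '$r = Invoke-WebRequest -Uri "https://raw.githubusercontent.com/'
    'example-user/example-repo/main/file.txt" -Headers $h\n'
)


def redact(token: str) -> str:
    """Keep only enough of the token to identify its type in an alert."""
    return f"{token[:8]}...(len={len(token)})"


def scan_script(text: str) -> dict:
    """Classify script text by embedded Github tokens and Github hosts."""
    tokens = sorted({redact(t) for t in PAT_RE.findall(text)})
    hosts = sorted({h.lower() for h in GITHUB_HOST_RE.findall(text)})
    fetches = sorted({f.lower() for f in FETCH_RE.findall(text)})
    if tokens and hosts:
        verdict = "embedded-pat-with-github-access"
    elif tokens:
        verdict = "embedded-pat"
    elif hosts and fetches:
        verdict = "github-fetch-no-token"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "tokens": tokens, "hosts": hosts,
            "fetches": fetches}


if __name__ == "__main__":
    print(scan_script(CONSTRUCTED_SCRIPT))
```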
3. Attack Infrastructure Analysis
Two Github accounts associated with the attack were identified, and the malware downloads its payload by accessing one of the following accounts.

caption - Attacker Account - Dasi274

caption - Attacker Account - luckmask
Both accounts were created in March 2025 and have no public repositories. As of the time of analysis, the token for the "luckmask" account had been revoked, while the token for the "Dasi274" account remained valid.
The obtained token has repo scope, granting read and write access to all repositories. This means that all private repositories and their components can be collected. Querying all repositories of Dasi274 via the API revealed five private repositories:
hole_311
hole_408
hole_409
hole_414
star
The email address identified from the commit logs is as follows:
janman8907@gmail.com

caption - Email Registered to Github Account
Each repository has a slightly different structure, and based on the decoy files and victim information, it was determined that each repository was linked to a spearphishing attack targeting specific individuals. The file structure of each repository is summarized in the table below.
caption - Structure of each repository
Similar types of repositories are categorized and summarized in the attack infrastructure analysis section. The detailed attack flow and in-depth malware analysis are covered in the attack analysis section.
3.1. hole_311
3.1.1. Decoy File
This repository was created on March 11 and contains two decoy files, tmp.docx and tmp.pdf, which are actually identical docx files. The decoy impersonates a South Korean law firm and takes the form of a debt repayment notice. While it does not specify personal information of the victim, it describes detailed debt records and includes a designated bank account to prompt payment.

caption - Decoy file impersonating a South Korean law firm’s debt repayment notice
3.1.2. /log Folder
The logs could be classified into two types based on their naming convention. Both victim infection logs and attacker test logs were present. The log file types are as follows:
Log files uploaded by a script executed once at initial infection:
[ip]-[currentTime]-0956_info.txt
Log files uploaded every 30 minutes by a script registered in the Task Scheduler:
[ip]-[currentTime]-XXX-kkk.txt
Type 1 log files contain information collected by the malware upon execution, including:
Last boot time
Windows OS name, version, build number, and architecture
Computer information
OS installation date
List of currently running processes
Type 2 log files contain only the last boot time. Examination of these files in the repository shows that victim logs are generated at precise 30-minute intervals.

caption - List of log files present in the repository
However, some type 2 log files were not generated at 30-minute intervals. These appear to be test log files uploaded by the attacker, indicating that the attacker tested file uploads while switching between private and public IP addresses. The IP addresses seen in these files are as follows:
10.7.185[.]68
10.33.77[.]174
80.71.157[.]55
158.247.253[.]215
192.168.35[.]35
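The interval reasoning used above to separate victim logs from test logs can be automated. The following added example (not code from the original report) parses type 1 and type 2 file names and labels each source IP by whether its periodic uploads fall on a 30-minute schedule. It assumes the timestamp is MMdd_HHmm, that "XXX-kkk" appears literally in the name, and a fixed year; the file names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: timestamp is MMdd_HHmm and "XXX-kkk" is literal in the name.
NAME_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<ts>\d{4}_\d{4})-"
    r"(?P<kind>0956_info|XXX-kkk)\.txt$")
PERIOD = timedelta(minutes=30)
TOLERANCE = timedelta(minutes=1)  # names only carry minute resolution

# Constructed file names (documentation and private address ranges).
SAMPLE_NAMES = [
    "203.0.113.7-0312_1000-0956_info.txt",
    "203.0.113.7-0312_1030-XXX-kkk.txt",
    "203.0.113.7-0312_1100-XXX-kkk.txt",
    "203.0.113.7-0312_1130-XXX-kkk.txt",
    "203.0.113.7-0312_1300-XXX-kkk.txt",   # host was off for two cycles
    "192.168.0.10-0312_1412-XXX-kkk.txt",
    "192.168.0.10-0312_1419-XXX-kkk.txt",
    "192.168.0.10-0312_1505-XXX-kkk.txt",
    "198.51.100.9-0313_0900-XXX-kkk.txt",
    "notes.txt",
]


def parse_log_name(name, year=2025):
    """Return (ip, datetime, kind) or None if the name does not match."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    try:
        when = datetime.strptime(f"{year}{m['ts']}", "%Y%m%d_%H%M")
    except ValueError:  # e.g. month 13 or hour 25
        return None
    kind = "initial" if m["kind"] == "0956_info" else "periodic"
    return m["ip"], when, kind


def on_schedule(gap):
    """True if the gap is a whole number of 30-minute periods (missed
    cycles are allowed, shorter gaps are not)."""
    if gap < PERIOD - TOLERANCE:
        return False
    remainder = gap % PERIOD
    return min(remainder, PERIOD - remainder) <= TOLERANCE


def classify_sources(names, min_uploads=3):
    """Label each source IP: 'scheduled', 'irregular' or 'too-few'."""
    uploads = defaultdict(list)
    for name in names:
        parsed = parse_log_name(name)
        if parsed and parsed[2] == "periodic":
            uploads[parsed[0]].append(parsed[1])
    verdicts = {}
    for ip, times in uploads.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) < min_uploads:
            verdicts[ip] = "too-few"
        elif all(on_schedule(g) for g in gaps):
            verdicts[ip] = "scheduled"   # consistent with the scheduled task
        else:
            verdicts[ip] = "irregular"   # consistent with manual test uploads
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_NAMES))
```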
3.1.3. /boot Folder
This folder exists only in the hole_311 repository and contains keylogs from the infected system. The following information can be found in these keylogging logs:
Titles of running processes
Titles of accessed web pages
Keystroke information ([LM], [Ctrl])
Clipboard history
All files follow the naming format [ip]-[currentTime]-XXX-kkk-key.txt, which is the same as the victim infection log files in the log folder, but with "key" appended. At the time of analysis, we were unable to observe the malware uploading these keylogs, so the exact creation process could not be confirmed.
3.1.4. Remote Access Trojan
The eula.rtf file stored in the repository has also been confirmed to be a compressed XenoRAT file. The mutex name and C&C server address are as follows:
Mutex name: Dansweit_Hk65
C&C server address: 216.244.74[.]115:80

caption - The structure of the malware in the hole_311 repository as viewed with dnSpy
3.2. star
3.2.1. Decoy File
This repository was created on March 11 and contains a decoy file which is a power of attorney document impersonating a South Korean law firm. It includes personal information of a specific individual and uses the same template as the decoy file in the hole_311 repository, impersonating the same law firm.

caption - Decoy file impersonating a domestic law firm’s power of attorney document
3.2.2. /log Folder
Only one private IP log file exists, and notably, the list of running processes includes "xeno rat server."
This appears to be an attacker’s test log file, indicating the use of XenoRAT. The private IP address is as follows:
10.33.77[.]174

caption - List of running processes
3.2.3. Remote Access Trojan
The file is named xxx.rtf, and similarly to the previously mentioned eula.rtf, decompressing it reveals XenoRAT. The mutex name and C&C server address are as follows:
Mutex name: Dansweit_Hk65
C&C server address: 165.154.78[.]9:443

caption - The structure of the malware in the star repository as viewed with dnSpy
3.3. hole_408, hole_409, hole_414
3.3.1. Decoy Files
These repositories were created on April 8, April 9, and April 14, respectively. Please refer to the table and images below for information on the decoy files.
caption - Decoy file information for each repository

caption - hole_409 – Traffic Accident Confirmation Document

caption - hole_414 – Financial Supervisory Service account usage restriction and transfer request notice
3.3.2. /log Folder
Only attacker test log files exist, and new IP addresses not observed in hole_311 were identified.
80.71.157[.]55
139.99.36[.]158: Newly identified IP address
158.247.253[.]215
4. Attack Analysis
The spearphishing email obtained during the analysis and the attack in which malicious activity was actually carried out and victim information was uploaded represent separate incidents. The spearphishing email corresponds to the attack case involving the hole_414 repository, while the malware distribution process is associated with the hole_311 repository.
To provide a comprehensive view of the overall attack flow, these separate cases have been consolidated into the attack analysis section.

caption - Attack Flow Diagram
4.1. Spearphishing Email
Analysis of attacker test log files revealed that the spearphishing email was sent from the IP address 158.247.253[.]215. The attacker impersonated the victim's legal representative and lured the victim into downloading and executing an attachment by claiming that another email received by the victim had been used for criminal purposes.

caption - Sent email
The sophistication of the attack was evident in the following points:
The victim's name found in the decoy file of the hole_414 repository matched the victim's name in the email.
The attacker first impersonated the Financial Supervisory Service, sending the victim an email about account usage restrictions and a "transfer request notice."
Next, the attacker sent another email to the victim, claiming that the previous email (step 2) had been used for criminal activity.
Ultimately, the attacker sent two emails to the victim, both designed to induce the execution of malicious code.
The attachment was a password-protected archive, with the password included in the email. The file name was "이메일 사본_계좌 사용 제한 및 이체 안내.zip" ("Email Copy_Account Usage Restriction and Transfer Notice.zip"), and a PDF file with the same name was found in the commit log of the hole_414 repository.

caption - Information of email attachment

caption - Commit log related to "Email Copy_Account Usage Restriction and Transfer Notice.pdf"
The attachment could only be downloaded by the sender and recipient, so it could not be obtained for analysis. According to a report by AhnLab on a similar case, the file inside the archive is suspected to be a malicious shortcut file containing PowerShell commands. When executed, the shortcut file performs the following actions:
Creates and executes malware (PowerShell script) in the Temp directory.
Downloads and executes a decoy file.
Creates and registers malware (PowerShell script) with the Task Scheduler.
The scheduled task executes the malware (PowerShell script) every 30 minutes.
Downloads and executes an infostealer.
4.2. onf.txt – Infostealer
This section is based on analysis of the commit logs remaining in the hole_311 repository.
A PowerShell script, which is downloaded and executed only once upon initial infection, collects and transmits information from the compromised system.

caption - Routine for collecting infected system information
The script creates a file named [ip]-[MMdd_HHmm]-0956_info.txt in the %AppData%\Microsoft directory and records the collected system information. The details collected are as follows:
Last boot time
Windows operating system name, version, build number, and architecture
Computer information
Operating system installation date
List of currently running processes
Once the system information is written to the file, it is uploaded to the attacker's private repository under the /log path using a Github Personal Access Token (PAT).

caption - Routine for uploading collected information
4.3. ofx.txt
This is a script file that is downloaded and executed by the malware run via the Task Scheduler.
4.3.1. ofx.txt at the Time of the Last Commit
A file named [ip]-[MMdd_HHmm]-XXX-kkk.txt is created in the %AppData% directory, and the last boot time is written to this file. The file containing the last boot time is then uploaded to the attacker's private repository /log path using a Github PAT.

caption - Routine for generating infection notification logs
The attacker used these repeatedly uploaded logs in the repository to determine whether a victim was infected, and then changed the ofx.txt file to a RAT downloader so that it would be executed on the infected system.
Every 30 minutes, the scheduled task registered in the Task Scheduler is executed, and the malware run by the Task Scheduler downloads and executes the ofx.txt file from Github. If the attacker modifies the ofx.txt file, they can continuously execute any desired PowerShell script.
4.3.2. ofx.txt Immediately After Infection
Immediately after infection, the attacker modified the ofx.txt script to function as a RAT downloader. Both the downloading of malware and the uploading of log files are performed through the "hole_311" repository; however, notably, the encoded RAT file xxx.rtf was downloaded from the "star" repository.

caption - ofx.txt file modified immediately after infection
4.3.3. ofx.txt After Attack Suspension
After no further victim information was uploaded following March 16, 2025, the attacker performed three test log uploads and then uploaded eula.rtf to the repository. The IPs used for test log uploads are as follows:
10.7.185[.]68
158.247.253[.]215
192.168.35[.]35

caption - Commit log after victim information upload was suspended
Additionally, a script was temporarily uploaded to download eula.rtf from the "hole_311" repository instead of xxx.rtf from the "star" repository. Finally, ofx.txt was modified to a log transmission script, which can be seen in the latest commit.
4.4. XenoRAT
The final malware executed is xxx.rtf, which resides in the "star" repository. According to the commit log, xxx.rtf was first created on March 11, 2025, and was modified on March 21, 2025.

caption - Differences Before and After Modification
The differences between the old and new files are as follows:
Old rtf file: The assembly name is "Danty," and the strings are hardcoded in an obfuscated state.
New rtf file: The assembly name is "Solar," and the strings are dynamically loaded from the resource section.
According to the commit log sequence, the malware delivered to the victim was the old version of xxx.rtf, which was analyzed in detail.
The malware is a variant of XenoRAT, which is open-source on Github, and it has been obfuscated.

caption - Github XenoRAT Repository
The strings used by the malware are encrypted and decrypted through a dedicated method. Although the decryption method is heavily obfuscated, the core process is as follows:
Convert the Unicode string to a char array.
Retrieve a value from a 16-byte key in the resource section at the [seed & 0xf] index, then generate an XOR key by performing an OR operation with the seed.
Decrypt the char array using the XOR key.

caption - String decryption method
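For analysts extracting configuration from similar samples, the following added example (not the malware's code and not code from the original report) implements one reading of the three steps above. It assumes the XOR key is truncated to 16 bits to match a .NET char and that one key is applied to every char of a string; the 16-byte key, seeds and plaintexts are constructed.

```python
import re
import struct

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed inputs: this key and these strings are not from any sample.
CONSTRUCTED_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def derive_xor_key(resource_key: bytes, seed: int) -> int:
    """Step 2: key byte at [seed & 0xf], OR-ed with the seed.
    Truncation to 16 bits is an assumption (width of a .NET char)."""
    if len(resource_key) != 16:
        raise ValueError("expected the 16-byte key from the resource section")
    return (resource_key[seed & 0xF] | seed) & 0xFFFF


def xor_utf16(blob: bytes, resource_key: bytes, seed: int) -> bytes:
    """Steps 1 and 3: treat the data as UTF-16LE code units and XOR each
    one with the derived key. The operation is its own inverse."""
    if len(blob) % 2:
        raise ValueError("UTF-16 data must have an even length")
    key = derive_xor_key(resource_key, seed)
    units = struct.unpack(f"<{len(blob) // 2}H", blob)
    return struct.pack(f"<{len(units)}H", *(u ^ key for u in units))


def decrypt_string(blob: bytes, resource_key: bytes, seed: int) -> str:
    return xor_utf16(blob, resource_key, seed).decode("utf-16-le", "replace")


def extract_config(entries, resource_key: bytes) -> dict:
    """Decrypt (seed, blob) pairs and pick out strings shaped like IPv4."""
    strings = [decrypt_string(blob, resource_key, seed) for seed, blob in entries]
    return {"strings": strings,
            "c2": [s for s in strings if IPV4_RE.fullmatch(s)]}


def _constructed_entry(seed: int, text: str):
    # Builds demo ciphertext by applying the same XOR to known plaintext.
    return seed, xor_utf16(text.encode("utf-16-le"), CONSTRUCTED_KEY, seed)


CONSTRUCTED_ENTRIES = [
    _constructed_entry(0x1234, "192.0.2.10"),      # documentation address
    _constructed_entry(0x0042, "Example_Mutex"),
]

if __name__ == "__main__":
    print(extract_config(CONSTRUCTED_ENTRIES, CONSTRUCTED_KEY))
```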
Through string decryption, the following configuration values were identified:
Mutex name: Dansweit_Hk65
C&C server address: 165.154.78[.]9
The port information is directly visible as an integer value in the IL code.

caption - Hardcoded port information
5. Additional Malware
5.1. XenoRAT
In C# files, the GUID is typically automatically generated by development environments such as Visual Studio when a project is initialized. Unless the attacker modifies it, all files compiled within the same project environment will share the same GUID. Leveraging this characteristic, additional malware samples were identified on VirusTotal using a string-based search query:
content:"12DE1212-167D-45BA-1284-780DA98CF901"

caption - XenoRAT GUID
As a result of this query, a total of four additional malware samples were identified. All of the samples exhibited the same string encryption method as the XenoRAT found in the star repository, in addition to sharing the GUID. The table below summarizes the hash, mutex name, and C&C server address for each sample, as confirmed through string decryption:
caption - Additional malware sample information
Among these, another PowerShell script was also discovered that sends requests to the C&C server at 101.36.114[.]190:
85f5075610661c9706571a33548d7585
This PowerShell script deletes files named dose.vbs, processlist.zip, and processlist.txt from the Temp directory. Unused variables in the script also reference disk.txt, user.txt, and ip.txt.

caption - List of variables
The script collects system information and saves it to processlist.txt. The collected data includes:
IP information
Antivirus program names
List of running processes
Local disk information
Local user information
Operating system information

caption - Routine for collecting system information
After collecting system information, the script compresses the txt file into a zip archive, reads the zip data into memory, and deletes both files. The data stored in memory is then encoded in base64 and uploaded to the C&C server.

caption - Routine for uploading files
5.2. Dropbox URL
To identify RAT downloaders abusing Dropbox, additional malware samples were collected from VirusTotal using the following search query:
content:{7b5b436d646c657442696e64696e6728295d20506172616d2028} type:powershell
As a result, nine additional malware samples were found, though most of the files had already been deleted at the time of analysis. None of the URLs extracted from these samples are currently accessible.

caption - Additional File Information
The following Dropbox URLs were identified from the collected malware samples:
6. Attribution
6.1. Test IP Correlation
The IP address 80.71.157[.]55 appears in nearly all repository log files and serves as a test IP address used by the attacker in the attack scenarios. Notably, this same IP address was also used for testing purposes in the 2024 MoonPeak case. The MoonPeak campaign was operated by UAT-5394, a group believed to be either a sub-group or directly affiliated with Kimsuky, a DPRK-nexus threat actor.
6.2. XenoRAT Samples with Identical Build Environments
During the process of collecting additional malware samples, GUID values were utilized. In C# projects, GUIDs are typically generated automatically by development environments such as Visual Studio when a project is created. Unless the attacker deliberately changes them, all files compiled within the same project environment will share the same GUID. Leveraging this characteristic, six additional malware samples were identified, and several commonalities were observed.
Of the six samples, five used the same string encryption method as the XenoRAT analyzed in this report. The hashes of these five samples are:
0cb6e67f23ccebc3727f755be5140497
976ad041832082f2d304df12b61457cb
baf164d2a5066cab5772dc6ae4807f43
10ce9409d8d1e72ea6439bec7cd7e4cd
f51a2ccb4b9b2bf163c81b525bfac08e
The remaining sample (a87659641e00d724de5662b14fe142e8) has strings that are obfuscated and hardcoded, similar to the pre-modification xxx.rtf in the star repository. These findings strongly suggest that the samples originate from the same attacker, which is further supported by the next section on XenoRAT C&C servers used in phishing attacks.
6.3. XenoRAT C&C Server Used in Naver Phishing Attacks
Among the additional XenoRAT samples, one (baf164d2a5066cab5772dc6ae4807f43) was found to use the C&C server address 158.247.202[.]109, which is currently being used as a Naver phishing site. The site displays the string "Million OK!!!!" and utilizes domain naming conventions such as "p-e.kr," which are known to be used by the North Korean threat group "Kimsuky".

caption - "Million OK!!!!" displayed when connecting to the C&C server
The phishing page can be accessed via the following URL:
http://158.247.202[.]109/invoice/?wreply=&m=https%3a%2f%2fnid.naver[.]com%2fnidlogin[.]login%3furl%3dhttp%253a%252f%252fmail.naver[.]com%252f

caption - Naver Login Phishing Site
These correlations (shared test IP addresses referenced in other reports, the use of a XenoRAT C&C server for a Naver phishing page, and the identical build environment and string encryption methods among the malware samples) collectively indicate a strong connection between the attacker analyzed in this report and the DPRK-nexus threat actor Kimsuky.
7. Course of Action
7.1. Avoid Downloading and Executing Suspicious Email Attachments
Attackers meticulously design their campaigns by creating separate repositories for each target and attack period, using decoy files tailored to specific victims. The precision of these attacks is evident in emails and decoy files that mention personal information and impersonate representatives of trusted organizations, such as law firms.

caption - Email sent to the target
Therefore, if you receive an email containing attachments or links, you should refrain from downloading or executing them immediately. It is advisable to use file scanning services like VirusTotal to check attachments first.
However, keep in mind that if a password is set on a compressed file, VirusTotal is unable to inspect its contents. For this reason, it is safest not to download or execute attachments from emails with unclear origins.
8. Conclusion
This report analyzed an attack targeting individuals in South Korea where the DPRK-nexus threat actor Kimsuky actively utilized private Github repositories as attack infrastructure. The attacker managed not only the malware used in attacks but also uploaded and maintained infected system log files and exfiltrated information in private repositories using Github Personal Access Tokens (PATs). Since the token for the "luckmask" account had expired, we were unable to analyze it, but a new token may have been issued for use in other attacks.
Additionally, approximately 10 different Dropbox URLs used to distribute XenoRAT have been identified since March, indicating that numerous spearphishing attacks are continually being executed beyond the analyzed cases. This ongoing activity highlights the persistent and evolving nature of Kimsuky's operations, including their use of both Github and Dropbox as part of their infrastructure.
Attackers are employing increasingly sophisticated and meticulous methods to ensure malware infection. Users should always verify the trustworthiness of email sources—even if the sender appears familiar—and use security solutions or services like VirusTotal to preemptively scan attachments for malware. Remaining vigilant and adopting proactive security measures are essential to defending against these advanced threats.
9. Appendix
Appendix A. MITRE ATT&CK Matrix
caption - MITRE ATT&CK
Appendix B. IOCs
Mutex
Dansweit_Hk65
Cheetah_0716
Email
janman8907@gmail.com
.NET Assembly GUID
12DE1212-167D-45BA-1284-780DA98CF901