PEBBLEDASH
PebbleDash is a Windows backdoor/beaconing implant malware family identified by the U.S. government as PEBBLEDASH and associated with North Korean activity tracked as HIDDEN COBRA. It is also described as a NukeSped variant historically associated with Lazarus, and later observed in Kimsuky operations, including alongside AppleSeed. Reporting states that Kimsuky has used PebbleDash in multi-stage spear-phishing infection chains and has continued to develop PebbleDash-based tooling, including HelloDoor, HttpMalice, MemLoad, and HttpTroy. Delivery methods mentioned for Kimsuky campaigns include droppers written in JSE, PIF, SCR, and EXE, as well as malicious attachments disguised as documents or installers.
High-confidence capabilities directly described for PebbleDash include use of FakeTLS for session authentication/network obfuscation and RC4-encrypted post-handshake communications; dynamic API resolution with obfuscated strings; and command execution functionality enabling download, upload, deletion, and execution of files, Windows CLI access, process creation and termination, and target system enumeration. The DHS/FBI/DoD analysis describes it as a full-featured beaconing implant for Microsoft Windows. In Kimsuky reporting, PebbleDash and AppleSeed are both characterized as backdoors that can persist on infected systems and receive attacker commands to perform malicious actions.
Directly mentioned indicators for the analyzed U.S. government sample include C2 112.217.108.138:443, MD5 d2de01858417fa3b580b3a95857847d5, SHA256 aab2868a6ebc6bdee5bd12104191db9fc1950b30bcf96eab99801624651e77b6, and RC4 key 79 E1 0A 5D 87 7D 9F F7 5D 12 2E 11 65 AC E3 25. The sample was reported as a 32-bit Windows PE executable compiled with Microsoft Visual C++ 6.0. Targeting associated with Kimsuky-linked PebbleDash activity includes primarily South Korean public and private sector organizations, with emphasis on defense-related targets, and additional observed activity against defense organizations in Brazil and Germany.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
5.3. Privilege Escalation ... 5.3.1. UACMe ... 5.3.2. CVE-2021-1675 Vulnerability
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as PEBBLEDASH... This report looks at a full-featured beaconing implant. This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing... Normally, malware strains assumed to be attachments of spear phishing attack emails are disguised as document files.
The email messages contain a link to a password-protected RAR archive that's hosted on the MEGA cloud service.
Execution
5 techniques
They then utilize a PowerShell script to create a task scheduler and register it for automatic execution.
It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Should the victim click anywhere on the page, a PowerShell command embedded within the HTML is executed to reach out to an external server and download a next-stage PowerShell payload.
This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
When the LNK is run, it executes Base64-encoded PowerShell to drop a Javascript Encoded file called "Themes.jse" using a Visual Basic Script.
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
4 techniques
The sample obfuscates strings used for API lookups using a custom XOR algorithm... The sample obfuscates its callback descriptors (IP address and ports) using a different custom XOR algorithm.
The sample performs dynamic dynamic link library (DLL) importing and application programming interface (API) lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its usage of network functions.
Normally, malware strains assumed to be attachments of spear phishing attack emails are disguised as document files. If a user runs the file, malware of this type runs the document that corresponds to the disguised file name and tricks the user into thinking that they have opened a normal file.
It has the capability to download, upload, delete, and execute files...
Credential Access
1 technique
The attacker can use backdoor to install another remote control malware such as Meterpreter and HVNC, or various other types of malware for privilege escalation and account credential theft.
Discovery
1 technique
This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Command and Control
6 techniques
The sample utilizes a "FakeTLS" scheme in an attempt to obfuscate its network communications. The sample and the command and control (C2) externally appear to perform a standard TLS authentication, however, most of the fields used are filled with random data from rand().
They are both backdoors used by the Kimsuky group that can stay in the system and perform malicious behaviors by receiving commands from the attacker... 3.3. C&C Communications Using Emails ... Ping Thread (SMTP) ... Command Thread (IMAP) ... 4.1.3. C&C Communications ... 4.2.3. C&C Communications
FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH.
It has the capability to download, upload, delete, and execute files...
Once the FakeTLS handshake is complete, all further packets use a FakeTLS header, followed by RC4 encrypted data.
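As an added example (not code from the government report or from Mallory), this Python decoder walks a captured post-handshake byte stream, skips records that are not application data, and RC4-decrypts each body with the key listed for the analyzed sample. It assumes the FakeTLS header is a standard 5-byte TLS record header and that each record is decrypted with a fresh RC4 keystream; the records it decodes are constructed here for illustration.

```python
# Added example, not from the report or the Mallory page: RC4-decrypt the payload
# of FakeTLS-style records using the key published for the analyzed sample.
# Assumptions: the "FakeTLS header" is a standard 5-byte TLS record header
# (content type, 16-bit version, 16-bit length) and each record is decrypted
# with a fresh RC4 keystream.

# RC4 key exactly as listed in the U.S. government report for this sample.
PEBBLEDASH_RC4_KEY = bytes.fromhex("79e10a5d877d9ff75d122e1165ace325")
TLS_APPLICATION_DATA = 0x17
HEADER_LEN = 5


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_fake_tls_stream(blob: bytes, key: bytes = PEBBLEDASH_RC4_KEY) -> list[bytes]:
    """Walk a captured post-handshake stream and RC4-decrypt each application-data body.
    Records of any other content type are skipped: under FakeTLS they hold rand() filler."""
    plaintexts = []
    while blob:
        if len(blob) < HEADER_LEN:
            raise ValueError("truncated record header")
        content_type = blob[0]
        length = int.from_bytes(blob[3:5], "big")
        body, blob = blob[HEADER_LEN:HEADER_LEN + length], blob[HEADER_LEN + length:]
        if len(body) != length:
            raise ValueError("record length exceeds captured data")
        if content_type == TLS_APPLICATION_DATA:
            plaintexts.append(rc4(key, body))
    return plaintexts


def build_record(plaintext: bytes, key: bytes = PEBBLEDASH_RC4_KEY) -> bytes:
    """Constructed test data only: wrap RC4(plaintext) in an application-data header."""
    body = rc4(key, plaintext)
    return bytes([TLS_APPLICATION_DATA, 0x03, 0x01]) + len(body).to_bytes(2, "big") + body
```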
Exfiltration
1 technique
The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware family for which Kimsuky is deploying variants in recent campaigns.
A malware family used by Kimsuky and delivered through multiple dropper formats. Its variants include HelloDoor and HttpMalice, and the cluster demonstrates advanced remote control capabilities.
PebbleDash is referenced as the malware/tool family underlying newly disclosed tools used by Kimsuky.
Trojan malware used in multi-stage spear-phishing campaigns, capable of persistence via task scheduler and C2 communication for further malware deployment.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.