S0527: CSPY Downloader
CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[1]
Analyst context for executives and security teams
CSPY Downloader matters because MITRE describes it as a Windows downloader built to evade analysis and retrieve additional payloads. For leaders, the risk is not just the initial file execution; it is whether the organization can detect the follow-on chain: evasive malware, scheduled-task persistence, registry changes, web-based command-and-control, and additional tool transfer. MITRE links the tool to Kimsuky, so threat intelligence teams should treat it as a named software object relevant to espionage-oriented intrusion tracking, while still validating exposure against local telemetry rather than assuming coverage.
Executive priority
Prioritize this as a readiness and evidence question: can security teams prove they collect and retain the Windows endpoint, task scheduler, registry, file, and web traffic evidence needed to investigate a downloader that may try to blend in or remove traces? The business decision value is in confirming that managed detection, incident response, and audit evidence can connect a suspicious user-opened file to persistence, privilege escalation, network retrieval of payloads, and cleanup activity. Where sectors or geographies overlap with Kimsuky’s ATT&CK-described targeting history, this object can help prioritize threat-informed detection validation without implying current exposure.
Technical view
ATT&CK provides no official detection text for CSPY Downloader, so defenders should build coverage from the relationships. Validate Windows detections around user-executed malicious files, packed or analysis-evasive binaries, task or service names that masquerade as legitimate, scheduled task creation or modification, registry modification, UAC-bypass-like elevation patterns, file deletion after execution, and outbound HTTP/S or web-protocol activity followed by downloaded files. IR teams should preserve volatile and endpoint artifacts early because the related techniques include indicator removal and file deletion. Detection engineering should correlate endpoint execution with network egress and subsequent payload creation rather than relying on a single signature or filename.
Likely telemetry
- Windows endpoint process creation and parent-child process context
- File creation, deletion, rename, and hash metadata for downloaded or dropped files
- Windows scheduled task creation, modification, and execution events
- Windows service name/display name and task metadata for masquerading review
- Registry modification events and relevant command-line activity
Detection direction
- Start with correlation: suspicious file execution on Windows followed by scheduled task activity, registry changes, outbound web traffic, and new file writes is more useful than isolated alerts.
- Tune for masquerading by comparing task and service names, descriptions, paths, publishers, and execution locations against known-good baselines.
- Review visibility gaps caused by TLS inspection limits, short endpoint log retention, missing task scheduler telemetry, and file deletion before collection.
- Treat packed, signed, or analysis-evasive binaries as triage signals, not proof of maliciousness; reduce false positives by requiring behavioral context.
- Use the Kimsuky relationship for threat-intelligence enrichment and prioritization, but do not make attribution from this behavior alone.
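The correlation that the technical view and the first detection-direction bullet call for, written out as an added example (not code from the ATT&CK page or from Glexia): a small Python correlator that anchors on an Office-spawned child process and counts how many stages of the described chain (scheduled task, registry write, web egress, payload write, self-deletion) follow on the same host. The event field names, the ten-minute window, the four-stage threshold and every sample value (hosts, user, paths, task names, registry key) are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # user-opened document hosts
WINDOW = timedelta(minutes=10)  # assumed correlation window after the anchor event
MIN_STAGES = 4                  # assumed alert threshold (isolated stages stay silent)

# Constructed sample telemetry (not real data): WS01 shows the whole chain, WS02 is benign.
EVENTS = [
    {"ts": "2020-11-02T09:00:05", "host": "WS01", "type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\winload.exe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"ts": "2020-11-02T09:00:07", "host": "WS01", "type": "task_create", "image": r"C:\Windows\System32\schtasks.exe", "name": r"\Microsoft\Windows\WinPackSvc"},
    {"ts": "2020-11-02T09:00:08", "host": "WS01", "type": "registry_set", "image": r"C:\Users\bob\AppData\Local\Temp\winload.exe", "key": r"HKCU\Software\CONSTRUCTED_KEY"},
    {"ts": "2020-11-02T09:00:10", "host": "WS01", "type": "network", "image": r"C:\Users\bob\AppData\Local\Temp\winload.exe", "dst_port": 80},
    {"ts": "2020-11-02T09:00:12", "host": "WS01", "type": "file_create", "image": r"C:\Users\bob\AppData\Local\Temp\winload.exe", "path": r"C:\Users\bob\AppData\Local\Temp\stage2.exe"},
    {"ts": "2020-11-02T09:00:20", "host": "WS01", "type": "file_delete", "image": r"C:\Windows\System32\cmd.exe", "path": r"C:\Users\bob\AppData\Local\Temp\winload.exe"},
    {"ts": "2020-11-02T09:30:00", "host": "WS02", "type": "process", "image": r"C:\Windows\splwow64.exe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"ts": "2020-11-02T09:31:00", "host": "WS02", "type": "task_create", "image": r"C:\Program Files\ExampleVendor\updater.exe", "name": r"\ExampleVendor\Update"},
]

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]   # lower-case file name of a Windows path

def chain_stages(events, host):
    """Chain stages seen on `host` within WINDOW of an Office-spawned child
    process (T1204.002 anchors the chain); the most complete chain wins."""
    evs = sorted((e for e in events if e["host"] == host), key=lambda e: datetime.fromisoformat(e["ts"]))
    best = set()
    for a in (e for e in evs if e["type"] == "process" and _base(e["parent"]) in OFFICE):
        child, t0 = _base(a["image"]), datetime.fromisoformat(a["ts"])
        stages = {"user_exec"}
        for e in evs:
            if not t0 <= datetime.fromisoformat(e["ts"]) <= t0 + WINDOW:
                continue
            by_child = _base(e.get("image", "")) == child
            if e["type"] == "task_create":
                stages.add("sched_task")     # T1053.005; compare the name with baselines (T1036.004)
            elif e["type"] == "registry_set" and by_child:
                stages.add("registry")       # T1112
            elif e["type"] == "network" and by_child and e["dst_port"] in (80, 443):
                stages.add("web_c2")         # T1071.001
            elif e["type"] == "file_create" and by_child:
                stages.add("payload_write")  # T1105
            elif e["type"] == "file_delete" and _base(e["path"]) == child:
                stages.add("self_delete")    # T1070.004
        if len(stages) > len(best):
            best = stages
    return best

def correlate(events):  # hosts whose chain reaches MIN_STAGES, most complete chain first
    hits = [(h, chain_stages(events, h)) for h in sorted({e["host"] for e in events})]
    return [(h, s) for h, s in sorted(hits, key=lambda x: -len(x[1])) if len(s) >= MIN_STAGES]
```

Running `correlate(EVENTS)` flags only WS01; WS02 records an Office child and an unrelated task creation, which stays below the threshold exactly as the guidance above intends.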
Mitigation priorities
- Harden user-executed file paths with attachment handling, application control, and least privilege where feasible.
- Restrict and monitor creation or modification of scheduled tasks, services, and sensitive registry locations.
- Maintain endpoint controls and logging that survive or quickly capture evidence before file deletion or cleanup activity.
- Control outbound web access with proxy logging, egress filtering, and investigation-ready DNS/HTTP metadata retention.
- Validate incident response playbooks for downloader cases, including rapid endpoint isolation, artifact preservation, and scoping of secondary payload transfer.
Analyst notes and limits
This take is derived from ATT&CK S0527 and its supplied relationships. The strongest defensive value comes from chaining the related techniques: malicious file execution, evasion, persistence, registry modification, command-and-control over web protocols, ingress tool transfer, privilege escalation, and cleanup. Because CSPY Downloader is a tool object with no official detection section, local baselines and telemetry quality determine practical coverage.
MITRE does not provide official detection guidance, aliases, or explicit tactics for the tool object itself. The platform is listed as Windows for CSPY Downloader, while several related techniques apply to additional platforms; this take limits implementation emphasis to Windows where the tool platform supports it. No active exploitation, customer exposure, or guaranteed detection is implied.
CSPY Downloader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion (sub-technique) | CSPY Downloader has the ability to self-delete.[1] |
| Enterprise | T1112 | Modify Registry | CSPY Downloader can write to the Registry under the |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | CSPY Downloader can use the schtasks utility to bypass UAC.[1] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | CSPY Downloader has come signed with revoked certificates.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CSPY Downloader can download additional tools to a compromised host.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | CSPY Downloader can use GET requests to download additional payloads from C2.[1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | CSPY Downloader has been delivered via malicious documents with embedded macros.[1] |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[1] |
| Enterprise | T1497.001 | System Checks (sub-technique) | CSPY Downloader can search loaded modules, PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.[1] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | CSPY Downloader has been packed with UPX.[1] |
| Enterprise | T1070 | Indicator Removal | CSPY Downloader has the ability to remove values it writes to the Registry.[1] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b00c06c57d25… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Kimsuky November 2020: Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- [2] mitre-attack S0527
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.