S0622: AppleSeed
Analyst context for executives and security teams
AppleSeed matters because ATT&CK describes it as a backdoor used by Kimsuky against government, academic, and commercial targets, with Windows and Android listed as platforms. The relationship set shows behavior beyond simple remote access: discovery, local and removable-media data collection, keylogging, screen capture, web-based command and control, fallback channels, staging, exfiltration over C2, and stealth through obfuscation, packing, masquerading, and file deletion.
Executive priority
Treat AppleSeed as a decision point for resilience and evidence readiness: can the organization prove it would see suspicious endpoint discovery, data collection, credential capture, and web-based C2/exfiltration on Windows and relevant Android assets? Leaders should prioritize telemetry retention, egress visibility, removable-media governance, endpoint hardening, and incident response procedures over relying on a named-malware signature, because ATT&CK provides no official detection guidance for this object.
Technical view
SOC and IR teams should validate coverage behaviorally against the related techniques: PowerShell and JavaScript execution, process/system/network/file discovery, local and removable-media collection, local staging, keylogging/screen capture indicators, web protocol C2, fallback communications, chunked or threshold-aware transfer patterns, and cleanup/masquerading behaviors. Detection engineering should separate normal administrative discovery and scripting from suspicious chains that combine discovery, collection, staging, and outbound web traffic from unusual processes or locations.
Likely telemetry
- Endpoint process creation, command line, parent-child process, and script execution logs, especially PowerShell and JavaScript/JScript activity on Windows
- File creation, modification, deletion, rename, staging-directory, and packed/obfuscated executable metadata
- Endpoint discovery signals: process listing, system information, network configuration, time, and file/directory enumeration
- Removable media connection and file access events where collected
- Network proxy, firewall, DNS, TLS, and web request metadata for outbound HTTP/S-like command-and-control patterns
Detection direction
- Do not depend only on AppleSeed-specific indicators; ATT&CK supplies no official detection text, so validate technique-level analytics and investigative pivots.
- Tune for behavior chains. Discovery followed by local staging, collection from local or removable sources, and then web-based outbound communication from the same host or process tree is a higher-value signal than any single command.
- Review false positives from administrators, inventory tools, backup agents, remote support software, and endpoint management platforms that legitimately perform discovery or scripting.
- Hunt for masquerading and legitimate-looking resource names or locations, especially when paired with unusual network destinations or file deletion after execution.
- Assess whether web egress monitoring can distinguish normal browser traffic from non-browser processes using web protocols, and whether fallback or alternate channels would be visible.
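The chain logic described in the points above, as an added example that is not code from the page, MITRE, or Glexia: a small correlator over constructed endpoint events (the pipe-delimited schema, the discovery command list, the staging paths, the browser set and the administrative-tool allowlist are all assumptions) that raises one alert per host when discovery, local staging and non-browser web egress occur in that order inside a time window, suppresses the chain when every process in it is allowlisted management tooling, and notes cleanup of the staging path after egress.

```python
"""Behavior-chain correlation for AppleSeed-style activity (added example).

Not code from the page, MITRE, or Glexia. Correlates constructed endpoint
events per host into the chain the page describes: discovery -> local staging
-> web egress from a non-browser process, with optional cleanup afterwards.
Event schema, staging paths and the allowlist are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed analytic parameters; tune to the local environment.
DISCOVERY_CMDS = ("systeminfo", "ipconfig", "tasklist", "whoami", "net view")
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
ADMIN_ALLOWLIST = {"ccmexec.exe", "monitoringhost.exe", "backupagent.exe"}
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry, not real logs.
# Format: ts|host|process|parent|kind|detail  (kind: process, file_write, file_delete, net_http)
SAMPLE_EVENTS = """\
2021-06-01T09:00:01|WS01|regsvr32.exe|wscript.exe|process|regsvr32.exe /s C:\\Users\\a\\AppData\\Local\\Temp\\ESTCommon.dll
2021-06-01T09:00:05|WS01|cmd.exe|regsvr32.exe|process|cmd.exe /c systeminfo
2021-06-01T09:00:07|WS01|cmd.exe|regsvr32.exe|process|cmd.exe /c ipconfig /all
2021-06-01T09:02:10|WS01|regsvr32.exe|wscript.exe|file_write|C:\\Users\\a\\AppData\\Local\\Temp\\a1b2\\collected.zip
2021-06-01T09:03:00|WS01|regsvr32.exe|wscript.exe|net_http|POST http://203.0.113.10/upload
2021-06-01T09:03:30|WS01|regsvr32.exe|wscript.exe|file_delete|C:\\Users\\a\\AppData\\Local\\Temp\\a1b2\\collected.zip
2021-06-01T10:00:00|WS02|ccmexec.exe|services.exe|process|ccmexec.exe systeminfo
2021-06-01T10:01:00|WS02|ccmexec.exe|services.exe|file_write|C:\\ProgramData\\inventory\\hw.xml
2021-06-01T10:02:00|WS02|ccmexec.exe|services.exe|net_http|POST http://sccm.corp.example/inventory
2021-06-01T11:00:00|WS03|chrome.exe|explorer.exe|net_http|GET https://intranet.example/
"""


def parse_events(text):
    """Parse pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, parent, kind, detail = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": proc.lower(), "parent": parent.lower(),
                       "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def classify(ev):
    """Map one event to a chain stage, or None if it does not matter here."""
    d = ev["detail"].lower()
    if ev["kind"] == "process" and any(c in d for c in DISCOVERY_CMDS):
        return "discovery"
    if ev["kind"] == "file_write" and any(s in d for s in STAGING_DIRS):
        return "staging"
    if ev["kind"] == "file_delete" and any(s in d for s in STAGING_DIRS):
        return "cleanup"
    if ev["kind"] == "net_http" and ev["process"] not in BROWSERS:
        return "egress"
    return None


def correlate(events, window=WINDOW):
    """Return one alert per host whose events show discovery, then staging,
    then non-browser web egress within `window`. A chain whose processes are
    all allowlisted management tooling is suppressed as an expected admin
    pattern; deletion of the staging path after egress is noted on the alert."""
    state = defaultdict(dict)   # host -> {stage: event, "alert": dict}
    alerts = []
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        h = state[ev["host"]]
        stale = "discovery" in h and ev["ts"] - h["discovery"]["ts"] > window
        if stage == "discovery":
            if "discovery" not in h or stale:
                h.clear()            # open a fresh window on the first discovery
                h["discovery"] = ev
            continue
        if "discovery" not in h or stale:
            continue                 # no recent discovery on this host: not this chain
        if stage == "staging":
            h.setdefault("staging", ev)
        elif stage == "egress" and "staging" in h and "alert" not in h:
            procs = {h["discovery"]["process"], h["staging"]["process"], ev["process"]}
            if procs <= ADMIN_ALLOWLIST:
                h.clear()            # whole chain came from allowlisted tooling
                continue
            h["alert"] = {"host": ev["host"], "start": h["discovery"]["ts"].isoformat(),
                          "discovery_parent": h["discovery"]["parent"],
                          "staging_path": h["staging"]["detail"],
                          "egress_process": ev["process"], "destination": ev["detail"],
                          "processes": sorted(procs), "cleanup_after_egress": False}
            alerts.append(h["alert"])
        elif stage == "cleanup" and "alert" in h:
            h["alert"]["cleanup_after_egress"] = True
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data the WS02 inventory chain is suppressed because every process in it is allowlisted, the WS03 browser request never enters the chain, and WS01 produces a single alert carrying the discovery parent (regsvr32.exe), the staging path, the non-browser egress destination and the post-egress deletion. The allowlist is deliberately applied to the whole chain rather than to individual events, so a discovery command launched by an unexpected parent still alerts even when the egress process alone looks ordinary.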
Mitigation priorities
- Prioritize endpoint visibility and hardening on Windows and managed Android assets in scope.
- Restrict and monitor script execution, especially PowerShell and JavaScript/JScript, using least privilege and approved administrative workflows.
- Control outbound web traffic with proxying, destination reputation/context, and logging sufficient for incident reconstruction.
- Limit removable media use and monitor permitted media for sensitive data access where business operations allow.
- Apply least privilege and data access controls to reduce the value of local collection and credential capture.
Analyst notes and limits
The supplied ATT&CK relationships make AppleSeed useful for building a defensive validation plan even though the malware object itself has no ATT&CK tactics listed and no official detection text. The strongest defensive value is mapping the related techniques into telemetry, control, and response evidence requirements.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, exploit paths, or guaranteed detection. Local asset inventory, logging configuration, mobile management coverage, and business process context are required to determine actual risk and coverage.
AppleSeed
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.007 | JavaScript | AppleSeed has the ability to use JavaScript to execute PowerShell. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1059.001 | PowerShell | AppleSeed has the ability to execute its payload via PowerShell. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1027.002 | Software Packing | AppleSeed has used UPX packers for its payload DLL. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1016 | System Network Configuration Discovery | AppleSeed can identify the IP of a targeted system. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1036 | Masquerading | AppleSeed can disguise JavaScript files as PDFs. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1566.001 | Spearphishing Attachment | AppleSeed has been distributed to victims through malicious e-mail attachments. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AppleSeed can decode its payload prior to execution. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1057 | Process Discovery | AppleSeed can enumerate the current process on a compromised host. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1134 | Access Token Manipulation | AppleSeed can gain system level privilege by passing |
| Enterprise | T1056.001 | Keylogging | AppleSeed can use |
| Enterprise | T1005 | Data from Local System | AppleSeed can collect data on a compromised host. [Malwarebytes Kimsuky June 2021; KISA Operation Muzabi] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1082 | System Information Discovery | AppleSeed can identify the OS version of a targeted system. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration. [KISA Operation Muzabi] |
| Enterprise | T1567 | Exfiltration Over Web Service | AppleSeed has exfiltrated files using web services. [KISA Operation Muzabi] |
| Enterprise | T1030 | Data Transfer Size Limits | AppleSeed has divided files if the size is 0x1000000 bytes or more. [KISA Operation Muzabi] |
| Enterprise | T1106 | Native API | AppleSeed has the ability to use multiple dynamically resolved API calls. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration. [KISA Operation Muzabi] |
| Enterprise | T1008 | Fallback Channels | AppleSeed can use a second channel for C2 when the primary channel is in upload mode. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | AppleSeed can exfiltrate files via the C2 channel. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1083 | File and Directory Discovery | AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1027 | Obfuscated Files or Information | AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1071.001 | Web Protocols | AppleSeed has the ability to communicate with C2 over HTTP. [Malwarebytes Kimsuky June 2021; KISA Operation Muzabi] |
| Enterprise | T1070.004 | File Deletion | AppleSeed can delete files from a compromised host after they are exfiltrated. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1113 | Screen Capture | AppleSeed can take screenshots on a compromised host by calling a series of APIs. [Malwarebytes Kimsuky June 2021; KISA Operation Muzabi] |
| Enterprise | T1204.002 | Malicious File | AppleSeed can achieve execution through users running malicious file attachments distributed via email. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1074.001 | Local Data Staging | AppleSeed can stage files in a central location prior to exfiltration. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1560.001 | Archive via Utility | AppleSeed can zip and encrypt data collected on a target system. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | AppleSeed has the ability to create the Registry key name |
| Enterprise | T1025 | Data from Removable Media | AppleSeed can find and collect data from removable media devices. [Malwarebytes Kimsuky June 2021; KISA Operation Muzabi] |
| Enterprise | T1124 | System Time Discovery | AppleSeed can pull a timestamp from the victim's machine. [Malwarebytes Kimsuky June 2021] |
| Enterprise | T1218.010 | Regsvr32 | AppleSeed can call regsvr32.exe for execution. [Malwarebytes Kimsuky June 2021] |
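Three rows in the table describe file artifacts a hunter can check for directly: JavaScript disguised as a PDF (T1036), a UPX-packed payload DLL (T1027.002), and a payload renamed to ESTCommon.dll (T1036.005). The following is an added example, not code from the page, MITRE, Malwarebytes, or Glexia. It checks a .pdf for a missing PDF header and for script markers, parses a PE section table for UPX section names, and flags the ESTCommon.dll filename. The script-marker list is an assumption; the sample files are constructed in memory, and the minimal PE builder produces a header-only buffer for the parser rather than a runnable executable.

```python
"""File-artifact checks for the AppleSeed masquerading and packing rows (added example).

Not code from the page, MITRE, Malwarebytes, or Glexia. Flags three things the
technique table describes: a .pdf that is not a PDF and carries script markers
(T1036), a PE whose section table carries UPX section names (T1027.002), and a
PE named ESTCommon.dll (T1036.005). Sample inputs are constructed in memory.
"""
import struct

PDF_MAGIC = b"%PDF-"
SCRIPT_MARKERS = (b"ActiveXObject", b"WScript.Shell", b"powershell")  # assumed JScript tells
SECTION_HEADER_SIZE = 40


def pe_section_names(data):
    """Return section names from a PE buffer, or [] if it does not parse as PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2 and
    # SizeOfOptionalHeader at +16 inside the 20-byte header.
    fh = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_opt = struct.unpack_from("<H", data, fh + 16)[0]
    table = fh + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break                      # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def build_fake_pe(section_names):
    """Constructed header-only PE buffer with the given section names (example input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none), Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_header + sections


def check_artifact(name, data):
    """Return technique-tagged findings for one file name/content pair."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext == "pdf" and not data.startswith(PDF_MAGIC):
        findings.append("T1036: .pdf extension without a PDF header")
        if any(m in data for m in SCRIPT_MARKERS):
            findings.append("T1036: script content disguised as PDF")
    sections = pe_section_names(data)
    if any(s.startswith(b"UPX") for s in sections):
        findings.append("T1027.002: UPX section names " + ",".join(s.decode() for s in sections))
    if sections and name.lower() == "estcommon.dll":
        findings.append("T1036.005: PE named ESTCommon.dll; verify publisher and signature")
    return findings


# Constructed samples, not real malware.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "report.pdf": b"var sh = new ActiveXObject('WScript.Shell');\nsh.Run('powershell -nop -w hidden');",
    "ESTCommon.dll": build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]),
    "clean.dll": build_fake_pe([b".text", b".rdata", b".data"]),
}


def scan(samples):
    """Run check_artifact over a {name: bytes} mapping."""
    return {name: check_artifact(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, findings or ["no findings"])
```

UPX section names and a familiar vendor filename are hunt leads, not verdicts: plenty of legitimate software ships UPX-packed, and the right follow-up for an ESTCommon.dll hit is to compare the file's publisher and Authenticode signature against what the vendor actually ships. The content-versus-extension check is the more reliable of the three, because a file the mail gateway or user treats as a PDF has no legitimate reason to begin with JScript.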
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the currently mirrored snapshot. Where multiple ATT&CK source imports are retained, the same object can be compared across releases by raw hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d9c650922faa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash, so the exact object from the mirrored bundle can be retrieved when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Malwarebytes Kimsuky June 2021: Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
[2] mitre-attack S0622: MITRE ATT&CK software entry S0622 (AppleSeed).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.