S0622: AppleSeed
Analyst context for executives and security teams
AppleSeed matters because ATT&CK describes it as a backdoor used by Kimsuky against government, academic, and commercial targets, with Windows and Android listed as platforms. The relationship set shows behavior beyond simple remote access: discovery, local and removable-media data collection, keylogging, screen capture, web-based command and control, fallback channels, staging, exfiltration over C2, and stealth through obfuscation, packing, masquerading, and file deletion.
Executive priority
Treat AppleSeed as a decision point for resilience and evidence readiness: can the organization prove it would see suspicious endpoint discovery, data collection, credential capture, and web-based C2/exfiltration on Windows and relevant Android assets? Leaders should prioritize telemetry retention, egress visibility, removable-media governance, endpoint hardening, and incident response procedures over relying on a named-malware signature, because ATT&CK provides no official detection guidance for this object.
Technical view
SOC and IR teams should validate coverage behaviorally against the related techniques: PowerShell and JavaScript execution, process/system/network/file discovery, local and removable-media collection, local staging, keylogging/screen capture indicators, web protocol C2, fallback communications, chunked or threshold-aware transfer patterns, and cleanup/masquerading behaviors. Detection engineering should separate normal administrative discovery and scripting from suspicious chains that combine discovery, collection, staging, and outbound web traffic from unusual processes or locations.
Likely telemetry
- Endpoint process creation, command line, parent-child process, and script execution logs, especially PowerShell and JavaScript/JScript activity on Windows
- File creation, modification, deletion, rename, staging-directory, and packed/obfuscated executable metadata
- Endpoint discovery signals: process listing, system information, network configuration, time, and file/directory enumeration
- Removable media connection and file access events where collected
- Network proxy, firewall, DNS, TLS, and web request metadata for outbound HTTP/S-like command-and-control patterns
Detection direction
- Do not depend only on AppleSeed-specific indicators; ATT&CK supplies no official detection text, so validate technique-level analytics and investigative pivots.
- Tune for behavior chains: discovery followed by local staging, collection from local or removable sources, then web-based outbound communication is higher value than any single command.
- Review false positives from administrators, inventory tools, backup agents, remote support software, and endpoint management platforms that legitimately perform discovery or scripting.
- Hunt for masquerading and legitimate-looking resource names or locations, especially when paired with unusual network destinations or file deletion after execution.
- Assess whether web egress monitoring can distinguish normal browser traffic from non-browser processes using web protocols, and whether fallback or alternate channels would be visible.
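As an added detection-engineering example (not from the page, ATT&CK, or any vendor), the behavior chain above scored over constructed endpoint events: discovery, then local staging, then web egress from a non-browser process on one host within a time window. The command list, staging-path markers, browser allowlist and event layout are illustrative assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample EDR-style events (not real telemetry). ws1 shows the chain
# the page describes; ws2 is an admin host doing discovery and browsing only.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws1", "kind": "process", "proc": "cmd.exe",
     "detail": "tasklist /v"},
    {"ts": "2024-05-01T09:00:20", "host": "ws1", "kind": "process", "proc": "cmd.exe",
     "detail": "systeminfo"},
    {"ts": "2024-05-01T09:03:00", "host": "ws1", "kind": "file", "proc": "update.exe",
     "detail": "C:\\Users\\u\\AppData\\Local\\Temp\\st\\collected.zip"},
    {"ts": "2024-05-01T09:04:00", "host": "ws1", "kind": "network", "proc": "update.exe",
     "detail": "POST https://203.0.113.5/upload"},
    {"ts": "2024-05-01T10:00:00", "host": "ws2", "kind": "process", "proc": "powershell.exe",
     "detail": "ipconfig /all"},
    {"ts": "2024-05-01T10:01:00", "host": "ws2", "kind": "network", "proc": "msedge.exe",
     "detail": "GET https://intranet.example/"},
]

# Assumed stage heuristics, loosely mapped to the page's technique list:
# T1057/T1082/T1016 discovery, T1074.001 local staging, T1071.001 web egress.
DISCOVERY_CMDS = ("tasklist", "systeminfo", "ipconfig", "whoami", "net view")
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\programdata\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected web-protocol users

def stage(ev):
    """Return the chain stage an event counts toward, or None if it is noise."""
    d = ev["detail"].lower()
    if ev["kind"] == "process" and d.startswith(DISCOVERY_CMDS):
        return "discovery"
    if ev["kind"] == "file" and any(m in d for m in STAGING_MARKERS):
        return "staging"
    if ev["kind"] == "network" and d.startswith(("get http", "post http")) \
            and ev["proc"].lower() not in BROWSERS:
        return "web_egress"
    return None

def detect_chains(events, window_minutes=30):
    """Flag hosts where discovery -> staging -> non-browser web egress occur in
    that order within the window; single stages alone never alert."""
    alerts, by_host, window = [], {}, timedelta(minutes=window_minutes)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        seen = {}  # first event observed for each stage, in chain order
        for ev in evs:
            s = stage(ev)
            if s == "discovery" and "discovery" not in seen:
                seen["discovery"] = ev
            elif s == "staging" and "discovery" in seen and "staging" not in seen:
                seen["staging"] = ev
            elif s == "web_egress" and "staging" in seen:
                t0 = datetime.fromisoformat(seen["discovery"]["ts"])
                if datetime.fromisoformat(ev["ts"]) - t0 <= window:
                    alerts.append({"host": host, "egress_proc": ev["proc"],
                                   "chain": [seen["discovery"]["ts"], seen["staging"]["ts"], ev["ts"]]})
                    break
    return alerts
```

Tuning the window, the discovery command set and the process allowlist against known inventory, backup and remote-support tooling is where the false-positive review from the list above happens.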
Mitigation priorities
- Prioritize endpoint visibility and hardening on Windows and managed Android assets in scope.
- Restrict and monitor script execution, especially PowerShell and JavaScript/JScript, using least privilege and approved administrative workflows.
- Control outbound web traffic with proxying, destination reputation/context, and logging sufficient for incident reconstruction.
- Limit removable media use and monitor permitted media for sensitive data access where business operations allow.
- Apply least privilege and data access controls to reduce the value of local collection and credential capture.
Analyst notes and limits
The supplied ATT&CK relationships make AppleSeed useful for building a defensive validation plan even though the malware object itself has no ATT&CK tactics listed and no official detection text. The strongest defensive value is mapping the related techniques into telemetry, control, and response evidence requirements.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, exploit paths, or guaranteed detection. Local asset inventory, logging configuration, mobile management coverage, and business process context are required to determine actual risk and coverage.
AppleSeed
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1036 | Masquerading | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1056.001 | Keylogging Sub-technique | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration. (Citation: KISA Operation Muzabi) |
| Enterprise | T1567 | Exfiltration Over Web Service | AppleSeed has exfiltrated files using web services. (Citation: KISA Operation Muzabi) |
| Enterprise | T1030 | Data Transfer Size Limits | AppleSeed has divided files if the size is 0x1000000 bytes or more. (Citation: KISA Operation Muzabi) |
| Enterprise | T1106 | Native API | |
| Enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration. (Citation: KISA Operation Muzabi) |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1025 | Data from Removable Media | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d9c650922faa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Malwarebytes Kimsuky June 2021: Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. (Open source URL)
- [2] mitre-attack S0622. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.