Woodgnat, JINX-0164, and Kimsuky Campaigns: Mistic, AUDIOFIX, and KimJongRAT Analysis

Recent OTX pulse data indicates a surge in diverse threats targeting enterprise infrastructure, ranging from financially motivated Initial Access Brokers (IABs) to persistent nation-state APT groups. This briefing synthesizes intelligence on three distinct actors: Woodgnat, an IAB deploying the new Mistic backdoor; JINX-0164, a threat actor targeting cryptocurrency development pipelines with AUDIOFIX; and Kimsuky, the North Korean APT revitalizing KimJongRAT via GitHub abuse.

Collectively, these campaigns demonstrate a shift toward abusing legitimate developer platforms (GitHub, NPM) and collaboration tools (LinkedIn, Microsoft Teams lookalikes) to facilitate initial access, while utilizing sophisticated sideloading and custom RATs for persistence.

Threat Actor / Malware Profile

1. Woodgnat & Mistic Backdoor

Actor Type: Initial Access Broker (IAB) / Ransomware Affiliate.
Malware: Backdoor.Mistic, ModeloRAT, MintsLoader.
Objective: Establish persistence for handoff to ransomware operations (Qilin, Black Basta).
Distribution: Social engineering leading to malware delivery; employs DLL Sideloading to execute payloads.
Behavior: Mistic provides stealthy remote access. ModeloRAT is used for specific command and control (C2) operations. Woodgnat often pairs these with loaders like D3F@ck.

2. JINX-0164 & AUDIOFIX

Actor Type: Financially Motivated / Cybercrime.
Malware: AUDIOFIX (Python RAT/Infostealer), MINIRAT (Go Backdoor).
Objective: Intellectual Property theft and credential harvesting from cryptocurrency and technology sectors.
Distribution: Supply chain attacks via malicious NPM packages and LinkedIn social engineering (recruiting personas).
Behavior: Custom macOS malware designed to infiltrate development environments. It utilizes typosquatting domains (e.g., teamicrosoft.com) to harvest credentials.

3. Kimsuky & KimJongRAT

Actor Type: Nation-State APT (North Korea).
Malware: KimJongRAT, MeshAgent.
Objective: Espionage and data exfiltration, primarily targeting Japan.
Distribution: Phishing emails with shortened URLs redirecting to GitHub Releases hosting malicious ZIP files.
Behavior: Legacy RAT combined with MeshAgent for remote management. Leverages GitHub as a dead-drop resolver to evade network defenses.

IOC Analysis

The provided pulses yield a mix of infrastructure and file-based indicators:

Domains/Hostnames: A significant number of IOCs are typosquatting or伪装 legitimate services (e.g., login.teamicrosoft.com, live.ong, googleoba.servequake.com). SOC teams should prioritize these for DNS Sinkholing.
File Hashes (SHA256): Multiple unique hashes for loaders, RATs, and backdoors. These should be blocked in EDR solutions and scanned in historical SIEM data.
URLs: Direct download links to scripts (.sh) and GitHub releases. These indicate a web delivery mechanism that can be blocked by Secure Web Gateways (SWG).
Operationalization: Utilize threat intelligence platforms (TIP) to auto-push these IOCs to firewalls and EDR. Focus heavily on the *.top and suspicious .com domains associated with Woodgnat and the credential theft domains from JINX-0164.

Detection Engineering

Sigma Rules

YAML

title: Potential Woodgnat Mistic Backdoor Sideloading Activity
description: Detects suspicious DLL side-loading patterns often associated with Woodgnat Mistic backdoor execution involving legitimate Windows binaries loading unsigned DLLs from user profile directories.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667c71b07d04d90d24c28418
tags:
    - attack.defense_evasion
    - attack.t1574.001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - '.dll'
    selection_path:
        CommandLine|contains:
            - '\AppData\Roaming\'
            - '\AppData\Local\'
    filter_legit:
        - Signed: 'true'
    condition: selection_img and selection_cli and selection_path and not filter_legit
falsepositives:
    - Legitimate software installation
level: high
---
title: Kimsuky KimJongRAT GitHub Delivery Mechanism
description: Detects potential KimJongRAT infection vectors involving the download of ZIP archives or scripts from GitHub.com initiated by command-line interpreters following a user interaction.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6678f5e8e03f565d7e38e426
tags:
    - attack.initial_access
    - attack.t1566.001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\outlook.exe'
            - '\chrome.exe'
            - '\firefox.exe'
    selection_cli_tool:
        Image|endswith:
            - '\powershell.exe'
            - '\curl.exe'
            - '\bitsadmin.exe'
    selection_github:
        CommandLine|contains:
            - 'github.com'
            - 'api.github.com'
    selection_archive:
        CommandLine|contains:
            - '.zip'
            - '.7z'
    condition: selection_parent and selection_cli_tool and selection_github and selection_archive
falsepositives:
    - Legitimate developer workflows
level: medium
---
title: JINX-0164 Credential Harvesting Domain Connections
description: Detects network connections to domains known to be used by JINX-0164 for credential harvesting via fake Microsoft Teams or login portals.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667b537e09e93766dd614530
tags:
    - attack.credential_access
    - attack.t1059.001
    - detection.emerging_threats
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'teamicrosoft.com'
            - 'live.us.org'
            - 'driver-updater.net'
    condition: selection
falsepositives:
    - None
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for Woodgnat, JINX-0164, and Kimsuky IOCs
let IOCs = dynamic([
    "mail.authorized-logins.net", "mueleer.com", "grande-luna.top", "driver-updater.net",
    "login.teamicrosoft.com", "104.200.67.46", "lutkdd.corpsecs.com",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"
]);
// Network Connections
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    // File Hashes
    DeviceProcessEvents
    | where SHA256 in (IOCs)
    | project Timestamp, DeviceName, FileName, SHA256, InitiatingProcessAccountName
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell

<#
.SYNOPSIS
    IOC Hunter for Woodgnat, JINX-0164, and Kimsuky campaigns.
.DESCRIPTION
    Scans the file system for specific SHA256 hashes associated with Mistic, AUDIOFIX, and KimJongRAT.
#>

$TargetHashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic/Loader
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # AUDIOFIX/MINIRAT
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", # KimJongRAT
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"  # KimJongRAT
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "[+] Starting hunt for APT/IAB malware hashes..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..." -ForegroundColor Gray
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { !$_.PSIsContainer } | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -in $TargetHashes) {
                Write-Host "[!] ALERT: Malicious file found: $($_.FullName)" -ForegroundColor Red
                Write-Host "    Hash: $Hash" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

Immediate (0-24h)

Block IOCs: Immediately block all listed domains and IPs on perimeter firewalls and proxies.
Scan for Malware: Run the provided PowerShell script or equivalent EDR query to locate the malicious file hashes on endpoints.
Isolate Victims: If infections are detected (e.g., Mistic or KimJongRAT), isolate affected hosts from the network to prevent lateral movement or C2 communication.

Short-term (24-48h)

Credential Audit: Given the credential-stealing nature of AUDIOFIX and Woodgnat, force a password reset for users who may have interacted with phishing emails or visited the malicious domains.
Threat Hunt: Expand the hunt to look for DLL sideloading behavior patterns in AppData directories and any recent PowerShell connections to GitHub.

Long-term (1 Week+)

Developer Hardening: Restrict the use of personal GitHub accounts and enforce strict review policies for NPM packages and CI/CD pipelines to mitigate JINX-0164 tactics.
Supply Chain Controls: Implement application allowlisting to prevent the execution of unsigned binaries in user profile directories.
Awareness Training: Update security awareness training to specifically cover LinkedIn recruiting scams and sophisticated typosquatting.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub