Woodgnat, Kimsuky & GhostShell: Mistic Backdoor, KimJongRAT & UAV Supply Chain Attack — OTX Pulse Analysis

Security Arsenal Team
June 26, 2026
6 min read

Recent OTX Pulse data reveals a convergence of high-threat activity from distinct adversarial groups: an Initial Access Broker (IAB) linked to major ransomware operations, a persistent North Korean APT group, and a new threat actor targeting the defense industrial base.

The Woodgnat IAB is actively deploying a new stealthy backdoor, Mistic, alongside ModeloRAT and loaders like GateKeeper and D3F@ck, likely facilitating ransomware deployments for affiliates of Qilin and Black Basta. Simultaneously, Kimsuky has evolved KimJongRAT, utilizing the LOTS framework and GitHub Releases to target entities in Japan. Separately, the newly tracked GhostShell group is conducting precision supply chain attacks against Ukraine's UAV sector, deploying Vidar stealer via malicious archives impersonating the manufacturer Besomar.

Threat Actor / Malware Profile

1. Woodgnat (IAB) & Mistic Backdoor

  • Distribution: Initial access is brokered via social engineering and sideloading techniques.
  • Payload: The Mistic backdoor is deployed to establish persistent footholds, often accompanied by ModeloRAT. The chain uses loaders such as MintsLoader and D3F@ck.
  • Behavior: Functions as a stealthy backdoor, likely providing remote access and credential harvesting to prepare for ransomware deployment (e.g., Qilin, 8Base).
  • C2: Communicates with infrastructure hosted on domains like mail.authorized-logins.net and update.update-fall.com.

2. Kimsuky (APT) & KimJongRAT

  • Distribution: Phishing emails containing shortened URLs redirecting to legitimate services like GitHub Releases hosting malicious ZIP files.
  • Payload: KimJongRAT combined with MeshAgent for remote control.
  • Behavior: Information stealing (infostealer) and remote access capabilities.
  • C2: Uses domains such as lutkdd.corpsecs.com and IPs like 104.200.67.46.

3. GhostShell & Vidar Stealer

  • Distribution: Malicious archives containing decoy documents impersonating Besomar, a Ukrainian UAV manufacturer.
  • Payload: Vidar stealer.
  • Behavior: Targeted theft of sensitive credentials and data from defense and procurement networks.
  • Targets: Specifically aimed at Ukraine's UAV supply chain.

IOC Analysis

The provided indicators span multiple categories requiring immediate defensive action:

  • Network Infrastructure (C2): Domains like grande-luna.top, oeannon.com, and googleoba.servequake.com should be blocked at the perimeter and DNS layer. The IP 104.200.67.46 is a known Kimsuky C2 node.
  • File Artifacts: Multiple SHA256, MD5, and SHA1 hashes are provided for the Mistic, KimJongRAT, and Vidar payloads. EDR solutions should be tuned to flag these specific hashes on execution.
  • Operationalization: SOC teams should load the domains and IPs into their threat intelligence platform (TIP) and push them to firewalls and proxies as block lists. The file hashes should be queried against SIEM logs for historical hits within the last 30 days.
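As an added example (not from the pulse or from Security Arsenal's tooling), the sweep below runs the page's domain, IP and hash indicators over a few constructed telemetry records. It matches domains on DNS labels rather than substrings, so a subdomain of a listed C2 host is caught while a look-alike such as the constructed oeannon.company.example is not, and it normalises hash case before the lookup; the event format and field names are assumed.

```python
import ipaddress
from typing import Optional

# Indicators taken from the pulse text (domains, the Kimsuky C2 IP, a subset of the SHA256 hashes).
C2_DOMAINS = {
    "mail.authorized-logins.net", "grande-luna.top", "oeannon.com", "thomphon.com",
    "human-check.top", "update.update-fall.com", "lutkdd.corpsecs.com",
    "pxqtkc.corpsecs.com", "googleoba.servequake.com",
}
C2_IPS = {ipaddress.ip_address("104.200.67.46")}
IOC_SHA256 = {
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
}

def match_domain(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Matches on DNS labels, not substrings, so 'oeannon.company.example' is not flagged."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None

def sweep(events: list[dict]) -> list[tuple[str, str]]:
    """Return (event_id, indicator) pairs for every event that touches a listed IOC."""
    hits = []
    for ev in events:
        if "query" in ev and (d := match_domain(ev["query"])):
            hits.append((ev["id"], d))
        if "dst_ip" in ev and ipaddress.ip_address(ev["dst_ip"]) in C2_IPS:
            hits.append((ev["id"], ev["dst_ip"]))
        # EDR tools often emit upper-case hex; normalise before the set lookup
        if "sha256" in ev and ev["sha256"].lower() in IOC_SHA256:
            hits.append((ev["id"], ev["sha256"].lower()))
    return hits

# Constructed sample telemetry (not real observations): DNS queries, TCP connects, a file hash.
SAMPLE_EVENTS = [
    {"id": "e1", "query": "cdn.grande-luna.top."},    # subdomain of a listed C2 domain
    {"id": "e2", "query": "oeannon.company.example"},  # substring look-alike, must NOT match
    {"id": "e3", "dst_ip": "104.200.67.46"},           # Kimsuky C2 IP from the pulse
    {"id": "e4", "dst_ip": "10.0.0.5"},                # benign internal address
    {"id": "e5", "sha256": "3F797A639BC855BC6D5471F327924B62D10900DDEC49B970ECA6604142BBB4BE"},
]

if __name__ == "__main__":
    for event_id, indicator in sweep(SAMPLE_EVENTS):
        print(f"HIT {event_id}: {indicator}")
```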

Detection Engineering

YAML
---
title: Potential Woodgnat Mistic Backdoor Sideloading Activity
id: 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
description: Detects suspicious process execution patterns indicative of sideloading techniques associated with Woodgnat and the Mistic backdoor using common loaders like MintsLoader or D3F@ck.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/woodgnat-mistic/
tags:
    - attack.persistence
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
        CommandLine|contains:
            - '.dll'
            - 'Control_RunDLL'
    condition: selection
falsepositives:
    - Legitimate software installation
level: high
---
title: Kimsuky KimJongRAT GitHub Distribution Vector
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects processes downloading potentially malicious archives from GitHub, a technique recently observed by Kimsuky distributing KimJongRAT.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/kimsuky-kimjongrat/
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains: 'github.com'
        DestinationPort: 443
    filter:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate developer activity
level: medium
---
title: GhostShell Vidar Stealer C2 Communication
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
description: Detects network connections to domains associated with the GhostShell campaign and Vidar stealer infrastructure targeting the Ukraine UAV supply chain.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/ghostshell-vidar/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'besomar'
            - 'vidar'
    condition: selection
falsepositives:
    - Unknown
level: critical


kql
// Hunt for Woodgnat, Kimsuky, and GhostShell IOCs in Network Events
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "mail.authorized-logins.net", 
    "grande-luna.top", 
    "oeannon.com", 
    "thomphon.com", 
    "human-check.top", 
    "update.update-fall.com", 
    "lutkdd.corpsecs.com", 
    "pxqtkc.corpsecs.com", 
    "googleoba.servequake.com"
)
or RemoteIP == "104.200.67.46"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for Malicious File Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName


powershell
# IOC Hunt Script for Woodgnat, Kimsuky, and GhostShell
# Requires Administrator privileges

$IOC_Hashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
)

$IOC_Domains = @(
    "mail.authorized-logins.net",
    "grande-luna.top",
    "oeannon.com",
    "thomphon.com",
    "human-check.top",
    "update.update-fall.com",
    "lutkdd.corpsecs.com",
    "pxqtkc.corpsecs.com",
    "googleoba.servequake.com"
)

Write-Host "[*] Scanning for malicious file hashes..."
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    # Hash regular, non-empty files only (directories make Get-FileHash fail) and hash each file once.
    # Get-FileHash returns upper-case hex; -contains compares case-insensitively, so the lower-case list matches.
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and $IOC_Hashes -contains $Hash) {
            [PSCustomObject]@{ FullName = $_.FullName; SHA256 = $Hash }
        }
    }
}

Write-Host "[*] Checking DNS Cache for C2 domains..."
$DNS_Cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $IOC_Domains) {
    $DNS_Cache | Where-Object { $_.Entry -like "*$Domain*" } | Select-Object Entry, Data, TimeToLive
}

Write-Host "[*] Checking for established connections to C2 IPs (104.200.67.46)..."
Get-NetTCPConnection -RemoteAddress "104.200.67.46" -ErrorAction SilentlyContinue | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Response Priorities

Immediate (0-4 hours):

  • Block all listed IOCs (domains, IPs, and file hashes) on perimeter firewalls, proxies, and EDR policies.
  • Isolate any endpoints returning positive hits for the provided SHA256 hashes.
  • Block outbound access to github.com for generic non-development workstations if Kimsuky targeting is a concern.

24 Hours:

  • Conduct credential resets for accounts active on endpoints where Vidar or Mistic backdoor activity was detected (credential theft risk).
  • Review logs for evidence of the "Besomar" themed decoy documents in email gateways (targeting defense sector).
  • Hunt for persistent scheduled tasks or registry keys associated with "ModeloRAT" and "MintsLoader".

1 Week:

  • Implement application control to block unsigned DLLs often used in sideloading attacks (Woodgnat vector).
  • Enhance email filtering to block archives containing documents referencing UAV specifications or defense procurement.
  • Review supply chain access controls for third-party vendors in the defense sector.
