ThreatConnect Research Roundup: Kimsuky “AutoUpdate” Malware

June 19 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

  • Kimsuky “AutoUpdate” Malware
  • Mustang Panda PlugX
  • “deviceupdate” Domains
  • “msupdate” Domains
  • Zoom Phish
  • Tor2Mine
  • Emotet

Roundup Highlight: Kimsuky AutoUpdate Malware

Our highlight in this Roundup is Incident 20200616A: Suspected Kimsuky “AutoUpdate” Malware. ThreatConnect Research identified a malware sample suspected to be associated with Kimsuky (a DPRK-based group) because its behaviors are similar to those of a sample reported on the ESTsecurity ALYac Blog.

The blog above describes recent activity related to a campaign first seen in December of 2019 dubbed Operation Blue Estimate. One of the files observed in this attack, C315DE8AC15B51163A3BC075063A58AA, was identified as a downloader in ESTsecurity’s analysis.

Based on the string deobfuscation routine and URL parameters observed in the file above, our team identified an additional file, FF0DDDC847825F13001B08661B2C7D0D, along with the hard-coded C2 domain dept-dp.lab.hol[.]es.

ThreatConnect Research Team Intelligence:

Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20200610A: File Matching YARA Rule Associated to Mustang Panda PlugX. ThreatConnect Research identified possible Mustang Panda PlugX malware based on similarity to PlugX samples reported on the Lab52 blog.
  • 20200617A: Suspicious “deviceupdate” Domains Registered Through MonoVM. ThreatConnect Research identified two domains that were registered through MonoVM on June 15 2020.
  • 20200511A: Suspicious “msupdate” Domains Registered Through Njalla. ThreatConnect Research identified three “msupdate” themed domains that were registered at essentially the same time through Njalla on May 9 2020.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

  • Zoom Phish Zooming Through Inboxes Amid Pandemic (Source:
  • Tor2Mine is up to their old tricks — and adds a few new ones (Source:
  • Emotet C2 and RSA Key Update – 06/15/2020 17:00 (Source:
  • Threat Roundup for June 5 to June 12 (Source: