On February 8, 2024, the Medium account of S2W threat research and intelligence center Talon published a report concerning research that had been carried out throughout the last month. S2W identified a recent campaign deploying a novel backdoor - dubbed "Troll Stealer" - against South Korean governmental organizations. The events were attributed to North Korean state-sponsored actor, likely Kimsuky Group, based on commonality with the Kimsuky-attributed AlphaSeed backdoor.
The report offers no specifics on the intrusion method; the research was carried out based on malware samples uploaded onto Virus Total. The malware was reportedly disguised as security software including TrustPKI and REDBC NX_PRNMAN, and presented a valid certificate signed by D2innovation, a South Korean company whose certificate was likely stolen.
While the malware demonstrates extensive capabilities, including stealing browser data, authentication method for a variety of services including SSH, file sharing systems, and screen captures, the backdoor appears to have been used specifically to target and exfiltrate the Government Public Key Infrastructure (GPKI) folder on infected systems. This observation enables researchers to hypothesize Troll Stealer was used within an espionage campaign with the broader target to attack public administration and government organization, potentially with the objective to achieve a broader intrusion across various organization relying on GPKI.