AhnLab Security Emergency Response Center (ASEC) has documented, in a report published on the ASEC Blog, the Kimsuky threat group's abuse of Google Chrome Remote Desktop as a remote control channel, adding to an established toolkit of the AppleSeed backdoor, Meterpreter, a custom VNC, RDP Wrapper and Ngrok. The addition shows an expanding remote access strategy aimed at persistent GUI-level control of infected South Korean systems through a mix of proprietary malware and legitimate commercial tools.
Initial Access: AppleSeed via WSF/JS Script Droppers
The campaign is distributed through spear phishing emails whose attachments pose as legitimate Hangul (HWP) or MS Office documents and as CHM files. Script malware (WSF, JS) acts as the first-stage dropper: it uses PowerShell to decode AppleSeed to disk and then launches it with regsvr32.exe /s /n /i:123qweASDZXC C:\Windows\..\ProgramData\o5C2anK.efgL. Here /s suppresses dialogs, /n skips DllRegisterServer and /i passes the string 123qweASDZXC to the DLL's DllInstall export. That string is an execution condition: AppleSeed does nothing unless it receives it, which makes it a rudimentary gate against sandboxes and analysts who run the DLL without the original command line. Two further details matter for detection: the ".." in the path means the module actually loaded is C:\ProgramData\o5C2anK.efgL, and the file carries a .efgL extension rather than .dll, so rules that key only on the literal path or on the extension miss it. Two AppleSeed instances were observed in this campaign, both communicating over HTTP, stored at %APPDATA%\Adobe\Service\AdobeService.dll and %APPDATA%\EastSoft\Control\Service\EastSoftUpdate.dll.
Post-Compromise: Multi-Browser Credential Theft
After AppleSeed establishes initial access, Kimsuky deploys an infostealer that collects saved credentials from three web browsers at once, an evolution from earlier Chrome-only variants. Stolen credentials are written to disk in separate database files: Google Chrome to C:\ProgramData\Adobe\ch.db, Microsoft Edge to ed.db, and Naver Whale (widely used in South Korea) to nw.db. The same stealer has been used continuously since it was first identified, rather than being replaced by updated variants, a pattern consistent with Kimsuky's practice of long-running tool reuse.
RDP Patcher: Enabling Covert Simultaneous RDP Access
Client editions of Windows allow only one interactive session at a time, so an attacker logging in over RDP would disconnect the victim's console session and leave them at the lock screen, which is noticed immediately. Kimsuky's RDP Patcher malware avoids this by patching, in memory, the Remote Desktop Service (termsrv.dll loaded in svchost.exe) so that multiple sessions can be active simultaneously, the same approach as Mimikatz's ts::multirdp command but with added Windows XP support. Because the patch is applied to the running process rather than to the file or the registry, the on-disk termsrv.dll and the Terminal Server registry settings look untouched, and the patch has to be reapplied after every reboot; the observable artifact is the behaviour itself, a console session and an RDP session both active at once. The currently observed variant is x64-only and carries the PDB path E:\00.duty\03.source\01.pc\pc-engine\hope\x64\Release\hp_aux_multirdp.pdb, pointing to in-house development.
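Since the patch leaves no file or registry trace, the practical check is behavioural. The following is an added example (not ASEC's code and not the malware's) that parses the output of the built-in `query session` command and flags what an unpatched client edition of Windows cannot produce: more than one Active interactive session, or a console session still Active while an rdp-tcp#N session is Active. The two outputs it runs on are constructed in that command's column layout; the user names and session IDs are placeholders.

```python
"""Detect the effect of an in-memory multi-RDP patch from session state.

Added example, not ASEC's or Kimsuky's code. A client edition of Windows
allows one interactive session at a time, so a console session and an
rdp-tcp#N session that are both Active is the anomaly to alert on.
"""
import re
from dataclasses import dataclass


@dataclass
class Session:
    name: str        # console, rdp-tcp#N, services, or the rdp-tcp listener
    user: str        # empty for listeners and the services session
    session_id: int
    state: str       # Active, Disc, Conn, Listen


# Row layout: SESSIONNAME [USERNAME] ID STATE ...; a leading '>' marks the caller's own session.
# The header row has no numeric ID, so it never matches and is skipped.
_ROW = re.compile(r"^[> ]?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)")


def parse_query_session(output: str) -> list[Session]:
    """Parse `query session` text into Session records."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Session(m.group(1), m.group(2) or "", int(m.group(3)), m.group(4)))
    return rows


def multi_rdp_anomalies(sessions: list[Session], max_interactive: int = 1) -> list[str]:
    """Return findings; max_interactive is 1 for client editions of Windows."""
    active = [s for s in sessions if s.state.lower() == "active" and s.user]
    findings = []
    if len(active) > max_interactive:
        who = ", ".join(f"{s.user}@{s.name}" for s in active)
        findings.append(f"{len(active)} simultaneous Active sessions (limit {max_interactive}): {who}")
    console = [s for s in active if s.name.lower() == "console"]
    rdp = [s for s in active if s.name.lower().startswith("rdp-tcp#")]
    if max_interactive == 1 and console and rdp:
        findings.append(f"console user {console[0].user} still Active while {rdp[0].user} is Active over RDP; "
                        "an unpatched host would have disconnected the console session")
    return findings


# Constructed sample: a patched host, alice at the keyboard and bob connected over RDP at the same time.
PATCHED = """ SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           alice                     1  Active
 rdp-tcp#5         bob                       2  Active
 rdp-tcp                                 65536  Listen
"""

# Constructed sample: normal behaviour, the console was disconnected when alice logged in over RDP.
NORMAL = """ SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#1         alice                     2  Active
 rdp-tcp                                 65536  Listen
"""

if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("normal", NORMAL)):
        print(label, multi_rdp_anomalies(parse_query_session(text)) or ["no anomaly"])
```

On a server edition that legitimately hosts several sessions, raise max_interactive to the licensed limit; the console-plus-RDP check only applies where a single interactive session is the rule. A complementary host check is to compare the code section of termsrv.dll as mapped in the svchost.exe process with the file on disk, which is how the Mimikatz-style patch shows up directly.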
Ngrok: Reaching Systems Behind NAT
Where an infected system sits behind NAT, so that no inbound RDP connection is possible, Kimsuky deploys Ngrok, a tunneling tool that publishes a local port on a public ngrok endpoint, through an AppleSeed command; the binary is dropped as svchost.exe in the ProgramData folder. The name is a weak disguise: the genuine svchost.exe lives only under System32 and SysWOW64 and is started by services.exe, so a svchost.exe in ProgramData is itself a high-confidence indicator. Together, RDP Patcher (for invisible multi-user access) and Ngrok (for NAT traversal) give Kimsuky reliable remote desktop access across diverse network topologies.
Chrome Remote Desktop: A New Legitimate-Tool Abuse Vector
The most significant new development in this campaign is the abuse of Google's Chrome Remote Desktop. AppleSeed delivers a PowerShell command that runs the Chrome Remote Desktop Host installer, followed by a batch script (23.bat) that completes the host setup. Registering a host binds it to a Google account, so the attacker performs that step with their own account and a PIN chosen during setup; the compromised system then shows up as online in the attacker's browser at remotedesktop.google.com and can be opened by entering the PIN. Because sessions are brokered by Google's own authenticated infrastructure, the traffic consists of TLS connections to Google endpoints rather than to an attacker-controlled server, which makes network-level detection considerably harder than for custom VNC or tunneled RDP. Host-side artifacts are more reliable: the Chrome Remote Desktop service (service name chromoting, running remoting_host.exe) on a machine where it was never sanctioned, and the remoting_start_host.exe invocation with an OAuth --code= argument that the headless setup uses.
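The three launch patterns on this page, the regsvr32 /i: gate for AppleSeed, the Ngrok binary posing as svchost.exe, and the headless Chrome Remote Desktop host enrollment, all surface in process-creation telemetry. The block below is an added example (not ASEC's code and not the malware's) of rules over Sysmon Event ID 1 / 4688-style events that covers all three. The events are constructed; the OAuth code and host name are placeholders, C:\Windows is assumed as the system root, and the Chrome Remote Desktop install path is the one Google's own headless-setup instructions use, although the rule keys on the binary name rather than the path.

```python
"""Process-creation detections for the launch patterns described on this page.

Added example (not ASEC's or Kimsuky's code). Three rules over
Sysmon/4688-style events:
  1. regsvr32 /i:<gate> launching a module that resolves outside the system
     directories, through a '..' path, or without a .dll extension (AppleSeed);
  2. svchost.exe running outside System32/SysWOW64 or not started by
     services.exe (Ngrok renamed to svchost.exe);
  3. remoting_start_host.exe with an OAuth --code= argument, i.e. a Chrome
     Remote Desktop host being bound to whichever Google account issued the code.
"""
import ntpath
import re
from typing import Iterable

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumes %SystemRoot% = C:\Windows
_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def normalize(path: str) -> str:
    """Collapse '.' and '..' and lower-case, so C:\\Windows\\..\\ProgramData\\x becomes c:\\programdata\\x."""
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    return ntpath.dirname(normalize(path)) in SYSTEM_DIRS


def check_regsvr32(image: str, args: list[str]) -> list[str]:
    """Flag regsvr32 DllInstall (/i:) launches whose module looks nothing like a system DLL."""
    if ntpath.basename(image).lower() != "regsvr32.exe":
        return []
    gate = [a for a in args[1:] if a.lower().startswith(("/i:", "-i:"))]
    modules = [a for a in args[1:] if not a.startswith(("/", "-"))]
    if not gate or not modules:
        return []
    module = modules[-1]
    reasons = []
    if ".." in module:
        reasons.append(f"traversal path resolves to {normalize(module)}")
    if ntpath.splitext(module)[1].lower() != ".dll":
        reasons.append("module extension is not .dll")
    if not in_system_dir(module):
        reasons.append("module outside system directories")
    return [f"regsvr32 DllInstall gate {gate[0]}: " + "; ".join(reasons)] if reasons else []


def check_svchost_masquerade(image: str, parent: str) -> list[str]:
    """Genuine svchost.exe lives only in System32/SysWOW64 and is started by services.exe."""
    if ntpath.basename(image).lower() != "svchost.exe":
        return []
    reasons = []
    if not in_system_dir(image):
        reasons.append(f"svchost.exe running from {ntpath.dirname(normalize(image))}")
    if ntpath.basename(parent).lower() != "services.exe":
        reasons.append(f"parent is {ntpath.basename(parent)}, not services.exe")
    return ["svchost.exe masquerade (Ngrok-style): " + "; ".join(reasons)] if reasons else []


def check_crd_enrollment(image: str, args: list[str]) -> list[str]:
    """remoting_start_host.exe --code=<oauth code> binds this host to the account that issued the code."""
    if ntpath.basename(image).lower() != "remoting_start_host.exe":
        return []
    if any(a.lower().startswith("--code=") for a in args[1:]):
        name = next((a.split("=", 1)[1] for a in args[1:] if a.startswith("--name=")), "?")
        return [f"Chrome Remote Desktop headless enrollment of host '{name}' with an OAuth code"]
    return []


def analyze(events: Iterable[dict]) -> list[dict]:
    """Run every rule over each event; returns one record per finding."""
    findings = []
    for ev in events:
        args = split_cmdline(ev["CommandLine"])
        hits = (check_regsvr32(ev["Image"], args)
                + check_svchost_masquerade(ev["Image"], ev.get("ParentImage", ""))
                + check_crd_enrollment(ev["Image"], args))
        findings.extend({"image": ev["Image"], "finding": h} for h in hits)
    return findings


# Constructed events: three malicious (from the page's command lines) and two benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /i:123qweASDZXC C:\Windows\..\ProgramData\o5C2anK.efgL",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe tcp 3389",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe",
     "CommandLine": r'"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" '
                    r"--code=4/PLACEHOLDER --redirect-url=https://remotedesktop.google.com/_/oauthredirect --name=WIN-VICTIM",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["image"], "->", f["finding"])
```

The path normalisation is the part worth copying: a rule that matches the literal string C:\ProgramData\ never sees C:\Windows\..\ProgramData\, while a rule that normalises first catches both and also resolves where the module really lives.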