Sparkling Pisces is a North Korean threat actor group known for its cyberespionage operations and spear-phishing campaigns. Unit 42 researchers recently identified two new malware variants linked to this group, named KLogEXE and FPSpy. These additions to the group’s toolkit illustrate its continued development and technical capability, allowing it to compromise systems and gather intelligence effectively. The group’s early activity focused on targets within South Korea, including government agencies and think tanks, but it has since expanded its operations globally. Known for its ability to evolve its tactics, Sparkling Pisces has used multiple malware strains and infrastructure sets to avoid detection. This evolution has allowed the group to extend its reach and pose more of a threat to a wider set of targets.
A Keylogger for Espionage
KLogEXE, one of the newly discovered samples, is a keylogger capable of recording keystrokes, monitoring mouse clicks, and logging the active application on infected machines. It saves the recorded data into a local .ini file. When the file reaches a certain size, KLogEXE appends the current date to its name and sends the contents over HTTP to the command and control (C2) server using a predefined URI. KLogEXE’s authors designed the malware to blend in with system processes and execute its functions discreetly. Its origins can be traced back to previous campaigns that used a PowerShell-based keylogger, which the group distributed in a spear-phishing campaign targeting South Korean users. KLogEXE appears to be an improved version of that original tool, this time written in C++, indicating an effort by Sparkling Pisces to strengthen its techniques and improve its operational security.
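The exfiltration pattern described above (a small .ini log that is rotated with a date suffix and posted over HTTP to a fixed URI once it reaches a size threshold) is something a defender can hunt for in proxy logs. The script below is an added example written for this article, not code from Unit 42 or from the malware itself: it parses a few constructed proxy log lines (the host `c2.placeholder.test`, the path `/upload.php` and the log format are assumptions, not indicators from the report) and groups repeated POST uploads of date-stamped .ini files by client, destination and file stem, discarding uploads whose embedded date does not match the request date.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real telemetry). Fields: timestamp, client, method, host, path, bytes.
# The C2 host and upload path are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 GET cdn.example-site.test /static/app.js 41233
2024-05-01T09:03:17Z 10.0.0.12 POST c2.placeholder.test /upload.php?file=log20240501.ini 524288
2024-05-01T09:04:20Z 10.0.0.15 POST intranet.corp.test /api/report 2048
2024-05-02T09:03:40Z 10.0.0.12 POST c2.placeholder.test /upload.php?file=log20240502.ini 524300
2024-05-02T10:00:00Z 10.0.0.15 POST files.corp.test /share?name=settings19991231.ini 8192
2024-05-03T09:02:58Z 10.0.0.12 POST c2.placeholder.test /upload.php?file=log20240503.ini 524290
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<bytes>\d+)$"
)
# A file stem followed by an 8-digit date (YYYYMMDD) and the .ini extension.
DATED_INI_RE = re.compile(r"(?P<stem>[A-Za-z_\-]*)(?P<date>\d{8})\.ini$", re.IGNORECASE)


def parse_line(line: str):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def dated_ini_name(path: str):
    """Find a date-stamped .ini file name in a path segment or query value."""
    for segment in re.split(r"[/?&=]", path):
        m = DATED_INI_RE.search(segment)
        if m:
            return m.group("stem"), m.group("date")
    return None


def find_dated_ini_uploads(log_text: str, min_uploads: int = 2, min_bytes: int = 4096):
    """Group POST uploads of date-stamped .ini files by (client, host, URI, stem).

    Only groups with at least `min_uploads` entries are returned, so a single
    upload of a configuration file does not trip the check.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["bytes"] < min_bytes:
            continue
        hit = dated_ini_name(rec["path"])
        if not hit:
            continue
        stem, date = hit
        # The described behaviour appends the *current* date, so the date in the
        # name should be close to the request date; otherwise skip the entry.
        try:
            name_day = datetime.strptime(date, "%Y%m%d").date()
            req_day = datetime.strptime(rec["ts"][:10], "%Y-%m-%d").date()
        except ValueError:
            continue
        if abs((name_day - req_day).days) > 1:
            continue
        uri = rec["path"].split("?", 1)[0]
        groups[(rec["client"], rec["host"], uri, stem)].append((date, rec["bytes"]))
    return {key: uploads for key, uploads in groups.items() if len(uploads) >= min_uploads}


if __name__ == "__main__":
    for key, uploads in find_dated_ini_uploads(SAMPLE_LOG).items():
        client, host, uri, stem = key
        print(f"{client} -> {host}{uri}: {len(uploads)} dated '{stem}*.ini' uploads, "
              f"sizes {[size for _, size in uploads]}")
```

The size threshold and the near-equal upload sizes are the useful signal here: a log that is shipped every time it crosses a fixed size produces uploads of almost identical length, which is easy to alert on even when the host name changes.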
Data Collection Tool
FPSpy is a more capable piece of malware than KLogEXE, giving the attackers an array of capabilities rather than just keylogging. These include collecting system information, executing arbitrary commands, and downloading encrypted modules. One notable feature is its multithreaded design, which lets it handle separate tasks such as downloading modules and exfiltrating data to the C2 server concurrently. The malware is written as a dynamic-link library (DLL) named sys.dll, which is loaded by a custom loader designed to embed and execute the malicious code within a process on the system. FPSpy shows strong code and operational similarities to previously identified malware used by Sparkling Pisces, such as the KGHSpy backdoor. Although it was first observed in 2024, its compile timestamp appears to have been altered (timestomped), possibly to obscure its origins and make accurate attribution harder. Advanced persistent threat (APT) groups use this tactic to avoid detection and delay response measures.
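The timestomping mentioned above is a property an analyst can check directly: the COFF header of a PE file carries a 32-bit TimeDateStamp set by the linker, and it can be compared against external evidence such as the date the sample was first seen and the file's modification time. The script below is an added example written for this article (not Unit 42 code, and not derived from the FPSpy sample): it builds a constructed, non-loadable PE stub with a chosen timestamp, parses the timestamp back out, and reports the anomalies that can be established from timestamps alone. The first-seen and modification dates are assumptions chosen for the demonstration.

```python
import struct
from datetime import datetime, timezone

# Constructed reference dates for the demonstration (not from the report).
FIRST_SEEN = int(datetime(2024, 3, 1, tzinfo=timezone.utc).timestamp())
FS_MTIME = int(datetime(2024, 3, 2, tzinfo=timezone.utc).timestamp())
EPOCH_1990 = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed PE stub: a DOS header whose e_lfanew points at a PE signature
    followed by a COFF header. Enough for the parser below; not a loadable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset of "PE\0\0"
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x2002)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows the 4-byte signature, 2-byte Machine and 2-byte NumberOfSections.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestomp_findings(data: bytes, first_seen: int, fs_mtime: int, slack: int = 86400):
    """Return (timestamp, findings). Each finding is a plain-language anomaly.

    These checks catch stamps that are impossible (zero, pre-1990, or later than
    evidence of the file's existence). A stamp backdated to a plausible earlier
    date cannot be proven false from the stamp alone and needs corroboration
    from other artifacts.
    """
    ts = pe_compile_timestamp(data)
    findings = []
    if ts == 0:
        findings.append("compile timestamp is zero (stripped or deterministic build)")
    elif ts < EPOCH_1990:
        findings.append("compile timestamp predates 1990, which is implausible for a PE")
    if ts > first_seen + slack:
        findings.append("compile timestamp is later than the first-seen date")
    if ts > fs_mtime + slack:
        findings.append("compile timestamp is later than the file modification time")
    return ts, findings


# Constructed samples: one stamped in the future, one with a plausible stamp.
SUSPECT_TS = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())
CLEAN_TS = int(datetime(2023, 11, 15, tzinfo=timezone.utc).timestamp())
SUSPECT_PE = build_minimal_pe(SUSPECT_TS)
CLEAN_PE = build_minimal_pe(CLEAN_TS)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_PE), ("clean", CLEAN_PE)):
        ts, findings = timestomp_findings(blob, FIRST_SEEN, FS_MTIME)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{label}: compiled {when}; findings: {findings or 'none'}")
```

For a real sample, read the file bytes and pass the first-seen date from your own telemetry or a malware repository; the check is deliberately conservative, reporting only contradictions that the timestamps themselves establish.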
A Shared Codebase
On deeper inspection, researchers found similarities in the coding patterns of KLogEXE and FPSpy, suggesting that both malware samples were likely developed by the same author. They share a similar HTTP packet structure for data exfiltration, use the same dynamic API resolution technique to complicate static detection, and store collected data in .ini files using similar formats. The C2 infrastructure used by the two malware strains also overlaps, indicating that Sparkling Pisces operates a shared network of systems to manage its cyber operations. That infrastructure changes regularly, yet it shows clear overlap between different malware strains and campaigns. By tracking IP addresses, domains, and registrant details, researchers have been able to piece these connections together and conclude that KLogEXE and FPSpy are part of the same operational framework.
The discovery of KLogEXE and FPSpy has revealed more of Sparkling Pisces’s cyber arsenal and its growing adaptability. The group’s focus on developing new tools and improving existing ones suggests a long-term strategy to maintain an edge in cyberespionage, with targets located in South Korea, Japan, and other regions of interest. The combination of keylogging, data collection, and arbitrary command execution seen in KLogEXE and FPSpy shows a broad threat surface that requires proactive defense strategies.