FPSpy (Backdoor) – Malware

March 2, 2025

FPSpy

Type of Malware

Backdoor

Country of Origin

North Korea

Targeted Countries

South Korea
Japan
United States

Date of Initial Activity

2024

Associated Groups

APT43

Motivation

Data Theft
Espionage
Cyberwarfare

Type of Information Stolen

Login Credentials
System Information
Communication Data

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

FPSpy is a sophisticated malware variant linked to the North Korean APT group Sparkling Pisces, also known as Kimsuky. Initially discovered in 2024, FPSpy has gained attention for its stealthy nature and ability to evade detection, continuing the group’s history of employing highly advanced and evolving cyberattack techniques. This malware represents a notable shift in Sparkling Pisces’s toolkit, with FPSpy functioning as a multi-purpose backdoor that not only compromises systems but also exfiltrates valuable data. By leveraging new methods to infiltrate networks and collect intelligence, FPSpy expands the capabilities of Sparkling Pisces and adds to their growing arsenal of malware.

At its core, FPSpy is a Dynamic Link Library (DLL) file that is dropped onto compromised systems and loaded by a custom loader. This DLL, called sys.dll, is designed to perform a variety of malicious functions, including data theft, surveillance, and facilitating further attacks. One of the key features of FPSpy is its ability to execute multiple stages of malicious activity, ranging from initial infiltration to sustained access and data exfiltration. This makes it a versatile tool for the group, allowing them to carry out extensive cyber espionage campaigns over long periods of time without detection. Its presence in multiple operations further solidifies FPSpy’s role in Sparkling Pisces’s ongoing cyberattack efforts.

Targets

Educational Services
Public Administration
Information
Manufacturing

How they operate

The first step in FPSpy’s operation is its installation. The malware is typically dropped onto a system by an infected executable or loader, which places the sys.dll file in the C:\Users\user\AppData\Local\Microsoft\WPSOffice\ folder. This location is deliberately chosen to blend in with legitimate software, reducing the chances of detection. The loader then loads the sys.dll file into memory, where it becomes fully operational. The loader’s code is designed to bypass security measures by using techniques like timestomping, which alters the file creation timestamp to obscure the true origin of the malware, further complicating forensic efforts.

Once loaded, FPSpy begins its core operations. One of its most notable features is its ability to communicate with a command and control (C2) server. The malware uses this connection to receive instructions and exfiltrate stolen data, often bypassing traditional network defenses. The C2 server for FPSpy is hard-coded into the malware, making it easy for the threat actors to maintain consistent communication with the infected machine. This persistent communication allows the attacker to control the compromised system remotely, enabling them to execute additional payloads or commands, thus enhancing the malware’s functionality.

FPSpy’s operational capabilities go beyond simple backdoor access. The malware is equipped with a variety of features that facilitate its surveillance and exfiltration tasks. For instance, FPSpy can collect sensitive information from the compromised machine, such as keystrokes, screenshots, or other data that can be useful for the attacker. It stores this data in specific files, such as the Param.ini file, which is used to store configuration data about the infected device. This file is then exfiltrated to the C2 server, where it can be analyzed by the threat actors.

One of the key characteristics that sets FPSpy apart from other malware is its modular design. The malware is capable of downloading and executing additional malicious modules from the C2 server, allowing it to adapt and evolve based on the attacker’s objectives. This modularity not only enhances the malware’s flexibility but also makes it harder to detect and mitigate, as each infected system may behave differently depending on the modules it has received. This ability to deploy new functionality on demand is a hallmark of the ongoing evolution of Sparkling Pisces’s cyber espionage operations.

In conclusion, FPSpy is a highly sophisticated malware tool that leverages advanced techniques for maintaining persistence, stealing data, and carrying out cyber espionage activities. Its ability to operate stealthily and adapt to the needs of the attacker makes it a significant threat. Organizations should remain vigilant against such threats by employing advanced security measures that can detect and block malicious behavior, even when the malware uses evasion techniques like timestomping and modular execution. The continued evolution of FPSpy highlights the growing sophistication of APT groups like Sparkling Pisces and underscores the need for robust defense mechanisms in today’s cybersecurity landscape.
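A defender-side triage check for the drop location and timestomping indicator described above, written here as an added example (not code from this page or from the report it cites): it flags sys.dll or Param.ini under the WPSOffice folder and, as a labelled heuristic of our own, any file whose creation time predates its parent directory. The FileRecord layout and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Drop directory and artefact names from the description above; drive letter
# and user profile portion differ per host.
DROP_DIR_SUFFIX = r"\appdata\local\microsoft\wpsoffice"
ARTEFACT_NAMES = {"sys.dll", "param.ini"}

@dataclass
class FileRecord:
    """Minimal file metadata as a collector would report it (constructed)."""
    path: str
    created: datetime         # creation timestamp reported by the OS
    parent_created: datetime  # creation timestamp of the containing directory

def is_fpspy_drop_artefact(path: str) -> bool:
    """True for sys.dll or Param.ini inside the WPSOffice folder."""
    directory, _, name = path.lower().rpartition("\\")
    return directory.endswith(DROP_DIR_SUFFIX) and name in ARTEFACT_NAMES

def looks_timestomped(rec: FileRecord, slack: timedelta = timedelta(minutes=1)) -> bool:
    """Heuristic (our assumption, not a rule from the report): a file whose
    creation time predates its own parent directory was either moved there or
    had its timestamp altered, the pattern a dropper leaves when it creates
    WPSOffice\\ and then backdates sys.dll."""
    return rec.created + slack < rec.parent_created

def triage(records):
    """Return (path, [reasons]) for every record that trips a heuristic."""
    findings = []
    for rec in records:
        reasons = []
        if is_fpspy_drop_artefact(rec.path):
            reasons.append("FPSpy artefact name in WPSOffice drop directory")
        if looks_timestomped(rec):
            reasons.append("creation time predates parent directory (possible timestomping)")
        if reasons:
            findings.append((rec.path, reasons))
    return findings

# Constructed sample telemetry, not real host data.
T0 = datetime(2024, 9, 10, 10, 0)
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\user\AppData\Local\Microsoft\WPSOffice\sys.dll",
               datetime(2019, 3, 4, 8, 0), T0),  # backdated below its own folder
    FileRecord(r"C:\Users\user\AppData\Local\Microsoft\WPSOffice\Param.ini",
               T0 + timedelta(minutes=5), T0),   # timestamps consistent
    FileRecord(r"C:\Windows\System32\kernel32.dll",
               datetime(2023, 6, 1), datetime(2019, 12, 7)),  # benign system file
]
```

On a live Windows host the records can be filled from a directory walk with os.stat, where the creation time is st_birthtime (Python 3.12 and later) or st_ctime on older versions; the directory-versus-file comparison is a triage hint, not proof, since legitimate moves and restores also trip it.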
References
  • Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy