Skip to content

Hide Navigation Hide TOC

DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3)

DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: S2W_DocSwap_Mar2025)

Cluster A Galaxy A Cluster B Galaxy B Level
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Execution Guardrails - T1627 (498e7b81-238d-404c-aa5e-332904d63286) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 1
DocSwap - S9005 (3dbef387-12df-4547-9dd3-075c7ffec9e3) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 2
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) Attack Pattern File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 2
Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14) Attack Pattern Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 2
Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern 2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 2