#Pebbledash
Preview
Pebble Dash was not Wright’s Idea (Part 2) It was Arthur Richards, Wright’s partner-developer from 1916-1917, who decided to cover the American System-Built Homes (ASBH) in Magnesite pebbles, not Frank Lloyd Wright. And where does one…

The #pebbledash on #franklloydwright’s #americansystembuilthomes was one of two types of #magnesite, purchased against Wright’s wishes, and shipped from far, far away. elizabethmurphyhouse.com/2026/01/09/p...

0 0 0 0

@hiddenbayrec.bsky.social @elainehowley.bsky.social
#pebbledash #shakinghand #vemberlain #eatgirls

0 0 0 0
O The Wind
O The Wind YouTube video by Pebbledash - Topic

Schizophonica track of the day, December 24th 2025
Pebbledash - O The Wind

It's good to listen :) xxx

youtu.be/EX6TOz_M9cA

#trackoftheday #Pebbledash

1 0 0 0
list of songs on yellow background

What songs jump out to YOU?
🚨All the great songs on the #NovaGuestlist: including a #Pebbledash review, #AnamoeDrive chats, + 1st plays for @affectiontorent.bsky.social & #TheScratch;☘️
📻Listen back now on www.nova.ie/radio-schedu... or 6pm Sundays on @radionova100.bsky.social! #Speirgorm

2 0 1 0
purple background 80's band photo of my bloody valentine


🚨On Tonight's FULL #NovaGuestlist:
💽Classic LPs #MyBloodyValentine & #Sinead;
📞 #AnamoeDrive Chats!
🎪 #Pebbledash Live Review;
🔥NEW #TheScratch & @affectiontorent.bsky.social;
☘️+ #CABL #Cliffords @murdercapital.bsky.social #TheRosecaps;
📻LIVE @radionova100.bsky.social NOW-what do YOU need to hear?

7 0 1 0
Post image

ALBUM OF WEEK is Cosplay by #sorry; among today's other new releases we note @portugaltheman.bsky.social #voyeur #insecuremen #mountaingoats @thedears.bsky.social #pebbledash #h.pruz #twen @thesaxophones.bsky.social #screensaver #olanmonk #ficklefriends #hydroplane #unflirt #thecindys #midlake....

0 0 0 0
Preview
Isn't It Always, by Pebbledash from the album To Cast The Sea In Concrete


🇺🇦 #NowPlaying on #BBC6Music's #NewMusicFix

Pebbledash:
🎵 Isn't It Always

#6music #Pebbledash
#newRelease - 🆕 album

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song/Cover on #Bandcamp:

0 0 0 0
Post image

ALBUM OF THE DAY: PEBBLEDASH – To Cast the Sea in Concrete
The album lets the listener carry tradition and punk along at the same time; staying true to their noise and shoegaze roots, perfectly complemented by Irish folk, #pebbledash hit the mark once again.

1 0 0 1
Post image

What song jumps out to YOU?🥰
🚨All the great songs on the #NovaGuestlist, including a #GillaBand live review, & 1st plays for #Pebbledash, @saolsongs.bsky.social, & #InAthens!☘️
📻Listen back now on www.nova.ie/radio-schedu... or 6pm Sundays on @radionova100.bsky.social ! #speirgorm

2 0 0 0
Preview
O, The Wind, by Pebbledash from the album To Cast The Sea In Concrete


🇺🇦 #NowPlaying on #BBC6Music's #NewMusicFix

Pebbledash:
🎵 O The Wind

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song/Cover on #Bandcamp:

1 0 0 0
Preview
O, The Wind, by Pebbledash from the album To Cast The Sea In Concrete


🇺🇦 #NowPlaying on #BBC6Music's #ChrisHawkins

Pebbledash:
🎵 O, The Wind

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song/Cover on #Bandcamp:

1 0 0 0
Post image

🚨On the #NovaGuestlist ALL-IRISH HOUR:☘️🇮🇪
💎Classics by #MBVofficial #THEM #CathyDavey & #AnEmotionalFish;
🎤Emma reviews #GillaBand in @whelanslive;
🔥NEW @saolsongs.bsky.social #InAthens & #Pebbledash;
📻ALL Irish on @radionova100.bsky.social now! #Speirgorm

0 0 1 0
Post image Post image Post image Post image

🚨On Tonight's NOISY #NovaGuestlist:

💽Classic LPs by @pjharvey.net & #SmashingPumpkins;
🎪 #GillaBand LIVE review;
🔥NEW @saolsongs.bsky.social #InAthens & #Pebbledash;
☘️+ @cmatbaby.bsky.social @themonthapril.bsky.social;
📻LIVE on @radionova100.bsky.social now- What do YOU need to hear? #Speirgorm

4 0 1 0
Preview
O The Wind Pebbledash · O The Wind · Song · 2025


🇺🇦 #NowPlaying on #BBC6Music's #ChrisHawkins

Pebbledash:
🎵 O, The Wind

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song on #Spotify:

0 0 0 0
Preview
Cell, by Pebbledash from the album To Cast The Sea In Concrete


🇺🇦 #NowPlaying on #BBC6Music's #AmyLamé

Pebbledash:
🎵 Cell

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song/Cover on #Bandcamp:

0 0 0 0
Video

🎶🔥 LISTEN NOW!
PEBBLEDASH – ‘Cell’ 💿 out now on USWC Rocks Radio 🌍✨

👉 usweedchannel.com/radio

@ShaneDoull @MadicynMarinaro @ScottMigdol @RandolphC83065 @Jeannie420

#USWCRocks #NewMusic #Pebbledash #NowPlaying

2 0 0 0
Carraig Aonair
Carraig Aonair YouTube video by Pebbledash - Topic

#houseofGuinness music.youtube.com/watch?v=DnBH...

#Pebbledash -
Killer Lover / Carriag Aonair

GREAT FUCKIN TRACK bby 💯

0 0 0 0
Preview
Tiles & Moss Pebbledash · Tiles & Moss · Song · 2025


🇺🇦 #NowPlaying on #BBC6Music's #AmyLamé

Pebbledash:
🎵 Tiles and Moss

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song on #Spotify:

0 0 0 0
Preview
Tiles & Moss Pebbledash · Tiles & Moss · Song · 2025


🇺🇦 #NowPlaying on #BBC6Music's #NewMusicFix

Pebbledash:
🎵 Tiles and Moss

#6music #Pebbledash
#newRelease - 🆕 single

▶️ 🆕🪄 Automagic 📻 playlist: 👉 New releases played on #Radio6Music 👈

▶️ Song on #Spotify:

1 0 0 0
Preview
Cartography, by Pebbledash track by Pebbledash


🇺🇦 #NowPlaying on #BBC6Music's #ChrisHawkins

Pebbledash:
🎵 Cartography

#6music #Pebbledash

▶️ 🪄 Automagic 🔊 show 📻 playlist on Spotify

▶️ Song on #Bandcamp:

1 0 0 0
Preview
Cartography, by Pebbledash track by Pebbledash


🇺🇦 #NowPlaying on #BBC6Music's #ChrisHawkins

Pebbledash:
🎵 Cartography

#6music #Pebbledash

▶️ 🪄 Automagic 🔊 show 📻 playlist on Spotify

▶️ Song on #Bandcamp:

0 0 0 0

"Distribution of PebbleDash Malware in March 2025" published by Ahnlab. #Kimsuky, #PebbleDash, #DPRK, #CTI https://asec.ahnlab.com/en/87621/

0 0 0 0

"Distribution Cases of PebbleDash Malware in March 2025" published by Ahnlab. #Kimsuky, #PebbleDash, #DPRK, #CTI https://asec.ahnlab.com/ko/87613/

0 0 0 0
PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Cobra) in 2020. At the time, it was known as the malware of the Lazarus group, but recently, there have been more cases of the PebbleDash malware being distributed by the Kimsuky group, who have been targeting individuals, rather than the Lazarus group.

This report will cover the latest distribution process of the PebbleDash malware by the Kimsuky group, other malware and additional modules that have been identified alongside PebbleDash. As mentioned in multiple TI reports in the past, the Kimsuky threat group is known to use an open-source RDP Wrapper along with PebbleDash for remote control. However, there have been numerous recent cases where the threat actors directly patched termsrv.dll, which performs the role of terminal services. The figure below shows the attack process using the PebbleDash malware by the Kimsuky group.

Figure 1. The latest PebbleDash attack process of the Kimsuky group

# Attack Process

## 1. Gaining Initial Access, Maintaining Persistence, and Establishing Foothold

In cases where PebbleDash is used, the threat actor’s attack process can be categorized into four main stages: initial access, persistence, establishing a foothold, and creating additional malware. First, the threat actor targets specific individuals with spear-phishing attacks to gain initial access. When a user opens the shortcut file attached to the spear-phishing email, the LNK file executes a JavaScript through the Cmdline. This JavaScript then executes PowerShell to perform tasks such as registering a task scheduler for system persistence, registering registry keys for auto-execution, and performing socket communications with Dropbox and the threat actor’s C&C server. This allows the threat actor to create backdoors, RDP tools, and other malware like PebbleDash.

Figure 2. Initial infiltration process

## 2. Installing Additional Malware for Controlling Infected PCs

When PowerShell is executed by the LNK malware, the threat actor sends additional malware and CMD commands to the infected PC through Dropbox and TCP socket communication. The threat actor uses PebbleDash and AsyncRAT to control the infected PC. The following have been identified: termsrv.dll patched for RDP connection authentication bypass, UAC bypass malware for privilege escalation, and ForceCopy utility for data exfiltration.

### 2.1. PebbleDash

Since 2021, the PebbleDash malware has been continuously used by the Kimsuky group. There are slight differences in the execution methods between the past and current versions. For example, in 2021, the threat actors executed the bait document file and PebbleDash directly using a PIF file. In the recently identified cases, the threat actors directly created advconf2.dll using PowerShell, as shown in the image below.

Figure 3. Log showing the creation of PebbleDash malware by PowerShell

After advconf2.dll is created, cmd.exe and reg.exe are used to register and execute advconf2.dll as a service. The final executed PebbleDash feature is the same as the one introduced in the AhnLab SEcurity intelligence Center (ASEC) blog in the past.

Figure 4. Registering the service-related registry key

### 2.2. UAC Bypass Malware

The Kimsuky group has been using various privilege escalation tools, mainly UACMe. They are still using multiple privilege escalation tools in 2024, but one particular type is more prevalent than the others. The threat actor only utilized the “AppInfo ALPC” technique among the UAC bypass techniques supported by UACMe to create their malware. This technique takes advantage of the fact that if a handle for a debug object of a specific process can be obtained, it can be used to gain a handle that provides full access to the said process. Logs show that this privilege escalation tool was created and executed by PowerShell in the AhnLab Smart Defense (ASD) infrastructure.

Figure 5. Creating and executing privilege escalation tool using PowerShell

Figure 6. Code routine using the AppInfo ALPC technique for privilege escalation

### 2.3. Modified termsrv.dll

The threat actor used PowerShell to add the modified termsrv.dll file to the infected PC. Upon comparison with the normal termsrv.dll, a specific function was found to be patched. According to the analysis, the function (CDefPolicy::Query) responsible for RDP license authentication was disabled. This means that any user accessing the system is allowed to establish an RDP connection.

Figure 7. Comparison values of the malicious file before and after patching in BinDiff (sub_18002F300 function mismatch)

Figure 8. Comparison of the normal and patched modules (CDefPolicy::Query function)

To replace a legitimate system DLL in the Windows path with a modified DLL, the threat actor changed the registry key value related to the RDP service.

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

As a result, the RDP service loads the %SystemRoot%\System32\termsrv.dll file by default, so the path must be changed to the modified DLL to load the tampered DLL. In addition, the threat actor used takeown.exe to change the ownership of the termsrv.dll file in the existing system path to Administrators for DLL replacement.

* takeown /F C:\Windows\System32\termsrv.dll /A

# Response Guide

## 1. Double Extension

The Kimsuky group distributes LNK malicious shortcut files disguised as normal documents by attaching a double extension to emails. For example, a file named “pdf.lnk” appears to be a PDF document, but it is actually a Windows shortcut (.lnk) file that can execute malicious scripts or programs. As such, regular users must prevent such suspicious files from being executed by verifying the actual file extension.

**[How to Enable File Extensions Display]** Open File Explorer and select the “File name extensions” checkbox in the “View” tab of the top menu, or use Group Policy in Windows settings to force the display.

## 2. Handling of Modified termsrv.dll File

The hash value must be calculated to check if the legitimate termsrv.dll file has been replaced with the malicious version. To perform this verification, run the following command in Command Prompt (Run as administrator) to calculate the hash value (MD5) of the modified file.

* certutil -hashfile C:\Windows\System32\termsrv.dll MD5

The calculated hash value is compared to “641593eea5f235e27d7cff27d5b7ca2a” and “70d92e2b00ec6702e17e266b7742bbab”. If the values are the same, it means that the file has been tampered with and needs to be replaced with the normal termsrv.dll. Windows provides the sfc program to restore normal programs. Users can restore the patched termsrv.dll to a normal program by entering the following command after executing CMD with administrator privileges:

* sfc /scannow

## 3. Hidden Administrator Account (“Root”)

If there is a suspicious account named “Root” that was not created by the administrator, the account must be disabled or removed. Run the following command in the command prompt (Run as administrator) to check the account information.

* net user

Search for accounts with suspicious names such as “Root” and suspicious creation time and attributes, excluding standard administrator accounts. If a suspicious account is found, take actions such as removing the hidden attribute and deleting/deactivating the account. Open the registry editor and navigate to the following path. Then, delete the item corresponding to the account that has been hidden.

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

This prevents the account from being used by threat actors.

* net user Root /delete

# Conclusion

While the Kimsuky group uses various types of malware, in the case of PebbleDash, they execute malware based on an LNK file by spear-phishing in the initial access stage to launch their attacks. They then utilize a PowerShell script to create a task scheduler and register it for automatic execution. Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PebbleDash. Recently, the group has moved away from their previous method of using the open-source RDP Wrapper. Instead, they have begun directly modifying the system DLL (termsrv.dll) to disable RDP authentication. This demonstrates that the Kimsuky group is continuously evolving their attack techniques to suit their target environments.

This blog post analyzed the latest distribution and execution process of the PebbleDash malware by the Kimsuky group. Considering that the group mainly targets individuals, individual users must be cautious of initial access techniques like spear-phishing and keep their security products up to date to prevent such attacks in advance.

MD5

* 641593eea5f235e27d7cff27d5b7ca2a
* 70d92e2b00ec6702e17e266b7742bbab
* 876dbd9529f00d708a42f470a21a6f79
* a5cca2b56124e8e9e0371b6f6293e729
* a8976e7dc409525a77b0eef0d0c3c4f2

IP

* 159[.]100[.]13[.]216
* 213[.]145[.]86[.]223
* 216[.]219[.]87[.]41
* 64[.]20[.]59[.]148

#### Tags: AsyncRAT PebbleDash RDP Root SpearPhishing termsrv.dll UACBypass UACMe

Distribution of PebbleDash Malware in March 2025 PebbleDash is a backdoor malware that was previo...

https://asec.ahnlab.com/en/87621/

#APT #Malware #Public #AsyncRAT #PebbleDash #RDP #Root #SpearPhishing #termsrv.dll #UACBypass #UACMe

0 0 0 0
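
The three checks in the report's Response Guide (termsrv.dll hash, the TermService DLL path, the hidden "Root" account) can be run together as one read-only triage pass. This is an added example, not AhnLab's code: the function name is hypothetical, and it assumes the registry value under TermService\Parameters is `ServiceDll`, that `CurrentControlSet` is the live control set (the report cites ControlSet001), and that a UserList value of 0 marks a hidden account.

```powershell
# Added triage sketch, not AhnLab's tooling. Read-only: it reports and changes nothing.
# Run from an elevated PowerShell 5.1+ prompt on the host being checked.
$KnownBadMd5 = @('641593eea5f235e27d7cff27d5b7ca2a',   # the two MD5 values the report
                 '70d92e2b00ec6702e17e266b7742bbab')   # gives for the patched termsrv.dll
$DefaultDll  = Join-Path $env:SystemRoot 'System32\termsrv.dll'

function Get-RdpTamperFinding {   # hypothetical name
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Which DLL is TermService configured to load? (ServiceDll is an assumption,
    #    see the lead-in.) Anything other than the default path is worth a look.
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $raw = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $loaded = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
    if ($loaded -and ($loaded -ne $DefaultDll)) {
        $findings.Add("ServiceDll points outside the default path: $loaded")
    }

    # 2. Hash the default file and whatever the service is configured to load.
    #    A hash that is not on the list does not clear the file; only two are published.
    foreach ($path in (@($DefaultDll, $loaded) | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { $findings.Add("missing file: $path"); continue }
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        if ($KnownBadMd5 -contains $md5) { $findings.Add("known patched termsrv.dll: $path ($md5)") }
    }

    # 3. Accounts hidden from the logon screen (value 0 under SpecialAccounts\UserList).
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        $key = Get-Item $userList
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 0) { $findings.Add("account hidden via UserList: $name") }
        }
    }

    # 4. The local account name the report calls out.
    $root = Get-LocalUser -Name 'Root' -ErrorAction SilentlyContinue
    if ($root) { $findings.Add("local account 'Root' exists (Enabled=$($root.Enabled))") }

    $findings
}

$result = @(Get-RdpTamperFinding)
if ($result.Count -eq 0) { 'No indicators from the report were found.' } else { $result }
```
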
Preview
Pebble Dash at Café Herzhäuschen - live on 12.04.2025 | vinyl-keks.eu Pebbledash play their release concert, finest singer-songwriter sound,

…And all of a sudden you may well hear yourself singing along, "You can be what ever you want,…just don't be an asshole". The audience becomes a choir, and for an unknown song at that; now that is a mark of quality.

vinyl-keks.eu/pebbledash-i...

#Bickendorf #CafeHerzhäuschen #Köln #Pebbledash #ReleaseDay

0 0 0 0
Preview
Alone and Forsaken, by Pebbledash from the album Four Portraits of the Same Ugly House


🇺🇦 #NowPlaying on #BBC6Music's #AmyLamé

Pebbledash:
🎵 Alone and Forsaken

#6music #Pebbledash

▶️ 🪄 Automagic 🔊 show 📻 playlist on Spotify

▶️ Song on #Bandcamp:

0 0 0 0
Preview
Badenoch: Giving away Chagos Islands not in UK's national interest The Conservative leader says she remains opposed to a deal, despite US President Donald Trump signalling support.

www.bbc.co.uk/news/article...

#Pebbledash

0 0 0 0
Preview
Alone and Forsaken, by Pebbledash from the album Four Portraits of the Same Ugly House


🔊 #NowPlaying on #BBC6Music's #NewMusicFix

Pebbledash:
🎵 Alone and Forsaken

#6music #Pebbledash

▶️ 🪄 Automagic 🔊 show 📻 playlist on Spotify

▶️ Song on #Bandcamp:

0 0 0 0

"Beware of spear-phishing attacks by a North Korean hacking group disguised as business emails from partner companies!" published by ESTSecurity. #Kimsuky, #PebbleDash, #DPRK, #CTI https://blog.alyac.co.kr/5526

0 0 0 0

"Lazarus Backdoor with IT Lure" published by dmpdump. #Lazarus, #PebbleDash, #DPRK, #CTI dmpdump.github.io/posts/Lazarus-Backdoor-I...

0 0 0 0