🇰🇷

Stolen Pencil

APT Group Information theft and espionage 2 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 20

Countries highlighted in red

Belgium Canada Germany France United Kingdom India Japan Democratic People's Republic of Korea Republic of Korea Mexico Malaysia Netherlands Poland Russian Federation Singapore Slovakia Thailand United States Vietnam South Africa

Sectors Targeted

Religious, Grantmaking, Civic, Professional, and Similar Organizations 813 NAICS:31 31 Religious Organizations 8131 Health Care and Social Assistance 62 Grantmaking and Giving Services 8132 Computer Systems Design and Related Services 54151 Other Services (except Public Administration) 81 Educational Services 61 National Security and International Affairs 928 Computer Systems Design Services 541512 Data Processing, Hosting, and Related Services 518 Public Administration 92 Air Transportation 481 Educational Support Services 6117 Personal Care Services 8121 Professional, Scientific, and Technical Services 54 Hospitals 622 Chemical Manufacturing 325 Internet Publishing and Broadcasting and Web Search Portals 51913 Other Amusement and Recreation Industries 7139 National Security and International Affairs 9281 Data Processing, Hosting, and Related Services 51821 Offices of Physicians 6211 Space Research and Technology 927 Construction 23 Employment Placement Agencies and Executive Search Services 56131 Motion Picture and Video Production 51211 Business, Professional, Labor, Political, and Similar Organizations 8139 Administrative and Support Services 561 Finance and Insurance 52 Telecommunications 517 Software Publishers 5112 Arts, Entertainment, and Recreation 71 Research and Development in the Social Sciences and Humanities 54172 Utilities 22

Details

Origin 🇰🇷 KR

Last Updated 11 May 2024

MITRE ATT&CK 155

T1003 - OS Credential Dumping T1003.001 T1005 - Data from Local System T1007 T1012 T1016 T1021 T1021.001 - Remote Desktop Protocol T1027 - Obfuscated Files or Information T1027.001 T1027.002 T1027.010 T1027.012 T1027.016 T1033 - System Owner/User Discovery T1036 - Masquerading T1036.004 T1036.005 - Match Legitimate Name or Location T1036.007 T1040 T1041 T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1055 T1055.012 - Process Hollowing T1056 - Input Capture T1056.001 - Keylogging T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.005 T1059.006 T1059.007 T1070 T1070.004 T1070.006 T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.002 T1071.003 T1071.004 - DNS T1074 - Data Staged T1074.001 T1078 - Valid Accounts T1078.003 T1082 - System Information Discovery T1083 - File and Directory Discovery T1090.003 - Multi-hop Proxy T1098 T1098.007 T1102 T1102.001 T1102.002 T1105 - Ingress Tool Transfer T1106 - Native API T1111 T1112 - Modify Registry T1113 T1114 - Email Collection T1114.002 T1114.003 T1129 - Shared Modules T1132 - Data Encoding T1133 - External Remote Services T1136 T1136.001 T1140 - Deobfuscate/Decode Files or Information T1176 T1176.001 T1185 T1190 - Exploit Public-Facing Application T1204 - User Execution T1204.001 T1204.002 - Malicious File T1205 T1218 - Signed Binary Proxy Execution T1218.005 T1218.010 T1218.011 T1219 T1219.002 T1505 T1505.003 T1518 T1518.001 T1534 T1539 T1543 T1543.003 T1546 - Event Triggered Execution T1546.001 T1547 T1547.001 T1550 T1550.002 T1552 T1552.001 T1553 T1553.002 T1555 T1555.003 T1557 T1560 T1560.001 T1560.003 T1562 T1562.001 - Disable or Modify Tools T1562.004 T1564 T1564.002 T1564.003 T1566 - Phishing T1566.001 T1566.002 T1567 T1567.002 T1568 - Dynamic Resolution T1573 - Encrypted Channel T1583 T1583.001 T1583.003 - Virtual Private Server T1583.004 T1583.006 T1584 T1584.001 T1585 T1585.001 T1585.002 T1586 T1586.002 T1587 T1587.001 T1588 - Obtain Capabilities T1588.002 - Tool T1588.003 T1588.004 - Digital Certificates T1588.005 T1589 T1589.002 T1589.003 T1591 T1593 T1593.001 T1593.002 T1594 T1596 T1598 T1598.003 T1608 T1608.001 T1620 T1656 T1657 T1680

Related Zero-Days 2

CVE-2018-8453 CVE-2025-55182

Known Names 19 entries

Kimsuky Kaspersky

Velvet Chollima CrowdStrike

Thallium Microsoft

Black Banshee PWC

SharpTongue Volexity

ITG16 IBM

TA406 Proofpoint

TA427 Proofpoint

APT 43 Mandiant

ARCHIPELAGO Google

Emerald Sleet Microsoft

KTA082 Kroll

UAT-5394 Talos

Sparkling Pisces Palo Alto

Springtail Symantec

Larva-24005 AhnLab

Larva-25004 AhnLab

G0094 MITRE

G0086 MITRE

Observed Target Countries 7

Based on ETDA data — countries highlighted in red

Japan South Korea Thailand Ukraine USA Vietnam Europe

Description

(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.

Tools Used 33

AppleSeed BabyShark BITTERSWEET CSPY Downloader FlowerPower Gh0st RAT Gold Dragon Grease KGH_SPY KimJongRAT Kimsuky KPortScan MailPassView Mechanical Mimikatz MoonPeak MyDogs Network Password Recovery ProcDump PsExec ReconShark Remote Desktop PassView SHARPEXT SmallTiger SniffPass SWEETDROP TODDLERSHARK TRANSLATEXT Troll Stealer VENOMBITE WebBrowserPassView xRAT Living off the Land

Operations 69

2013 For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

2014 The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter. https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/

2018-03 Operation “Baby Coin” https://blog.alyac.co.kr/m/1963

2018-05 Operation “Stolen Pencil” ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018. https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

2018-10 Operation “Mystery Baby” https://blog.alyac.co.kr/m/1963

2018-11 The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

2019-01 Operation “Kabar Cobra” On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps. https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf

2019-04 Operation “Stealth Power” https://blog.alyac.co.kr/2234

2019-04 Operation “Smoke Screen” https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf

2019-07 Operation “Red Salt” https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf

2019-07 In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials. Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry. https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/

2020-02 We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in February 28th 2020. https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/

2020-02 North Korea has tried to hack 11 officials of the UN Security Council https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/

2020-03 According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic. The documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky. https://twitter.com/issuemakerslab/status/1233010155018604545

2020-12 We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. https://securelist.com/apt-trends-report-q1-2021/101967/

2020-12 Kimsuky APT continues to target South Korean government using AppleSeed backdoor https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

2021 Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf

2021-05 South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology. https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/

2021-05 North Korean hackers breached major hospital in Seoul to steal data https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/

2021-06 North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

2021-09 SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/

2022-01 On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. https://asec.ahnlab.com/en/31089/

2022 Early Kimsuky’s GoldDragon cluster and its C2 operations https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

2022-04 Operation “Covert Stalker” https://asec.ahnlab.com/en/58654/

2022-10 Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f

2023 Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

2023 From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering

2023-02 Malware Disguised as Normal Documents https://asec.ahnlab.com/en/47585/

2023-03 CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) https://asec.ahnlab.com/en/49295/

2023-03 North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign https://therecord.media/north-korea-apt-kimsuky-attacks

2023-03 OneNote Malware Disguised as Compensation Form (Kimsuky) https://asec.ahnlab.com/en/50303/

2023-04 DPRK hacking groups breach South Korean defense contractors https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/

2023-05 Kimsuky Distributing CHM Malware Under Various Subjects https://asec.ahnlab.com/en/54678/

2023-05 Kimsuky Group Using Meterpreter to Attack Web Servers https://asec.ahnlab.com/en/53046/

2023-05 Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel https://asec.ahnlab.com/en/52970/

2023-05 Ongoing Campaign Using Tailored Reconnaissance Toolkit https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

2023-05 North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

2023-06 Malware Disguised as HWP Document File (Kimsuky) https://asec.ahnlab.com/en/54736/

2023-07 Kimsuky Threat Group Using Chrome Remote Desktop https://asec.ahnlab.com/en/55145/

2023-07 Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky) https://asec.ahnlab.com/en/55219/

2023-08 North Korean hackers target U.S.-South Korea military drills, police say https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/

2023-10 Kimsuky Threat Group Uses RDP to Control Infected Systems https://asec.ahnlab.com/en/57873/

2023-11 Kimsuky Targets South Korean Research Institutes with Fake Import Declaration https://asec.ahnlab.com/en/59387/

2023-11 SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel) https://asec.ahnlab.com/en/66546/

2023-12 Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey) https://asec.ahnlab.com/en/59590/

2024 Operation “DEEP#GOSU” Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

2024-01 Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

2024-01 TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group) https://asec.ahnlab.com/en/61934/

2024-01 North Korean hackers exploit VPN update flaw to install malware https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/

2024-03 TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark

2024-03 Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) https://asec.ahnlab.com/en/63396/

2024-03 Kimsuky deploys TRANSLATEXT to target South Korean academia https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia

2024-03 Attack Activities by Kimsuky Targeting Japanese Organizations https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html

2024-05 North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html

2024-05 Springtail: New Linux Backdoor Added to Toolkit https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage

2024-06 Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky) https://asec.ahnlab.com/en/66720/

2024-06 MoonPeak malware from North Korean actors unveils new details on attacker infrastructure https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

2024-07 APT Group Kimsuky Targets University Researchers https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/

2024-09 North Korea Hackers Linked to Breach of German Missile Manufacturer https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/

2024-09 North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html

2024-09 How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations

2025-01 DPRK hackers dupe targets into typing PowerShell commands as admin https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/

2025-02 Persistent Threats from the Kimsuky Group Using RDP Wrapper https://asec.ahnlab.com/en/86098/

2025-02 Operation “DEEP#DRIVE” Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/

2025-02 Phishing Email Attacks by the Larva-24005 Group Targeting Japan https://asec.ahnlab.com/en/86535/

2025-02 TA406 Pivots to the Front https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front

2025-03 Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/

2025-05 Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate https://asec.ahnlab.com/en/88132/

2025-06 Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group) https://asec.ahnlab.com/en/88465/

Reports & References 15

https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/ https://us-cert.cisa.gov/ncas/alerts/aa20-301a https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956 https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf https://asec.ahnlab.com/en/30532/ https://asec.ahnlab.com/en/60054/ https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf https://asec.ahnlab.com/wp-content/uploads/2023/03/Unique-characteristics-of-Kimsuky-groups-spear-phishing-emails.pdf https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/ https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/ https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/ https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF

ETDA Profile

Kimsuky, Velvet Chollima

Origin

North Korea

First Seen 2012

Sponsor State-sponsored

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0094/ https://attack.mitre.org/groups/G0086/

View on ETDA APT Groups ↗