🇰🇵
Larva-24005
APT Group
ETDA ✓
Also Known As
No alias recorded
Target Countries
No target country recorded
Sectors Targeted
No targeted sector recorded
Details
Origin
🇰🇵 KP
Last Updated
09 Apr 2026
Related Zero-Days
No zero-day CVE linked to this actor
Known Names (19 entries, with the vendor that uses each name)
Kimsuky (Kaspersky)
Velvet Chollima (CrowdStrike)
Thallium (Microsoft)
Black Banshee (PWC)
SharpTongue (Volexity)
ITG16 (IBM)
TA406 (Proofpoint)
TA427 (Proofpoint)
APT 43 (Mandiant)
ARCHIPELAGO (Google)
Emerald Sleet (Microsoft)
KTA082 (Kroll)
UAT-5394 (Talos)
Sparkling Pisces (Palo Alto)
Springtail (Symantec)
Larva-24005 (AhnLab)
Larva-25004 (AhnLab)
G0094 (MITRE)
G0086 (MITRE)
Observed Target Countries (7)
Based on ETDA data
Japan
South Korea
Thailand
Ukraine
USA
Vietnam
Europe
Description
(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
Tools Used (33)
AppleSeed
BabyShark
BITTERSWEET
CSPY Downloader
FlowerPower
Gh0st RAT
Gold Dragon
Grease
KGH_SPY
KimJongRAT
Kimsuky
KPortScan
MailPassView
Mechanical
Mimikatz
MoonPeak
MyDogs
Network Password Recovery
ProcDump
PsExec
ReconShark
Remote Desktop PassView
SHARPEXT
SmallTiger
SniffPass
SWEETDROP
TODDLERSHARK
TRANSLATEXT
Troll Stealer
VENOMBITE
WebBrowserPassView
xRAT
Living off the Land
Operations (69)
2013
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks.
https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
2014
The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter.
https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/
2018-03
Operation “Baby Coin”
https://blog.alyac.co.kr/m/1963
2018-05
Operation “Stolen Pencil”
ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018.
https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia
2018-10
Operation “Mystery Baby”
https://blog.alyac.co.kr/m/1963
2018-11
The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues.
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
2019-01
Operation “Kabar Cobra”
On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps.
https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf
2019-04
Operation “Stealth Power”
https://blog.alyac.co.kr/2234
2019-04
Operation “Smoke Screen”
https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf
2019-07
Operation “Red Salt”
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf
2019-07
In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials.
Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry.
https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/
2020-02
We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” on February 28th 2020.
https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/
2020-02
North Korea has tried to hack 11 officials of the UN Security Council
https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/
2020-03
According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic.
The documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky.
https://twitter.com/issuemakerslab/status/1233010155018604545
2020-12
We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application.
https://securelist.com/apt-trends-report-q1-2021/101967/
2020-12
Kimsuky APT continues to target South Korean government using AppleSeed backdoor
https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
2021
Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
2021-05
South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology.
https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/
2021-05
North Korean hackers breached major hospital in Seoul to steal data
https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/
2021-06
North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
2021-09
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
2022-01
On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.
https://asec.ahnlab.com/en/31089/
2022 Early
Kimsuky’s GoldDragon cluster and its C2 operations
https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
2022-04
Operation “Covert Stalker”
https://asec.ahnlab.com/en/58654/
2022-10
Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f
2023
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
2023
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
2023-02
Malware Disguised as Normal Documents
https://asec.ahnlab.com/en/47585/
2023-03
CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
https://asec.ahnlab.com/en/49295/
2023-03
North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign
https://therecord.media/north-korea-apt-kimsuky-attacks
2023-03
OneNote Malware Disguised as Compensation Form (Kimsuky)
https://asec.ahnlab.com/en/50303/
2023-04
DPRK hacking groups breach South Korean defense contractors
https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/
2023-05
Kimsuky Distributing CHM Malware Under Various Subjects
https://asec.ahnlab.com/en/54678/
2023-05
Kimsuky Group Using Meterpreter to Attack Web Servers
https://asec.ahnlab.com/en/53046/
2023-05
Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel
https://asec.ahnlab.com/en/52970/
2023-05
Ongoing Campaign Using Tailored Reconnaissance Toolkit
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
2023-05
North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF
https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/
2023-06
Malware Disguised as HWP Document File (Kimsuky)
https://asec.ahnlab.com/en/54736/
2023-07
Kimsuky Threat Group Using Chrome Remote Desktop
https://asec.ahnlab.com/en/55145/
2023-07
Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)
https://asec.ahnlab.com/en/55219/
2023-08
North Korean hackers target U.S.-South Korea military drills, police say
https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/
2023-10
Kimsuky Threat Group Uses RDP to Control Infected Systems
https://asec.ahnlab.com/en/57873/
2023-11
Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
https://asec.ahnlab.com/en/59387/
2023-11
SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
https://asec.ahnlab.com/en/66546/
2023-12
Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
https://asec.ahnlab.com/en/59590/
2024
Operation “DEEP#GOSU”
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
2024-01
Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer
https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2
2024-01
TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
https://asec.ahnlab.com/en/61934/
2024-01
North Korean hackers exploit VPN update flaw to install malware
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/
2024-03
TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark
2024-03
Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
https://asec.ahnlab.com/en/63396/
2024-03
Kimsuky deploys TRANSLATEXT to target South Korean academia
https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia
2024-03
Attack Activities by Kimsuky Targeting Japanese Organizations
https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html
2024-05
North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign
https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html
2024-05
Springtail: New Linux Backdoor Added to Toolkit
https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage
2024-06
Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
https://asec.ahnlab.com/en/66720/
2024-06
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
2024-07
APT Group Kimsuky Targets University Researchers
https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/
2024-09
North Korea Hackers Linked to Breach of German Missile Manufacturer
https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/
2024-09
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html
2024-09
How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it
https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations
2025-01
DPRK hackers dupe targets into typing PowerShell commands as admin
https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/
2025-02
Persistent Threats from the Kimsuky Group Using RDP Wrapper
https://asec.ahnlab.com/en/86098/
2025-02
Operation “DEEP#DRIVE”
Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
2025-02
Phishing Email Attacks by the Larva-24005 Group Targeting Japan
https://asec.ahnlab.com/en/86535/
2025-02
TA406 Pivots to the Front
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
2025-03
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/
2025-05
Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate
https://asec.ahnlab.com/en/88132/
2025-06
Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
https://asec.ahnlab.com/en/88465/
Reports & References (15)
https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/
https://us-cert.cisa.gov/ncas/alerts/aa20-301a
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956
https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf
https://asec.ahnlab.com/en/30532/
https://asec.ahnlab.com/en/60054/
https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf
https://asec.ahnlab.com/wp-content/uploads/2023/03/Unique-characteristics-of-Kimsuky-groups-spear-phishing-emails.pdf
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/
https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/
https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF
ETDA Profile
Kimsuky, Velvet Chollima
Origin
North Korea
First Seen
2012
Sponsor
State-sponsored
Motivation
Information theft and espionage