🇰🇷

Kimsuky

APT Group Information theft and espionage 48 zero-day CVEs ETDA ✓

Also Known As 10 names

APT43 Black Banshee Emerald Sleet G0086 Operation Stolen Pencil Sparkling Pisces Springtail THALLIUM Thallium Velvet Chollima

Target Countries 16

Countries highlighted in red

Canada Germany France United Kingdom India Japan Republic of Korea Malaysia Russian Federation Singapore Slovakia Thailand Ukraine United States Vietnam South Africa

Sectors Targeted

Business, Professional, Labor, Political, and Similar Organizations 8139 Offices of Physicians 6211 Manufacturing Finance and Insurance 52 Ministry of Unification, Sejong Institute and Korea Institute for Defense Analyses Think Tanks Data Processing, Hosting, and Related Services 51821 Healthcare Internet Publishing and Broadcasting and Web Search Portals 51913 Grantmaking and Giving Services 8132 Employment Placement Agencies and Executive Search Services 56131 Computer Systems Design Services 541512 Personal Care Services 8121 Educational Support Services 6117 Religious Organizations 8131 Education Energy Defense Hospitals 622 Construction 23 Other Amusement and Recreation Industries 7139 Air Transportation 481 National Security and International Affairs 9281 Computer Systems Design and Related Services 54151 Research and Development in the Social Sciences and Humanities 54172 Motion Picture and Video Production 51211 Government

Details

Origin 🇰🇷 KR

Last Updated 14 May 2024

Malware Families 10

dilljuice

troll_stealer

grease

zhmimikatz

mechanical

flowerpower

mydogs

gold_dragon

yorekey

alphaseed

MITRE ATT&CK 285

T1001 - Data Obfuscation T1002 T1003 - OS Credential Dumping T1003.001 T1005 - Data from Local System T1007 T1008 - Fallback Channels T1010 - Application Window Discovery T1011 - Exfiltration Over Other Network Medium T1012 - Query Registry T1014 - Rootkit T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1020 - Automated Exfiltration T1021 - Remote Services T1021.001 - Remote Desktop Protocol T1022 T1025 - Data from Removable Media T1027 - Obfuscated Files or Information T1027.001 T1027.002 - Software Packing T1027.007 T1027.010 T1027.012 T1027.013 T1027.015 T1027.016 T1030 - Data Transfer Size Limits T1031 T1033 - System Owner/User Discovery T1036 - Masquerading T1036.002 - Right-to-Left Override T1036.003 - Rename System Utilities T1036.004 T1036.005 - Match Legitimate Name or Location T1036.007 T1037 T1040 T1041 - Exfiltration Over C2 Channel T1045 T1046 T1047 T1049 - System Network Connections Discovery T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1055 - Process Injection T1055.001 - Dynamic-link Library Injection T1055.012 - Process Hollowing T1056 - Input Capture T1056.001 - Keylogging T1056.003 - Web Portal Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.005 - Visual Basic T1059.006 - Python T1059.007 - JavaScript T1060 T1063 T1064 T1068 - Exploitation for Privilege Escalation T1069 - Permission Groups Discovery T1070 - Indicator Removal on Host T1070.004 - File Deletion T1070.006 T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.002 T1071.003 T1071.004 - DNS T1072 - Software Deployment Tools T1074 - Data Staged T1074.001 - Local Data Staging T1078 - Valid Accounts T1078.003 - Local Accounts T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 - Account Discovery T1087.001 T1090 - Proxy T1090.003 - Multi-hop Proxy T1094 T1095 - Non-Application Layer Protocol T1098 T1098.007 T1102 - Web Service T1102.001 - Dead Drop Resolver T1102.002 T1104 - Multi-Stage Channels T1105 - Ingress Tool Transfer T1106 - Native API T1107 T1110 T1111 T1112 - Modify Registry T1113 - Screen Capture T1114 - Email Collection T1114.002 T1114.003 T1115 - Clipboard Data T1119 T1123 - Audio Capture T1124 - System Time Discovery T1125 - Video Capture T1127 T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1132.002 T1133 - External Remote Services T1134 - Access Token Manipulation T1135 - Network Share Discovery T1136 T1136.001 T1137 T1137.001 T1140 - Deobfuscate/Decode Files or Information T1176 - Browser Extensions T1176.001 T1185 T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1192 - Spearphishing Link T1193 T1194 - Spearphishing via Service T1195 - Supply Chain Compromise T1199 - Trusted Relationship T1203 - Exploitation for Client Execution T1204 - User Execution T1204.001 T1204.002 - Malicious File T1204.004 T1205 T1213 T1217 - Browser Bookmark Discovery T1218 - Signed Binary Proxy Execution T1218.005 T1218.010 T1218.011 - Rundll32 T1219 - Remote Access Software T1219.002 T1221 T1404 - Exploit OS Vulnerability T1412 - Capture SMS Messages T1414 T1418 T1420 T1429 - Capture Audio T1432 - Access Contact List T1437 T1442 - Fake Developer Accounts T1449 T1454 T1480 T1480.002 T1486 - Data Encrypted for Impact T1489 - Service Stop T1490 - Inhibit System Recovery T1495 T1496 - Resource Hijacking T1497 - Virtualization/Sandbox Evasion T1497.001 - System Checks T1503 - Credentials from Web Browsers T1505 - Server Software Component T1505.003 T1512 - Capture Camera T1514 - Elevated Execution with Prompt T1518 - Software Discovery T1518.001 - Security Software Discovery T1529 T1530 - Data from Cloud Storage Object T1531 - Account Access Removal T1534 T1539 - Steal Web Session Cookie T1541 T1543 - Create or Modify System Process T1543.003 - Windows Service T1543.004 T1546 - Event Triggered Execution T1546.001 T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1548 T1550 T1550.002 - Pass the Hash T1552 - Unsecured Credentials T1552.001 T1552.004 T1553 - Subvert Trust Controls T1553.002 T1555 - Credentials from Password Stores T1555.003 - Credentials from Web Browsers T1556 T1557 - Man-in-the-Middle T1559 - Inter-Process Communication T1559.001 T1560 - Archive Collected Data T1560.001 T1560.003 T1562 - Impair Defenses T1562.001 - Disable or Modify Tools T1562.004 T1563 T1564 - Hide Artifacts T1564.002 T1564.003 T1564.011 T1566 - Phishing T1566.001 - Spearphishing Attachment T1566.002 - Spearphishing Link T1567 - Exfiltration Over Web Service T1567.001 - Exfiltration to Code Repository T1567.002 - Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1569 - System Services T1570 - Lateral Tool Transfer T1571 - Non-Standard Port T1573 - Encrypted Channel T1573.001 - Symmetric Cryptography T1574 - Hijack Execution Flow T1574.001 T1574.002 T1582 T1583 - Acquire Infrastructure T1583.001 - Domains T1583.003 - Virtual Private Server T1583.004 - Server T1583.005 T1583.006 T1584 - Compromise Infrastructure T1584.001 T1584.004 - Server T1585 - Establish Accounts T1585.001 - Social Media Accounts T1585.002 T1586 - Compromise Accounts T1586.002 T1587 T1587.001 T1587.003 - Digital Certificates T1588 - Obtain Capabilities T1588.002 - Tool T1588.003 - Code Signing Certificates T1588.004 - Digital Certificates T1588.005 T1589 - Gather Victim Identity Information T1589.001 - Credentials T1589.002 T1589.003 - Employee Names T1590 - Gather Victim Network Information T1590.004 T1591 T1592 - Gather Victim Host Information T1593 T1593.001 T1593.002 T1594 T1596 T1598 - Phishing for Information T1598.003 - Spearphishing Link T1602 - Data from Configuration Repository T1606 - Forge Web Credentials T1608 - Stage Capabilities T1608.001 T1614 T1620 T1656 T1657 T1678 T1680 T1682 T1684 T1684.001 T1685 T1686 TA0003 TA0004 TA0005 TA0006 TA0007 TA0009 TA0011 TA0034 TA0040

Related Zero-Days 48

CVE-2017-0199 CVE-2018-8453 CVE-2019-0708 CVE-2021-1675 CVE-2021-34527 CVE-2021-40444 CVE-2021-42292 CVE-2021-44228 CVE-2022-0609 CVE-2022-30190 CVE-2022-3236 CVE-2023-20109 CVE-2023-20198 CVE-2023-22515 CVE-2023-32434 CVE-2023-32435 CVE-2023-36884 CVE-2023-38606 CVE-2023-38831 CVE-2023-41990 CVE-2023-46604 CVE-2023-46805 CVE-2023-4966 CVE-2024-21412 CVE-2024-21887 CVE-2024-23222 CVE-2024-3400 CVE-2024-38112 CVE-2024-38193 CVE-2024-38657 CVE-2024-4040 CVE-2024-43093 CVE-2024-43461 CVE-2024-47575 CVE-2024-49039 CVE-2024-4947 CVE-2024-9680 CVE-2025-0282 CVE-2025-0283 CVE-2025-1316 CVE-2025-21391 CVE-2025-21418 CVE-2025-22457 CVE-2025-24200 CVE-2025-27363 CVE-2025-43200 CVE-2025-55182 CVE-2025-9491

Known Names 19 entries

Kimsuky Kaspersky

Velvet Chollima CrowdStrike

Thallium Microsoft

Black Banshee PWC

SharpTongue Volexity

ITG16 IBM

TA406 Proofpoint

TA427 Proofpoint

APT 43 Mandiant

ARCHIPELAGO Google

Emerald Sleet Microsoft

KTA082 Kroll

UAT-5394 Talos

Sparkling Pisces Palo Alto

Springtail Symantec

Larva-24005 AhnLab

Larva-25004 AhnLab

G0094 MITRE

G0086 MITRE

Observed Target Countries 7

Based on ETDA data — countries highlighted in red

Japan South Korea Thailand Ukraine USA Vietnam Europe

Description

(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.

Tools Used 33

AppleSeed BabyShark BITTERSWEET CSPY Downloader FlowerPower Gh0st RAT Gold Dragon Grease KGH_SPY KimJongRAT Kimsuky KPortScan MailPassView Mechanical Mimikatz MoonPeak MyDogs Network Password Recovery ProcDump PsExec ReconShark Remote Desktop PassView SHARPEXT SmallTiger SniffPass SWEETDROP TODDLERSHARK TRANSLATEXT Troll Stealer VENOMBITE WebBrowserPassView xRAT Living off the Land

Operations 69

2013 For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/

2014 The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter. https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/

2018-03 Operation “Baby Coin” https://blog.alyac.co.kr/m/1963

2018-05 Operation “Stolen Pencil” ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018. https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

2018-10 Operation “Mystery Baby” https://blog.alyac.co.kr/m/1963

2018-11 The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

2019-01 Operation “Kabar Cobra” On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps. https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf

2019-04 Operation “Stealth Power” https://blog.alyac.co.kr/2234

2019-04 Operation “Smoke Screen” https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf

2019-07 Operation “Red Salt” https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf

2019-07 In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials. Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry. https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/

2020-02 We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in February 28th 2020. https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/

2020-02 North Korea has tried to hack 11 officials of the UN Security Council https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/

2020-03 According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic. The documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky. https://twitter.com/issuemakerslab/status/1233010155018604545

2020-12 We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. https://securelist.com/apt-trends-report-q1-2021/101967/

2020-12 Kimsuky APT continues to target South Korean government using AppleSeed backdoor https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

2021 Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf

2021-05 South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology. https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/

2021-05 North Korean hackers breached major hospital in Seoul to steal data https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/

2021-06 North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

2021-09 SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/

2022-01 On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. https://asec.ahnlab.com/en/31089/

2022 Early Kimsuky’s GoldDragon cluster and its C2 operations https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

2022-04 Operation “Covert Stalker” https://asec.ahnlab.com/en/58654/

2022-10 Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f

2023 Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

2023 From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering

2023-02 Malware Disguised as Normal Documents https://asec.ahnlab.com/en/47585/

2023-03 CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) https://asec.ahnlab.com/en/49295/

2023-03 North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign https://therecord.media/north-korea-apt-kimsuky-attacks

2023-03 OneNote Malware Disguised as Compensation Form (Kimsuky) https://asec.ahnlab.com/en/50303/

2023-04 DPRK hacking groups breach South Korean defense contractors https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/

2023-05 Kimsuky Distributing CHM Malware Under Various Subjects https://asec.ahnlab.com/en/54678/

2023-05 Kimsuky Group Using Meterpreter to Attack Web Servers https://asec.ahnlab.com/en/53046/

2023-05 Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel https://asec.ahnlab.com/en/52970/

2023-05 Ongoing Campaign Using Tailored Reconnaissance Toolkit https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

2023-05 North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

2023-06 Malware Disguised as HWP Document File (Kimsuky) https://asec.ahnlab.com/en/54736/

2023-07 Kimsuky Threat Group Using Chrome Remote Desktop https://asec.ahnlab.com/en/55145/

2023-07 Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky) https://asec.ahnlab.com/en/55219/

2023-08 North Korean hackers target U.S.-South Korea military drills, police say https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/

2023-10 Kimsuky Threat Group Uses RDP to Control Infected Systems https://asec.ahnlab.com/en/57873/

2023-11 Kimsuky Targets South Korean Research Institutes with Fake Import Declaration https://asec.ahnlab.com/en/59387/

2023-11 SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel) https://asec.ahnlab.com/en/66546/

2023-12 Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey) https://asec.ahnlab.com/en/59590/

2024 Operation “DEEP#GOSU” Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

2024-01 Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

2024-01 TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group) https://asec.ahnlab.com/en/61934/

2024-01 North Korean hackers exploit VPN update flaw to install malware https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/

2024-03 TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark

2024-03 Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) https://asec.ahnlab.com/en/63396/

2024-03 Kimsuky deploys TRANSLATEXT to target South Korean academia https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia

2024-03 Attack Activities by Kimsuky Targeting Japanese Organizations https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html

2024-05 North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html

2024-05 Springtail: New Linux Backdoor Added to Toolkit https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage

2024-06 Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky) https://asec.ahnlab.com/en/66720/

2024-06 MoonPeak malware from North Korean actors unveils new details on attacker infrastructure https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

2024-07 APT Group Kimsuky Targets University Researchers https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/

2024-09 North Korea Hackers Linked to Breach of German Missile Manufacturer https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/

2024-09 North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html

2024-09 How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations

2025-01 DPRK hackers dupe targets into typing PowerShell commands as admin https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/

2025-02 Persistent Threats from the Kimsuky Group Using RDP Wrapper https://asec.ahnlab.com/en/86098/

2025-02 Operation “DEEP#DRIVE” Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/

2025-02 Phishing Email Attacks by the Larva-24005 Group Targeting Japan https://asec.ahnlab.com/en/86535/

2025-02 TA406 Pivots to the Front https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front

2025-03 Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/

2025-05 Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate https://asec.ahnlab.com/en/88132/

2025-06 Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group) https://asec.ahnlab.com/en/88465/

Reports & References 15

https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/ https://us-cert.cisa.gov/ncas/alerts/aa20-301a https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956 https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf https://asec.ahnlab.com/en/30532/ https://asec.ahnlab.com/en/60054/ https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf https://asec.ahnlab.com/wp-content/uploads/2023/03/Unique-characteristics-of-Kimsuky-groups-spear-phishing-emails.pdf https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/ https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/ https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/ https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF

ETDA Profile

Kimsuky, Velvet Chollima

Origin

North Korea

First Seen 2012

Sponsor State-sponsored

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0094/ https://attack.mitre.org/groups/G0086/

View on ETDA APT Groups ↗