Apt43

Threat Actor updated 23 days ago (2024-11-29T14:19:24.333Z)
APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and for using cybercrime to fund its espionage. It has been linked to several aliases, including Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and Emerald Sleet. APT43 has been implicated in a range of cyber-attacks, exploiting vulnerabilities alongside other threat groups such as Black Basta and Bl00dy, and has even used the leaked LockBit ransomware encryptor in its attacks.

The threat posed by APT43, particularly to the U.S. healthcare and public health sector, is significant. The U.S. Department of Health & Human Services' Healthcare Cybersecurity and Communications Integration Center (HHS HC3) has repeatedly expressed concern about the risks associated with this group, along with other North Korean state-sponsored cybercrime groups such as the Lazarus Group. APT43's tactics include social engineering, spear-phishing, credential harvesting, and spoofed personae; the group is considered moderately sophisticated in its ability to execute these tactics.

Sanctions have been imposed on APT43 by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) because of the group's intelligence gathering on behalf of the Democratic People's Republic of Korea (DPRK). These sanctions were part of a broader effort to counter North Korea's deployment of a military reconnaissance satellite supporting its weapons of mass destruction program. Despite these measures, APT43 continues to evolve, deploying new malware strains such as KLogEXE and FPSpy and expanding its campaigns to target countries beyond the U.S., including Germany.
Description last updated: 2024-10-17T12:19:08.230Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names / profiles that may also be worth looking at.
Alias (votes): description

Kimsuky (6 votes): Kimsuky is a possible alias for Apt43. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which…

Thallium (4 votes): Thallium is a possible alias for Apt43. Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi…

Emerald Sleet (3 votes): Emerald Sleet is a possible alias for Apt43. Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public…

Lazarus Group (2 votes): Lazarus Group is a possible alias for Apt43. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati…

Reconnaissance General Bureau (RGB) (2 votes): Reconnaissance General Bureau Rgb is a possible alias for Apt43. The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 1…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Malware
Korean
Apt
State Sponso...
Mandiant
Phishing
Android
Vulnerability
Health
Healthcare
Reconnaissance
Espionage
Associated Threat Actors
Threat actor (association type, votes): description

Rgb (Unspecified, 2 votes): The Rgb Threat Actor is associated with Apt43. RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en…

APT37 (Unspecified, 2 votes): The APT37 Threat Actor is associated with Apt43. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and…

Double Dragon (Unspecified, 2 votes): The Double Dragon Threat Actor is associated with Apt43. Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t…

APT41 (Unspecified, 2 votes): The APT41 Threat Actor is associated with Apt43. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi…

Wicked Panda (Unspecified, 2 votes): The Wicked Panda Threat Actor is associated with Apt43. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati…
Source Document References
Information about the Apt43 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)

Securityaffairs (3 months ago)
BankInfoSecurity (3 months ago)
Unit42 (3 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (9 months ago)
DARKReading (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)