Black Banshee

Threat Actor Profile Updated 2 months ago

Download STIX

Preview STIX

Black Banshee, also known as Kimsuky, APT43, Emerald Sleet, Velvet Chollima, and TA406, is a threat actor group believed to be operating under the North Korean Reconnaissance General Bureau (RGB), the country's primary intelligence service. The group has been active since at least 2012, according to U.S. government estimates. Tracked by both the U.S. and South Korea governments, along with private-sector cybersecurity companies, Black Banshee is involved in large-scale social engineering campaigns, often using spoofed emails appearing to be from universities, think tanks, and journalists. The group has gained notoriety for its advanced persistent threat (APT) activities, which includes the use of unique tools and techniques. One such tool, dubbed "ReconShark," is characterized by unique execution instructions and server communication methods, further demonstrating the group's sophisticated cyber capabilities. This tool is used for reconnaissance, gathering valuable information that can be used in subsequent attacks. The Department of Treasury has officially designated Black Banshee as subordinate to the RGB, marking it as a significant threat to global cybersecurity. Their activities are part of a broader pattern of malicious cyber activity associated with North Korean operations. With their continued operation and evolving tactics, Black Banshee represents a persistent threat to institutions worldwide, necessitating ongoing vigilance and robust cybersecurity measures.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Kimsuky	2	Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Velvet Chollima	1	Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea’s General Reconnaissance Bureau, the country's main military intellige
Thallium	1	Thallium, also known as Kimsuky, Velvet Chollima, and APT43, is a North Korean state-sponsored threat actor or hacking group that has been active since 2012. Tracked by the Cybereason Nocturnus Team and other security researchers, this cyber espionage group is believed to operate on behalf of the No
Reconnaissance General Bureau Rgb	1	The Reconnaissance General Bureau (RGB) is a North Korean military intelligence agency identified as a threat actor responsible for various cyberattacks. RGB is associated with hacking groups known as the "Lazarus Group," "Bluenoroff," and "Andariel," which are recognized as agencies or controlled e
Apt43	1	APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
Reconnaissance General Bureau	1	The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad, including cyber activities. The RGB has been associated with several threat actors, including the BeagleBoyz, who have likely been active since at least 2014. Other groups lin

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Dprk

Apt

Korean

Reconnaissance

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Reconshark	Unspecified	1	ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Rgb	Unspecified	1	RGB, a threat actor with ties to North Korea, has been involved in a range of malicious cyber activities. The group was designated by the Office of Foreign Assets Control (OFAC) on January 2, 2015, under Executive Order 13687 for being a controlled entity of the North Korean government. In addition

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Black Banshee Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
BankInfoSecurity	2 months ago	Breach Roundup: Kimsuky Serves Linux Trojan
BankInfoSecurity	3 months ago	Breach Roundup: REvil Hacker Gets Nearly 14-Year Sentence
CERT-EU	8 months ago	US Govt’s OFAC Sanctions North Korea-based Kimsuky Hacking Group
CERT-EU	8 months ago	U.S. government sanctions prolific North Korean cyber espionage unit
CERT-EU	a year ago	Cyber security week in review: May 5, 2023
CERT-EU	a year ago	North Korea’s social engineering threat not going away