Kimsuky

Threat Actor profile, last updated 2024-10-15T10:02:46.605Z
Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked advanced persistent threat (APT) group, active since at least 2012 and first publicly described by Kaspersky researchers in 2013. The group conducts cyber espionage against targets worldwide, using techniques such as Trojanized software installation packages and custom backdoors. Its tactics, techniques, and procedures (TTPs) continue to evolve: in May 2024 Symantec researchers observed the group deploying a new Linux backdoor, Gomir.

In November 2023 the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Kimsuky for its malicious cyber activities. Despite these measures, the group remains a significant threat to organizations worldwide.

More recently, Germany's Federal Office for Information Security (BSI) confirmed that Kimsuky was running a broader campaign against German targets, and the group has been observed approaching victims through popular communication platforms such as Facebook Messenger, demonstrating its adaptability. One notable incident was a breach of Diehl Defence, a German defense firm specializing in advanced military systems. As reported by Der Spiegel, Kimsuky ran a spear-phishing campaign that lured Diehl employees with fake job offers from U.S. arms suppliers; opening the malicious PDF installed malware that let the attackers spy on the victims' systems. The incident underscores the continued threat Kimsuky poses and the need for robust defenses across all sectors, including spear-phishing awareness for employees who receive unsolicited recruitment material.
Description last updated: 2024-10-15T09:19:47.685Z
Possible Aliases / Cluster overlaps
Vendor naming conventions and cluster boundaries differ, so the following names and profiles may overlap with Kimsuky. Treat them as candidates rather than confirmed synonyms: several entries are related to Kimsuky without being alternative names for the same group, such as separately tracked DPRK clusters (APT37/ScarCruft, Lazarus Group), the parent organization (the Reconnaissance General Bureau) or a malware family (KONNI). Each entry is listed with its community vote count.
Thallium (7 votes). Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi

Velvet Chollima (6 votes). Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea's Reconnaissance General Bureau, the country's main military intellige

APT43 (6 votes). APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA

APT37 (4 votes). APT37, also known as RedEyes, TA-RedAnt, Reaper, ScarCruft, and Group123, is a threat actor suspected to be linked with North Korea. This group has been active since at least 2012 and targets various industry verticals primarily in South Korea, but also in Japan, Vietnam, and the Middle East. These

Lazarus Group (3 votes). The Lazarus Group, a notorious threat actor linked to North Korea, is among the most prolific and dangerous cyber threat actors in operation. They have been involved in numerous cyber-attacks worldwide, with significant efforts put into their social engineering strategies. Their activities include e

KONNI (3 votes). Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba

Emerald Sleet (2 votes). Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of large language models (LLMs), leveraging them to enhance spear-phishing campaigns, research public

STOLEN PENCIL (2 votes). The STOLEN PENCIL operation, first reported in May 2018, was a cyber espionage campaign potentially originating from the Democratic People's Republic of Korea (DPRK). The threat actor, known as Kimsuky, targeted academic institutions using spear-phishing tactics for initial intrusion. This involved

Reconnaissance General Bureau (RGB) (2 votes). The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 1

Reconnaissance General Bureau (2 votes). The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl

Sparkling Pisces (2 votes). Sparkling Pisces, also known as Kimsuky, APT43, Emerald Sleet, and THALLIUM, is a North Korean Advanced Persistent Threat (APT) group notorious for its intelligence collection efforts and use of cybercrime to fund espionage. Discovered by Unit 42 researchers, this group has been linked to multiple m

Black Banshee (2 votes). Black Banshee, also known as Kimsuky, APT43, Emerald Sleet, Velvet Chollima, and TA406, is a threat actor group believed to be operating under the North Korean Reconnaissance General Bureau (RGB), the country's primary intelligence service. The group has been active since at least 2012, according to
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance (tags drawn from the source corpus):
Malware, APT, Korean, Phishing, Cybercrime, Exploit, Reconnaissance, State Sponso..., Police, Backdoor, Chrome, Ransomware, Linux, Spearphishing, Espionage, Windows, Spyware, Exploits, Payload, Trojan, Tool, SentinelOne, Source, DPRK, RAT, Domains, Android, Microsoft, ScreenConnect, Vulnerability
Associated Malware
Malware families the source corpus links to Kimsuky, each listed with the association type recorded (unspecified in all cases below) and its community vote count. BabyShark, ReconShark and ToddleShark form one lineage of Kimsuky's own tooling; the LockBit and Black Basta entries are low-vote associations and should be checked against the underlying reporting before being relied on.
BabyShark (association type: unspecified; 5 votes). BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p

ReconShark (association type: unspecified; 5 votes). ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is

LockBit (association type: unspecified; 2 votes). LockBit is a type of malware, specifically a ransomware, that infiltrates systems to exploit and damage them. It's known for its disruptive activities such as stealing personal information or holding data hostage for ransom. The LockBit ransomware gang has claimed responsibility for several high-pro

Black Basta (association type: unspecified; 2 votes). Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

ToddleShark (association type: unspecified; 2 votes). ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think t
Associated Threat Actors
Threat actors the source corpus links to Kimsuky, each listed with the association type recorded (unspecified in all cases below) and its community vote count. These are related DPRK clusters or the parent organization, not alternative names for Kimsuky.
Andariel (association type: unspecified; 5 votes). Andariel, also known as Jumpy Pisces and PLUTONIUM, is a notorious threat actor associated with the North Korean government. Historically involved in cyberespionage, financial crime, and ransomware attacks, this group has been active since at least 2014 when it made headlines with an attack on Sony

RGB (association type: unspecified; 2 votes). RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups, including Andariel, also known as Onyx Sleet, formerly P

ScarCruft (association type: unspecified; 2 votes). ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Source Document References
Information about the Kimsuky threat actor was read from the documents corpus. The 20 most recent source items, published between roughly 25 days and 4 months before the profile update, come from Securityaffairs (9 items), BankInfoSecurity (3), Unit42 (2), DARKReading (2), InfoSecurity-magazine (2), Checkpoint (1) and Contagio (1).