Kimsuky

Threat Actor updated 4 days ago (2024-11-29T13:53:49.870Z)
Kimsuky is a threat actor group linked to North Korea, known for malicious cyber activity with a particular focus on espionage. The group has been observed employing a variety of tactics and techniques. Its malware families TOGREASE, GREASE and RandomQuery communicate with their command-and-control (C2) servers in a similar manner, which is one of the reasons these tools are attributed to the same operator. The group has also registered its malware as a Windows service to obtain reliable persistence, an approach it has used against organizations across multiple sectors, especially those involved in nuclear weapons research and policy.

Recently, Kimsuky has been observed using social media platforms, specifically Messenger, to approach victims. This delivery method shows how the group keeps adapting its tactics to get into systems and networks. Kimsuky has also been seen abusing Microsoft Management Console (.msc) files. Console files are normally used by system administrators, but a crafted one can execute any Windows command when it is opened, so an .msc attachment or download should be treated with the same suspicion as any other executable content.

Overlaps in tactics, techniques and procedures (TTPs) and in infrastructure have also led analysts to associate other activity with Kimsuky. Cisco Talos assessed that the UAT-5394 activity cluster was either Kimsuky itself or another North Korean APT using Kimsuky's infrastructure. In another case, a MoonPeak server was observed connecting to a known C2 server for Quasar RAT, a tool associated with the Kimsuky group. These findings suggest that Kimsuky's infrastructure and tooling may be shared with, or reused by, other North Korean operators, so its influence may extend beyond its own operations.
Description last updated: 2024-11-28T11:45:46.900Z
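The two host-level behaviours in the description above, registering malware as a service for persistence and running commands through an MMC console file, are easiest to hunt for in Windows event logs. The Python below is an added example written for this page; it is not code from the page's sources or from any vendor. It runs two checks over events shaped like Sysmon event 1 (process creation) and System log event 7045 (service installed): a shell or script host spawned by mmc.exe, and a newly installed service whose binary lives in a user-writable directory or is itself an interpreter. The events are constructed for illustration, the field names follow Sysmon and Windows naming only loosely, and the USER_WRITABLE path list and the interpreter list are assumptions to be tuned for the environment.

```python
"""Hunting checks for two Kimsuky behaviours named on this page: persistence by
registering malware as a Windows service (System log event 7045) and command
execution through an MMC console file, which at process level shows up as
mmc.exe spawning a shell or script host (Sysmon event 1).

All events below are constructed for illustration; they are not real telemetry.
"""
import re

# Binaries that an MMC console or a freshly installed service should rarely
# launch directly. Assumed list; extend it for the environment being hunted.
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Directories a standard user can write to; a service binary here is suspicious.
# Assumed list; adjust for non-default profile locations.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\Public|ProgramData|Temp|AppData|Downloads|Desktop)\\",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [
    # mmc.exe launching a shell: what a console file carrying a command looks like
    {"source": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -ep bypass -f C:\Users\Public\update.ps1"},
    # mmc.exe starting a COM surrogate for a snap-in: expected, not flagged
    {"source": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe"},
    # ordinary user activity: not flagged
    {"source": "Sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # new service whose binary sits in a user-writable directory
    {"source": "System", "EventID": 7045, "ServiceName": "WinUpdateHelper",
     "ImagePath": r'"C:\Users\Public\Libraries\svchelper.exe" -k netsvcs'},
    # new service that is really a script run through an interpreter
    {"source": "System", "EventID": 7045, "ServiceName": "ReportSvc",
     "ImagePath": r"cmd.exe /c wscript.exe C:\ProgramData\report.vbs"},
    # service installed by a legitimate tool: not flagged
    {"source": "System", "EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_binary(image_path):
    """Executable part of a 7045 ImagePath, handling quoting and trailing arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    return p.split()[0] if p else ""


def check_mmc_child(ev):
    """Flag a shell or script host whose parent process is mmc.exe."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) != "mmc.exe":
        return None
    child = basename(ev.get("Image", ""))
    if child in SHELLS_AND_SCRIPT_HOSTS:
        return {"rule": "mmc_spawns_shell", "child": child,
                "cmdline": ev.get("CommandLine", "")}
    return None


def check_service_install(ev):
    """Flag a newly installed service that runs from a user-writable path or via an interpreter."""
    if ev.get("source") != "System" or ev.get("EventID") != 7045:
        return None
    binary = service_binary(ev.get("ImagePath", ""))
    name = ev.get("ServiceName", "")
    if USER_WRITABLE.search(binary):
        return {"rule": "service_in_user_writable_path", "service": name, "binary": binary}
    if basename(binary) in SHELLS_AND_SCRIPT_HOSTS:
        return {"rule": "service_runs_interpreter", "service": name, "binary": binary}
    return None


def hunt(events):
    """Run every check over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for check in (check_mmc_child, check_service_install):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In practice the events come from a SIEM export or from Get-WinEvent output converted to JSON. The mmc.exe rule will also fire on an administrator who launches a shell from a legitimate taskpad, so triage on the command line and on the parent console file; the service rules are high-signal on workstations but need an allow-list for installers that legitimately stage binaries under ProgramData.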
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles worth looking at alongside this one. The vote count after each name reflects how strongly the community supports the overlap.
Alias (votes): description

Thallium (7 votes): Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. The group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi

Velvet Chollima (6 votes): Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea's Reconnaissance General Bureau, the country's main military intellige

APT43 (6 votes): APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and for using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA

APT37 (4 votes): APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and

Lazarus Group (3 votes): The Lazarus Group, a notorious threat actor attributed to North Korea, is known for malicious activity aimed at furthering the country's objectives. The group has been implicated in several high-profile cyber-attacks, including an attack in Spain that was part of Operation DreamJob. The exploitati

KONNI (3 votes; a malware family rather than a group name): Konni is malware linked to North Korea and specifically to the state-sponsored Kimsuky group. The advanced persistent threat (APT) using it has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba

Emerald Sleet (2 votes): Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. The group is known for its use of large language models (LLMs), leveraging them to enhance spear-phishing campaigns, research public

Black Banshee (2 votes): Black Banshee, also known as Kimsuky, APT43, Emerald Sleet, Velvet Chollima, and TA406, is a threat actor group believed to be operating under the North Korean Reconnaissance General Bureau (RGB), the country's primary intelligence service. The group has been active since at least 2012, according to

Reconnaissance General Bureau (RGB) (2 votes): The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 1

STOLEN PENCIL (2 votes): The STOLEN PENCIL operation, first reported in May 2018, was a cyber espionage campaign potentially originating from the Democratic People's Republic of Korea (DPRK). The threat actor, known as Kimsuky, targeted academic institutions using spear-phishing for initial intrusion. This involved

Reconnaissance General Bureau (2 votes): The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl

Sparkling Pisces (2 votes): Sparkling Pisces, also known as Kimsuky, APT43, Emerald Sleet, and THALLIUM, is a North Korean Advanced Persistent Threat (APT) group notorious for its intelligence collection efforts and use of cybercrime to fund espionage. Sparkling Pisces is the name Unit 42 researchers use for the group, which has been linked to multiple m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, APT, Korean, Phishing, Exploit, Reconnaissance, State Sponso..., Cybercrime, Police, Windows, Backdoor, Chrome, Ransomware, Linux, Spearphishing, Espionage, Spyware, Trojan, Payload, Tool, Source, SentinelOne, DPRK, RAT, Domains, Android, ScreenConnect, Microsoft, Vulnerability, Exploits
Associated Malware
Malware (association type; votes): description

BabyShark (Unspecified; 5 votes): BabyShark is malware linked to the North Korean Advanced Persistent Threat (APT) group Kimsuky, also referred to as Thallium and Velvet Chollima. Written in Microsoft Visual Basic script, it was first identified in November 2018 and was used p

ReconShark (Unspecified; 5 votes): ReconShark is a malware variant deployed by the North Korea-linked APT group Kimsuky. Observed in an ongoing campaign as an infostealer-downloader, it is a new iteration of the group's custom BabyShark family. The ReconShark tool is

LockBit (Unspecified; 2 votes): LockBit is a prominent ransomware-as-a-service (RaaS) malware involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or

MoonPeak (Unspecified; 2 votes)

Black Basta (Unspecified; 2 votes): Black Basta is a notorious ransomware group known for sophisticated attacks that have targeted numerous high-profile entities. The group has shown a marked ability to adapt its tactics, techniques, and procedures (TTPs), allowing it to evade security defenses

ToddleShark (Unspecified; 2 votes): ToddleShark is a new malware variant believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. Kroll's analysts identified it being used by the North Korean APT group Kimsuky to target government organizations, research centers, universities, and think t
Associated Threat Actors
Threat actor (association type; votes): description

Andariel (Unspecified; 5 votes): Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, conducts cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som

RGB (Unspecified; 2 votes): RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en

ScarCruft (Unspecified; 2 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. The group has shown agility in adopting new malware delivery me
Source Document References
Information about the Kimsuky threat actor was read from the documents listed below (source and age at the time the page was captured). This display is limited to 20 results.
Source (created)

Securelist (5 days ago)
DARKReading (3 months ago)
ESET (25 days ago)
Securityaffairs (2 months ago)
Securityaffairs (2 months ago)
Checkpoint (2 months ago)
BankInfoSecurity (2 months ago)
Unit42 (2 months ago)
DARKReading (2 months ago)
BankInfoSecurity (3 months ago)
Contagio (3 months ago)
Unit42 (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
InfoSecurity-magazine (3 months ago)
Securityaffairs (4 months ago)
InfoSecurity-magazine (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)