Kimsuky Threat Actor Intelligence Profile

Tracking started: a year ago, last updated: Wed Apr 17 2024, uuid: 0c1efdaa-c8e0-400f-b886-bac04fda1825

Kimsuky Description

Generated from Cybergeist context 6 hours ago. This description is learned from the associations below.
Kimsuky, also known as APT43, Emerald Sleet, and Velvet Chollima, is a North Korean Advanced Persistent Threat group known for its spear-phishing skills and increasing technical sophistication. The group has been linked to multiple cyber-attacks, including the exploitation of a vulnerability in collaboration with the ransomware groups Black Basta and Bl00dy. Kimsuky's tactics have evolved over time: the group employs techniques to evade and disrupt security tools, including shutting those tools down and adding its payloads to their exclusion lists. The group significantly ramped up its activity in 2023, shifting focus towards cryptocurrency alongside traditional cyber espionage. Kimsuky uses various delivery methods, such as LNK files attached to emails, command scripts downloaded from Dropbox, and code written in PowerShell and VBScript, to conduct offensive operations. In August 2023, Kimsuky attempted to infiltrate a U.S.-South Korean military exercise to gather information on military strategies. The threat actor frequently reuses some of its phishing infrastructure for command and control communications and continues to deploy ReconShark through specially crafted phishing emails. Kimsuky has also been observed delivering weaponized Office documents that execute the ReconShark malware. If a target engages in conversation, the group uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website designed to capture Google credentials. The group's recent activities demonstrate the adoption of a more complex, eight-stage attack chain that leverages legitimate cloud services and employs evasive malware to conduct cyber espionage and financial crimes against South Korean entities. Notably, Kimsuky's tactics resemble those of BabyShark malware, another threat associated with North Korean APT groups. Security researchers have uncovered new strategies linked with Kimsuky, indicating that the group's capabilities are evolving.
Despite its public outing, the group remains persistent and continues to pose a significant threat.
Kimsuky STIX 2.1 Package Preview
STIX package updated 6 hours ago
Relationship types in the package: alias (6), related-to (4).
Threat actor names in the package: Kimsuky, apt43, Velvet Chollima, APT37, STOLEN PENCIL, Lazarus Group, Thallium.
Related objects: BabyShark, KONNI, toddleshark, reconshark.
Sources: InfoSecurity-magazine, DARKReading, CERT-EU, Cybergeist.
Referenced reports: North Korean Group Kimsuky Exploits DMARC and Web Beacons; North Korea-Linked Group Levels Multistage Cyberattack on South Korea; 12 Months of Fighting Cybercrime & Defending Enterprises (National Cyber Security Consulting); GRIT Ransomware Report: February 2024 (National Cyber Security Consulting); Multiple Vulnerabilities Found In ConnectWise ScreenConnect (Zscaler).

Kimsuky Association List

The following associations have been automatically determined. Expand the row to see evidence. Votes are automatically added when the same assertion is recorded from different sources, or updated by human users.

Associated Object            Association Type
Threat Class                 unspecified
Threat Class                 unspecified
Country / Region             unspecified
Threat Actor                 alias
Threat Actor (Velvet Choll...)  alias
Threat Actor                 alias
Threat Actor                 alias
Threat Class                 unspecified
Context provided by 12 Sources
CSO Online
CSO serves enterprise security decision-makers and users with the critical information they need to stay ahead of evolving threats and defend against criminal cyberattacks. With incisive content that addresses all security disciplines from risk management to network defense to fraud and data loss prevention, CSO offers unparalleled depth and insight to support key decisions and investments for IT security professionals.
Checkpoint Research
Recorded Future
Recorded Future is a leading authority on cybersecurity, creating actionable intelligence that informs and influences policy and nation-state interactions.
BankInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG)
MITRE began in 1958, sponsored by the U.S. Air Force to bridge across the academic research community and industry to architect the Semi-Automatic Ground Environment, or SAGE, a key component of Cold War-era air defense.
Flashpoint’s purpose is to help organizations protect what they value and cherish most, and to do our part to make the world a safer place. Every day, commercial and governmental organizations, as well as other public entities, leverage Flashpoint’s threat intelligence platform and industry expertise to keep their employees and assets safe from harm.

Recent statements about Kimsuky

Recent statements give a quick snapshot of how this object is evolving. Click a row to see the full report context.
Statement Text
A threat actor has been observed exploiting a recently disclosed critical vulnerability in the ConnectWise ScreenConnect remote access tool to deploy a malware strain similar to the Babyshark malware family associated with a North Korean state-backed...(read more)
Kimsuky’s operations mostly consist of stealing intelligence, focusing on foreign policies and national security concerns regarding the Korean peninsula and nuclear policy.
This is part of the Kimsuky's increasingly common approach of establishing a rapport with its targets before delivering a malicious payload.
In the malicious emails, Kimsuky entices the target to open a link to download a password-protected document.
Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews. (15 more)
Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium Velv...(read more)
Of note, the South Korean authorities imposed sanctions this week on eight North Korean individuals, including Ri Chang-ho, the head of the Reconnaissance General Bureau, believed to be behind North Kore...(read more)
After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body.
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.
North Korean Kimsuky deploys AppleSeed, Meterpreter, and TinyNuke to take over infected servers
“The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision atta...(read more)
Hackers posing as Journalists and Writers (Source: U.S. Government) If the target does not reply to these emails, Kimsuky follows up after a few days with another message.
Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea’s Reconnaissance General Bureau and is known to “collect strategic intelligence on geopolitical events and negotiations affecting the...(read more)
The infrastructure of some of the malware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools.
Kimsuky used a macro-based document to target Korean-speaking people.
Finally, this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea.
KIMSUKY ATTACK IoCs
Domains: brhosting[.]net, prohomepage[.]net, splitbusiness[.]com, techgolfs[.]com, theservicellc[.]com, topspace[.]org
IP addresses: 152[.]89[.]247[.]57, 172[.]93[.]201[.]248, 192[.]236[.]154[.]125, 209[.]127[.]37[.]40, 23[.]236[.]181[.]108
...(read more)
Kimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]).
Finally, ToddleShark encodes the gathered information in Privacy Enhanced Mail (PEM) certificates, exfiltrated to the attacker's command and control (C2) infrastructure, an advanced and known Kimsuky tactic.
• Behavioral and Code Similarities to Other Kimsuky Malware: The newly discovered malware shares various behavioral and code similarities to known Kimsuky malware, including: code signing with EGIS revoked certificate; shared strings; file naming con...(read more)
Documents discussing Kimsuky
Relevance score is determined via Machine Learning, to identify which documents could be most valuable to read.
Created At
Title
a year ago
North Korean Advanced Persistent Threat Focus: Kimsuky | CISA
a year ago
Back to the Future: Inside the Kimsuky KGH Spyware Suite
a year ago
North Korea's Kimsuky APT Keeps Growing, Despite Public Outing
a year ago
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
a year ago
Kimsuky cyber-bandits keep surprising: the new ReconShark malware can settle into an infected system for a long time
a year ago
North Korean APT Uses Malicious Microsoft OneDrive Links to Spread New Malware
a year ago
Kimsuky APT continues to target South Korean government using AppleSeed backdoor
a year ago
North Korea-linked Kimsuky APT uses new recon tool ReconShark
a year ago
Security Incident Weekly Report 2023-05-08, Week 19 - 360CERT
a year ago
ReconShark: new undetectable hacking tool used by cybercriminals
a year ago
North Korean-backed APT group Kimsuky evolves reconnaissance capabilities in recent global campaign
a year ago
North Korean APT Kimsuky Launches Global Spear-Phishing Campaign
10 months ago
Target of North Korean APT attack spills details of recent Kimsuky campaign
a year ago
North Korean APT breached Seoul National University Hospital
10 months ago
Experts detail a new Kimsuky social engineering campaign
10 months ago
North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
a year ago
New reconnaissance malware deployed in global Kimsuky campaign
a year ago
More than 2M sites impacted by WordPress plugin with reflected XSS bug
a year ago
North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43
a year ago
ReconShark – Kimsuky’s Newest Recon Tool
Associated Indicators (328)