Sparkling Pisces

Threat Actor updated 5 days ago (2024-11-29T14:53:58.718Z)

Download STIX

Preview STIX

Sparkling Pisces, also known as Kimsuky, APT43, Emerald Sleet, and THALLIUM, is a North Korean Advanced Persistent Threat (APT) group notorious for its intelligence collection efforts and use of cybercrime to fund espionage. Discovered by Unit 42 researchers, this group has been linked to multiple malware strains and campaigns, demonstrating a complex and ever-evolving infrastructure. The group's proficiency in advanced spear-phishing attacks and sophisticated cyberespionage operations underscores the serious threat it poses. In their latest research, the Unit 42 team identified two previously undocumented malware samples tied to Sparkling Pisces. These findings further illuminate the group's continuously evolving toolkit and intricate infrastructure. The newly discovered malware exhibits code and behavioral similarities with a variant described in ASEC's 2022 research. It shares several characteristics, including naming conventions of additional downloaded modules and logs, with Sparkling Pisces's KGHSpy backdoor, which was initially uncovered in 2020. Interestingly, the new malware uses an unknown Uniform Resource Identifier (URI) pattern not observed in any other associated Sparkling Pisces malware, indicating a potential evolution in their methodology. This development underlines the group's relentless pursuit of innovation and sophistication in their cyber-attack strategies. As such, understanding and monitoring Sparkling Pisces remains crucial in combating cyber threats and safeguarding digital assets.

Description last updated: 2024-10-17T12:18:20.929Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Kimsuky is a possible alias for Sparkling Pisces. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Sparkling Pisces Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	3 months ago	Threat Assessment: North Korean Threat Groups
Checkpoint	2 months ago	30th September – Threat Intelligence Report - Check Point Research
Unit42	2 months ago	Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy