Sparkling Pisces, also known as Kimsuky, THALLIUM, or Velvet Chollima, is a North Korean Advanced Persistent Threat (APT) group notorious for its sophisticated cyberespionage operations and advanced spear phishing attacks. The group was discovered by Unit 42 researchers, who identified two malware samples used in its campaigns. Sparkling Pisces' infrastructure is complex and continuously evolving, overlapping across multiple malware strains and campaigns. The malware uses a previously unobserved Uniform Resource Identifier (URI) pattern that has not been seen in any other malware associated with this group.
The Sparkling Pisces malware shows significant similarities, in both code and behavioral characteristics, to a variant described in ASEC's research from 2022. These similarities extend to the naming conventions of additional downloaded modules and logs, as well as to the malware's capabilities. The resemblance is particularly noticeable when compared with Sparkling Pisces' KGHSpy backdoor, which was discovered in 2020.
Our latest findings reveal another facet of Sparkling Pisces' infrastructure and two additional threats in its toolkit. This highlights the continuous evolution and sophistication of Sparkling Pisces' tools and its ever-changing infrastructure. By understanding the mechanics of these pieces of malware and the methods employed by Sparkling Pisces, organizations can better prepare for and defend against such threats.
Description last updated: 2024-09-26T14:16:11.324Z