Thallium

Threat Actor updated 2 months ago (2024-09-10T04:18:34.373Z)
Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activities. The group's operations have evolved over time, with activities being traced back to at least 2018 under various aliases. Thallium has employed sophisticated methods in its operations, including leveraging artificial intelligence tools like ChatGPT to draft more convincing content for phishing emails. The Cybereason Nocturnus Team and other security researchers have been actively tracking the activities of this group. Thallium has targeted a wide range of entities, including news media organizations, academic institutions, think tanks, foreign governments, and major media corporations. In June 2023, U.S. and South Korean intelligence agencies issued warnings about the group's escalating cyberespionage attacks. Moreover, Thallium has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, alongside other notable groups like China's state-sponsored APT41 and North Korea's Lazarus Group. Despite public exposure and international advisories, Thallium continues to grow and evolve its tactics. The group is notorious for its focus on social engineering and is linked to North Korea’s main military intelligence organization, the General Reconnaissance Bureau. With the continuous evolution of cyber threats, it is crucial for entities worldwide to remain vigilant and enhance their cybersecurity measures to counteract these advanced persistent threats.
Description last updated: 2024-09-10T03:20:11.916Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Kimsuky | Kimsuky is a possible alias for Thallium. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit | 7
APT43 | APT43 is a possible alias for Thallium. APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA | 4
Velvet Chollima | Velvet Chollima is a possible alias for Thallium. Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea’s General Reconnaissance Bureau, the country's main military intellige | 4
Emerald Sleet | Emerald Sleet is a possible alias for Thallium. Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Chrome
Cybercrime
State Sponso...
Espionage
Health
Associated Threat Actors
Alias | Description | Association Type | Votes
APT41 | The APT41 Threat Actor is associated with Thallium. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi | Unspecified | 2
Lazarus Group | The Lazarus Group Threat Actor is associated with Thallium. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K | Unspecified | 2
Wicked Panda | The Wicked Panda Threat Actor is associated with Thallium. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati | Unspecified | 2
Double Dragon | The Double Dragon Threat Actor is associated with Thallium. Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t | Unspecified | 2
Source Document References
Information about the Thallium Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Unit42 | 2 months ago
CERT-EU | 9 months ago
DARKReading | 7 months ago
CERT-EU | 9 months ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Flashpoint | 2 years ago
CERT-EU | a year ago
MITRE | 2 years ago
MITRE | 2 years ago
CERT-EU | 2 years ago
DARKReading | 2 years ago
CERT-EU | 2 years ago
DARKReading | 2 years ago
CSO Online | 2 years ago
BankInfoSecurity | 2 years ago
CERT-EU | 2 years ago