Thallium

Threat Actor updated 4 months ago (2024-05-04T20:51:27.085Z)
Thallium, also known as Kimsuky, Velvet Chollima, and APT43, is a North Korean state-sponsored threat actor that has been active since 2012. Tracked by the Cybereason Nocturnus Team and other security researchers, this cyber espionage group is believed to operate on behalf of the North Korean regime. It has been involved in various cyberespionage and cybercrime operations, targeting organizations such as news media, academic entities, and think tanks globally. The group's primary tactics include social engineering, and it is linked to North Korea's main military intelligence organization, the General Reconnaissance Bureau. In June 2023, U.S. and South Korean intelligence agencies issued warnings about ongoing attacks from Kimsuky, alerting targeted sectors to the risk. These alerts came after the FBI and National Security Agency released a joint cybersecurity advisory detailing how Thallium was exploiting vulnerabilities to its benefit. The group has been known to launch attacks against foreign governments, academic institutions, and major media corporations, furthering North Korea's national intelligence objectives. Despite public exposure, the group continues to grow and pose significant threats. It is considered among the top threat actors alongside the Chinese state-sponsored group APT41 (also known as Double Dragon and Wicked Panda) and the North Korea-sponsored Lazarus Group. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center identified Thallium as a serious threat in a brief issued in 2024, emphasizing the persistent and evolving nature of these state-sponsored cyber threats.
Description last updated: 2024-05-02T23:16:03.585Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

Kimsuky (6 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp

Velvet Chollima (4 votes): Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea's General Reconnaissance Bureau, the country's main military intellige

APT43 (3 votes): APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity

Emerald Sleet (2 votes): Emerald Sleet, a North Korea-affiliated advanced persistent threat (APT) group, has emerged as a significant cybersecurity concern. The group leverages OpenAI's ChatGPT, the same technology that underpins Microsoft's Copilot, to enhance its malicious activities. These activities include spear-phishi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Apt, Chrome, State Sponso..., Espionage, Health
Analyst Notes & Discussion
Associated Threat Actors
Profile (association type, votes): description

APT41 (Unspecified, 2 votes): APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

Lazarus Group (Unspecified, 2 votes): The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and

Wicked Panda (Unspecified, 2 votes): Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has identified it as one of the top cyber threats. Over the years, security resea

Double Dragon (Unspecified, 2 votes): Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
Source Document References
Information about the Thallium threat actor was read from the documents corpus below. This display is limited to 20 results.
Source (created): title

CERT-EU (6 months ago): Chat GPT and Nation-State Attackers: A New Era of AI-generated Attacks
DARKReading (4 months ago): DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn
CERT-EU (6 months ago): ScreenConnect flaws exploited to drop new ToddleShark malware
BankInfoSecurity (9 months ago): US Sanctions North Korean Cyber Unit After Satellite Launch
CERT-EU (a year ago): Chinese, North Korean Nation-State Groups Target Health Data
BankInfoSecurity (a year ago): Chinese, North Korean Nation-State Groups Target Health Data
CERT-EU (a year ago): Anonymous Sudan claims DDoS attacks against Microsoft Outlook
CERT-EU (a year ago): Target of North Korean APT attack spills details of recent Kimsuky campaign
Flashpoint (a year ago): No title
CERT-EU (a year ago): North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
MITRE (2 years ago): Back to the Future: Inside the Kimsuky KGH Spyware Suite
MITRE (2 years ago): Kimsuky APT continues to target South Korean government using AppleSeed backdoor
CERT-EU (a year ago): North Korean hackers plot Gmail theft attacks via Chrome extension | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
DARKReading (a year ago): Malicious ChatGPT Extensions Add to Google Chrome Woes
CERT-EU (a year ago): Kimsuky's Attacks Alerted German and South Korean Agencies | IT Security News
DARKReading (a year ago): North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43
CSO Online (a year ago): North Korean threat actor APT43 pivots back to strategic cyberespionage
BankInfoSecurity (a year ago): Cryptohack Roundup: Euler Finance, SafeMoon, BitKeep
CERT-EU (a year ago): Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure
CERT-EU (a year ago): APT43: Cyberespionage Group Targets Strategic Intelligence | IT Security News