Thallium

Threat Actor Profile Updated 3 months ago
Thallium, also known as Kimsuky, Velvet Chollima, and APT43, is a North Korean state-sponsored hacking group that has been active since 2012. Tracked by the Cybereason Nocturnus Team and other security researchers, this cyber espionage group is believed to operate on behalf of the North Korean regime. It has conducted a range of cyberespionage and cybercrime operations, targeting news media, academic entities, and think tanks worldwide. Its primary tactics include social engineering, and it is linked to North Korea's main military intelligence organization, the General Reconnaissance Bureau. In June 2023, U.S. and South Korean intelligence agencies issued warnings about ongoing Kimsuky attacks, alerting targeted sectors to the risk. Those warnings followed a joint cybersecurity advisory from the FBI and the National Security Agency detailing how Thallium was exploiting vulnerabilities for its own ends. The group is known to attack foreign governments, academic institutions, and major media corporations in support of North Korea's national intelligence objectives. Despite being publicly exposed, it continues to grow and to pose a significant threat, and it is counted among the top threat actors alongside the China-sponsored group APT41 (also known as Double Dragon and Wicked Panda) and the North Korea-sponsored Lazarus Group. In a brief issued in 2024, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center identified Thallium as a serious threat, emphasizing the persistent and evolving nature of these state-sponsored cyber threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Kimsuky | 6 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Velvet Chollima | 4 | Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea’s General Reconnaissance Bureau, the country's main military intellige
Apt43 | 3 | APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
Emerald Sleet | 2 | Emerald Sleet, a North Korea-affiliated advanced persistent threat (APT) group, has emerged as a significant cybersecurity concern. The group leverages OpenAI’s ChatGPT, the same technology that underpins Microsoft's Copilot, to enhance its malicious activities. These activities include spear-phishi
Ta406 | 1 | TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gai
Black Banshee | 1 | Black Banshee, also known as Kimsuky, APT43, Emerald Sleet, Velvet Chollima, and TA406, is a threat actor group believed to be operating under the North Korean Reconnaissance General Bureau (RGB), the country's primary intelligence service. The group has been active since at least 2012, according to
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Health
State Sponso...
Chrome
Malware
Domains
Reconnaissance
Korean
Android
Microsoft
Cybereason
Mandiant
Trojan
Cybercrime
Ransomware
Spyware
Vpn
Associated Malware
ID | Type | Votes | Profile Description
Reconshark | Unspecified | 1 | ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is
Cactus | Unspecified | 1 | Cactus is a type of malware, specifically ransomware, that has been implicated in several high-profile cyber-attacks. This malicious software infiltrates systems through deceptive methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Cactus c
Associated Threat Actors
ID | Type | Votes | Profile Description
Double Dragon | Unspecified | 2 | Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
APT41 | Unspecified | 2 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Wicked Panda | Unspecified | 2 | Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China. Recognized as one of the top cyber threats by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, this group has been associated wit
Lazarus Group | Unspecified | 2 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
APT37 | Unspecified | 1 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Thallium threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 3 months ago | DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn
CERT-EU | 5 months ago | ScreenConnect flaws exploited to drop new ToddleShark malware
BankInfoSecurity | 8 months ago | US Sanctions North Korean Cyber Unit After Satellite Launch
CERT-EU | 10 months ago | Chinese, North Korean Nation-State Groups Target Health Data
BankInfoSecurity | 10 months ago | Chinese, North Korean Nation-State Groups Target Health Data
CERT-EU | a year ago | Anonymous Sudan claims DDoS attacks against Microsoft Outlook
CERT-EU | a year ago | Target of North Korean APT attack spills details of recent Kimsuky campaign
Flashpoint | a year ago | No title
CERT-EU | a year ago | North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
MITRE | a year ago | Back to the Future: Inside the Kimsuky KGH Spyware Suite
MITRE | a year ago | Kimsuky APT continues to target South Korean government using AppleSeed backdoor
CERT-EU | a year ago | North Korean hackers plot Gmail theft attacks via Chrome extension | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
DARKReading | a year ago | Malicious ChatGPT Extensions Add to Google Chrome Woes
CERT-EU | a year ago | Kimsuky’s Attacks Alerted German and South Korean Agencies | IT Security News
DARKReading | a year ago | North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43
CSO Online | a year ago | North Korean threat actor APT43 pivots back to strategic cyberespionage
BankInfoSecurity | a year ago | Cryptohack Roundup: Euler Finance, SafeMoon, BitKeep
CERT-EU | a year ago | Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure
CERT-EU | a year ago | APT43: Cyberespionage Group Targets Strategic Intelligence | IT Security News
CERT-EU | a year ago | ReconShark – Kimsuky’s Newest Recon Tool