Velvet Chollima

Threat Actor updated 4 months ago (2024-05-04T20:03:36.233Z)
Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea's Reconnaissance General Bureau, the country's main military intelligence organization. Known for its focus on social engineering, Velvet Chollima uses tactics including malicious Chrome browser extensions and app store services to target individuals conducting research on the inter-Korean conflict. The group is tracked by the U.S. and South Korean governments as well as private-sector cybersecurity companies because of its large-scale social engineering campaigns.

In 2023, Velvet Chollima notably increased its activity and added a greater focus on cryptocurrency to its traditional cyber espionage, a shift accompanied by evasion and disruption techniques intended to bypass security tools. The group has also been observed exploiting critical vulnerabilities in widely used remote access tools such as ConnectWise ScreenConnect to deploy malware similar to the BabyShark family associated with the group. Most recently, operators from this group have exploited disclosed ScreenConnect vulnerabilities to deploy a new malware variant that researchers have dubbed ToddlerShark; it overlaps with ReconShark and BabyShark, reconnaissance tools previously used by Velvet Chollima. As a state-sponsored group, Velvet Chollima continues to pose a significant threat to organizations and governments worldwide, particularly those involved in research or activities related to the inter-Korean conflict.
Description last updated: 2024-03-21T22:14:15.605Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Profile (votes): description
Kimsuky (6): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp
Thallium (4): Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chrome
Espionage
Source Document References
Information about the Velvet Chollima threat actor was read from the documents in the corpus below (this display is limited to 20 results).

Source, created: title
DARKReading, 6 months ago: North Korea-Linked Group Levels Multistage Cyberattack on South Korea
CERT-EU, 6 months ago: Cyber Security Week in Review: March 8, 2024
CERT-EU, 6 months ago: North Korea's Kimsuky gang joins rush to exploit new ScreenConnect bugs
CERT-EU, 6 months ago: Critical ScreenConnect flaws exploited to deploy Babyshark malware variant
CERT-EU, 6 months ago: ScreenConnect flaws exploited to drop new ToddleShark malware
BankInfoSecurity, 7 months ago: OpenAI and Microsoft Terminate State-Backed Hacker Accounts
CERT-EU, 9 months ago: Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
CERT-EU, a year ago: North Korea's social engineering threat not going away
Securityaffairs, a year ago: Experts detail a new Kimsuky social engineering campaign
CERT-EU, a year ago: Target of North Korean APT attack spills details of recent Kimsuky campaign
Flashpoint, 2 years ago: No title
CERT-EU, a year ago: North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
MITRE, 2 years ago: Cyber-espionage group uses Chrome extension to infect victims
MITRE, 2 years ago: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
CERT-EU, a year ago: German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU, a year ago: North Korean hackers plot Gmail theft attacks via Chrome extension | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
DARKReading, a year ago: Malicious ChatGPT Extensions Add to Google Chrome Woes
CERT-EU, a year ago: North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations | #cybercrime | #infosec – National Cyber Security Consulting
CERT-EU, a year ago: Hacker Group Names Are Now Absurdly Out of Control | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU, a year ago: ReconShark – Kimsuky's Newest Recon Tool