Velvet Chollima

Threat Actor updated 5 months ago (2024-05-04T20:03:36.233Z)

Download STIX

Preview STIX

Velvet Chollima, also known as Kimsuky, APT43, Thallium, Black Banshee, and Emerald Sleet among other names, is a threat actor believed to be based in North Korea. The group has been active since 2012 and is linked to North Korea’s General Reconnaissance Bureau, the country's main military intelligence organization. Known for its focus on social engineering, Velvet Chollima uses various tactics including malicious Chrome browser extensions and app store services to target individuals conducting research on the inter-Korean conflict. The group is tracked by both the U.S. and South Korean governments along with private-sector cybersecurity companies due to their large-scale social engineering campaigns. In 2023, Velvet Chollima notably increased its activities, shifting towards a greater focus on cryptocurrency in addition to its traditional focus on cyber espionage. This shift was marked by the use of evasion and disruption techniques to bypass security tools. The group has also been observed exploiting critical vulnerabilities in widely used remote access tools like ConnectWise ScreenConnect to deploy malware strains similar to the Babyshark malware family, which is associated with the group. Recently, hackers from this group have been exploiting disclosed ScreenConnect vulnerabilities to deploy a new variant of malware, dubbed ToddlerShark by researchers. This new malware overlaps with ReconShark and BabyShark, reconnaissance tools previously used by Velvet Chollima. As a state-sponsored hacking group, Velvet Chollima continues to pose a significant threat to organizations and governments worldwide, particularly those involved in research or activities related to the inter-Korean conflict.

Description last updated: 2024-03-21T22:14:15.605Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Kimsuky is a possible alias for Velvet Chollima. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group first identified by Kaspersky researchers in 2013. The group has been involved in various cyber espionage activities against global targ	6
Thallium is a possible alias for Velvet Chollima. Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Chrome

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Velvet Chollima Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	7 months ago	North Korea-Linked Group Levels Multistage Cyberattack on South Korea
CERT-EU	7 months ago	Cyber Security Week in Review: March 8, 2024
CERT-EU	7 months ago	North Korea’s Kimsuky gang joins rush to exploit new ScreenConnect bugs
CERT-EU	7 months ago	Critical ScreenConnect flaws exploited to deploy Babyshark malware variant
CERT-EU	7 months ago	ScreenConnect flaws exploited to drop new ToddleShark malware
BankInfoSecurity	8 months ago	OpenAI and Microsoft Terminate State-Backed Hacker Accounts
CERT-EU	10 months ago	Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
CERT-EU	a year ago	North Korea’s social engineering threat not going away
Securityaffairs	a year ago	Experts detail a new Kimsuky social engineering campaign
CERT-EU	a year ago	Target of North Korean APT attack spills details of recent Kimsuky campaign
Flashpoint	2 years ago	No title
CERT-EU	a year ago	North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
MITRE	2 years ago	Cyber-espionage group uses Chrome extension to infect victims
MITRE	2 years ago	Kimsuky APT continues to target South Korean government using AppleSeed backdoor
CERT-EU	2 years ago	German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
CERT-EU	2 years ago	North Korean hackers plot Gmail theft attacks via Chrome extension \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
DARKReading	2 years ago	Malicious ChatGPT Extensions Add to Google Chrome Woes
CERT-EU	2 years ago	North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations \| #cybercrime \| #infosec – National Cyber Security Consulting
CERT-EU	a year ago	Hacker Group Names Are Now Absurdly Out of Control \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
CERT-EU	a year ago	ReconShark – Kimsuky’s Newest Recon Tool