Kimsuky (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Kimsuky (Back to overview)

aka: APT43, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Sparkling Pisces, Springtail, THALLIUM, Thallium, Velvet Chollima

This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

Associated Families

apk.fastfire apk.fastspy elf.gomir ps1.flowerpower ps1.unidentified_004 vbs.randomquery win.alphaseed win.nikihttp ps1.randomquery win.appleseed win.babyshark win.grease win.kimsuky win.mechanical win.navrat win.troll_stealer win.yorekey

References

2024-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniel Frank, Lior Rochberger
Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
FPSpy KLogEXE Kimsuky

2024-06-19 ⋅ BartBlaze, Nguyen Nguyen
New North Korean based backdoor packs a punch
NikiHTTP

2024-05-16 ⋅ Symantec ⋅ Threat Hunter Team
Springtail: New Linux Backdoor Added to Toolkit
Gomir Kimsuky

2024-03-18 ⋅ Securonix ⋅ Den Iyzvyk, Oleg Kolesnikov, Tim Peck
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
RandomQuery

2024-03-09 ⋅ somedieyoungZZ
Kimsuky 2
Unidentified PS 004 (RAT)

2024-03-05 ⋅ Kroll ⋅ Dave Truman, George Glass, Keith Wojcieszek
TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
BabyShark

2024-02-07 ⋅ Medium s2wlab ⋅ Jiho Kim, Sebin Lee
Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer
AlphaSeed Appleseed Troll Stealer

2024-01-22 ⋅ SentinelOne ⋅ Aleksandar Milenkoski, Tom Hegel
ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals
Kimsuky

2023-12-28 ⋅ AhnLab ⋅ Sanseo
Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed
AlphaSeed Appleseed

2023-12-01 ⋅ ASEC ⋅ ASEC
Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
XRat Amadey Appleseed PEBBLEDASH

2023-06-28 ⋅ ⋅ AhnLab ⋅ Sanseo
Kimsuky Attack Group Abusing Chrome Remote Desktop
Appleseed

2023-05-23 ⋅ Aleksandar Milenkoski
Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit
RandomQuery

2023-05-22 ⋅ AhnLab ⋅ ASEC
Kimsuky Group Using Meterpreter to Attack Web Servers
Kimsuky Meterpreter

2023-05-17 ⋅ ⋅ S2W LAB Inc. ⋅ BLKSMTH
Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang
AlphaSeed

2023-05-04 ⋅ SentinelOne ⋅ Tom Hegel
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
BabyShark

2023-04-05 ⋅ Google ⋅ Adam Weidemann, Google Threat Analysis Group
How we’re protecting users from government-backed attacks from North Korea
BabyShark

2023-03-28 ⋅ Mandiant ⋅ Dan Perez, Fred Plan, JEFF JOHNSON, JOE DOBSON, Michael Barnhart, Van Ta
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
APT43 Kimsuky

2023-02-02 ⋅ WithSecure ⋅ Sami Ruohonen, Stephen Robinson
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT

2023-01-01 ⋅ ThreatMon ⋅ Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team
Unraveling the Layers: Analysis of Kimsuky's Multi-Staged Cyberattack
Kimsuky

2022-11-02 ⋅ ASEC ⋅ ASEC
Appleseed Being Distributed to Nuclear Power Plant-Related Companies
Appleseed

2022-10-24 ⋅ Medium s2wlab ⋅ Lee Sebin, Shin Yeongjae
Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
FastFire FastSpy

2022-08-26 ⋅ cocomelonc
Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.
Kimsuky

2022-08-09 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Pivoting on a SharpExt to profile Kimusky panels for great good
Kimsuky

2022-08-02 ⋅ ASEC ⋅ ASEC Analysis Team
Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)
Kimsuky

2022-07-21 ⋅ ⋅ ASEC ⋅ ASEC Analysis Team
Dissemination of AppleSeed to Specific Military Maintenance Companies
Appleseed

2022-07-11 ⋅ ASEC ⋅ ASEC
AppleSeed Disguised as Purchase Order and Request Form Being Distributed
Appleseed

2022-04-20 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky

2022-03-01 ⋅ Huntress Labs ⋅ John Hammond
Targeted APT Activity: BABYSHARK Is Out for Blood
BabyShark

2022-01-05 ⋅ AhnLab ⋅ ASEC Analysis Team
Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH

2021-11-18 ⋅ Proofpoint ⋅ Darien Huss, Selena Larson
Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
YoreKey

2021-11-18 ⋅ Proofpoint ⋅ Darien Huss, Selena Larson
Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
YoreKey TA406

2021-11-16 ⋅ AhnLab ⋅ ASEC Analysis Team
Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
Appleseed PEBBLEDASH

2021-11-03 ⋅ Telsy ⋅ Telsy Research Team
Dissecting new AppleSeed backdoor of Kimsuky threat actor
Appleseed

2021-10-07 ⋅ S2W Inc. ⋅ Jaeki Kim, Kyoung-ju Kwak, Sojun Ryu
Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky

2021-09-02 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team
Attacks using metasploit meterpreter
Appleseed Meterpreter

2021-08-23 ⋅ InQuest ⋅ Dmitry Melikov
Kimsuky Espionage Campaign
Kimsuky

2021-06-11 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Linda Kuo, Zih-Cing Liao
Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark

2021-06-11 ⋅ TEAMT5 ⋅ Linda Kuo, Zih-Cing Liao
Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark

2021-06-01 ⋅ Malwarebytes ⋅ Hossein Jazi
Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed

2021-05-20 ⋅ Github (microsoft) ⋅ Microsoft
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy

2021-05-07 ⋅ TEAMT5 ⋅ Jhih-Lin Kuo, Zih-Cing Liao
"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2020-12-15 ⋅ ⋅ KISA ⋅ KrCERT
Operation MUZABI
Appleseed

2020-12-15 ⋅ ⋅ KISA ⋅ KISA
Operation MUZABI
Kimsuky

2020-11-04 ⋅ ⋅ ESTsecurity ⋅ Alyac
북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처
BabyShark

2020-11-02 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman
Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky

2020-10-27 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark GREASE MECHANICAL Meterpreter Kimsuky

2020-09-04 ⋅ VB Localhost ⋅ Sveva Vittoria Scenarelli
To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission
FlowerPower

2020-06-12 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky

2020-03-10 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs

2020-03-09 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
BabyShark MyDogs Kimsuky

2020-03-09 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2
BabyShark MyDogs Kimsuky

2020-03-04 ⋅ MetaSwan's Lab ⋅ MetaSwan
Kimsuky group's resume impersonation malware
Kimsuky

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-18 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky

2019-12-18 ⋅ US District Court for the Eastern District of Virginia
MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS
BabyShark Kimsuky

2019-11-14 ⋅ Youtube (mitrecorp) ⋅ Karl Scheuerman, Piotr Wojtyla
MITRE ATT&CKcon 2.0: How a Threat Hunting Team Has Upgraded Its Use of ATT&CK
Kimsuky

2019-10-04 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
Kimsuky group: tracking the king of the spear-phishing
Kimsuky

2019-09-11 ⋅ Prevailion ⋅ Danny Adamitis, Elizabeth Wharton
Autumn Aperture
Kimsuky

2019-06-10 ⋅ ⋅ ESTsecurity ⋅ Alyac
[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky

2019-02-25 ⋅ One Night in Norfolk ⋅ Kevin Perlow
How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group
NavRAT

2019-02-22 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
New BabyShark Malware Targets U.S. National Security Think Tanks
BabyShark Kimsuky

2019-02-22 ⋅ Twitter ⋅ 0xffff0800
Tweet on PE
BabyShark

2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Kimsuky
Kimsuky

2019-01-01 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Stolen Pencil
Kimsuky

2018-12-05 ⋅ NetScout ⋅ ASERT Team
STOLEN PENCIL Campaign Targets Academia
Kimsuky

2018-12-05 ⋅ NetScout ⋅ ASERT Team
STOLEN PENCIL Campaign Targets Academia
GREASE MECHANICAL

2018-05-31 ⋅ Cisco Talos ⋅ Jungsoo An, Paul Rascagnères, Warren Mercer
NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
NavRAT

2013-09-11 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
The “Kimsuky” Operation: A North Korean APT?
Kimsuky

Credits: MISP Project