aka: Velvet Chollima, Black Banshee, Thallium, Operation Stolen Pencil, G0086, APT43
This North Korea-linked threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes, chiefly through credential-harvesting spear phishing and custom backdoors (e.g. AppleSeed, BabyShark) documented in the reports below.
2023-06-28 ⋅ AhnLab ⋅ Sanseo @online{sanseo:20230628:kimsuky:342e1c2,
author = {Sanseo},
title = {{Kimsuky Attack Group Abusing Chrome Remote Desktop}},
date = {2023-06-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/54804/},
language = {Korean},
urldate = {2023-07-16}
}
Kimsuky Attack Group Abusing Chrome Remote Desktop Appleseed |
2023-05-23 ⋅ Aleksandar Milenkoski @online{milenkoski:20230523:kimsuky:dd0cbc4,
author = {Aleksandar Milenkoski},
title = {{Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit}},
date = {2023-05-23},
url = {https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/},
language = {English},
urldate = {2023-05-30}
}
Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit RandomQuery |
2023-05-22 ⋅ AhnLab ⋅ ASEC @online{asec:20230522:kimsuky:6007eeb,
author = {ASEC},
title = {{Kimsuky Group Using Meterpreter to Attack Web Servers}},
date = {2023-05-22},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/53046/},
language = {English},
urldate = {2023-08-07}
}
Kimsuky Group Using Meterpreter to Attack Web Servers Kimsuky Meterpreter |
2023-05-17 ⋅ S2W LAB Inc. ⋅ BLKSMTH @online{blksmth:20230517:detailed:4e38725,
author = {BLKSMTH},
title = {{Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang}},
date = {2023-05-17},
organization = {S2W LAB Inc.},
url = {https://medium.com/s2wblog/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a},
language = {Korean},
urldate = {2023-05-30}
}
Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang AlphaSeed |
2023-05-04 ⋅ SentinelOne ⋅ Tom Hegel @online{hegel:20230504:kimsuky:6f04a16,
author = {Tom Hegel},
title = {{Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign}},
date = {2023-05-04},
organization = {SentinelOne},
url = {https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/},
language = {English},
urldate = {2023-05-05}
}
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign BabyShark |
2023-04-05 ⋅ Google ⋅ Adam Weidemann, Google Threat Analysis Group @online{weidemann:20230405:how:c5ac947,
author = {Adam Weidemann and {Google Threat Analysis Group}},
title = {{How we’re protecting users from government-backed attacks from North Korea}},
date = {2023-04-05},
organization = {Google},
url = {https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/},
language = {English},
urldate = {2023-04-22}
}
How we’re protecting users from government-backed attacks from North Korea BabyShark |
2023-03-28 ⋅ Mandiant ⋅ Fred Plan, Van Ta, Michael Barnhart, Jeff Johnson, Dan Perez, Joe Dobson @online{plan:20230328:apt43:2cb37c1,
author = {Fred Plan and Van Ta and Michael Barnhart and Jeff Johnson and Dan Perez and Joe Dobson},
title = {{APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations}},
date = {2023-03-28},
organization = {Mandiant},
url = {https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report},
language = {English},
urldate = {2023-04-25}
}
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations APT43 Kimsuky |
2023-02-02 ⋅ WithSecure ⋅ Sami Ruohonen, Stephen Robinson @techreport{ruohonen:20230202:no:2a5fce3,
author = {Sami Ruohonen and Stephen Robinson},
title = {{No Pineapple! – DPRK Targeting of Medical Research and Technology Sector}},
date = {2023-02-02},
institution = {WithSecure},
url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf},
language = {English},
urldate = {2023-08-25}
}
No Pineapple! – DPRK Targeting of Medical Research and Technology Sector Dtrack GREASE QuiteRAT |
2022-11-02 ⋅ ASEC ⋅ ASEC @online{asec:20221102:appleseed:0cc5b91,
author = {ASEC},
title = {{Appleseed Being Distributed to Nuclear Power Plant-Related Companies}},
date = {2022-11-02},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/41015/},
language = {English},
urldate = {2022-11-03}
}
Appleseed Being Distributed to Nuclear Power Plant-Related Companies Appleseed |
2022-10-24 ⋅ Medium s2wlab ⋅ Lee Sebin, Shin Yeongjae @online{sebin:20221024:unveil:8034279,
author = {Lee Sebin and Shin Yeongjae},
title = {{Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware}},
date = {2022-10-24},
organization = {Medium s2wlab},
url = {https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f},
language = {English},
urldate = {2022-12-20}
}
Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware FastFire FastSpy |
2022-08-26 ⋅ cocomelonc @online{cocomelonc:20220826:malware:c330f1e,
author = {cocomelonc},
title = {{Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.}},
date = {2022-08-26},
url = {https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example. Kimsuky |
2022-08-09 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220809:pivoting:7afbaea,
author = {Jason Reaves and Joshua Platt},
title = {{Pivoting on a SharpExt to profile Kimusky panels for great good}},
date = {2022-08-09},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9},
language = {English},
urldate = {2023-02-06}
}
Pivoting on a SharpExt to profile Kimusky panels for great good Kimsuky |
2022-08-02 ⋅ ASEC ⋅ ASEC Analysis Team @online{team:20220802:word:dbe2c7e,
author = {{ASEC Analysis Team}},
title = {{Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)}},
date = {2022-08-02},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/37396/},
language = {English},
urldate = {2022-08-02}
}
Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky) Kimsuky |
2022-07-21 ⋅ ASEC ⋅ ASEC Analysis Team @online{team:20220721:dissemination:586ca95,
author = {{ASEC Analysis Team}},
title = {{Dissemination of AppleSeed to Specific Military Maintenance Companies}},
date = {2022-07-21},
organization = {ASEC},
url = {https://asec.ahnlab.com/ko/36918/},
language = {Korean},
urldate = {2022-07-25}
}
Dissemination of AppleSeed to Specific Military Maintenance Companies Appleseed |
2022-07-11 ⋅ ASEC ⋅ ASEC @online{asec:20220711:appleseed:c064586,
author = {ASEC},
title = {{AppleSeed Disguised as Purchase Order and Request Form Being Distributed}},
date = {2022-07-11},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/36368/},
language = {English},
urldate = {2022-11-03}
}
AppleSeed Disguised as Purchase Order and Request Form Being Distributed Appleseed |
2022-04-20 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220420:malware:b20963e,
author = {cocomelonc},
title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}},
date = {2022-04-20},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky |
2022-03-01 ⋅ Huntress Labs ⋅ John Hammond @online{hammond:20220301:targeted:c462269,
author = {John Hammond},
title = {{Targeted APT Activity: BABYSHARK Is Out for Blood}},
date = {2022-03-01},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood},
language = {English},
urldate = {2022-03-07}
}
Targeted APT Activity: BABYSHARK Is Out for Blood BabyShark |
2022-01-05 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220105:analysis:6eadabd,
author = {{ASEC Analysis Team}},
title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}},
date = {2022-01-05},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/30532/},
language = {English},
urldate = {2022-04-15}
}
Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash) Appleseed Kimsuky PEBBLEDASH |
2021-11-18 ⋅ Proofpoint ⋅ Darien Huss, Selena Larson @techreport{huss:20211118:triple:dd07fa8,
author = {Darien Huss and Selena Larson},
title = {{Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies}},
date = {2021-11-18},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf},
language = {English},
urldate = {2021-12-15}
}
Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies YoreKey |
2021-11-18 ⋅ Proofpoint ⋅ Darien Huss, Selena Larson @online{huss:20211118:triple:62c1c14,
author = {Darien Huss and Selena Larson},
title = {{Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals}},
date = {2021-11-18},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals},
language = {English},
urldate = {2021-12-15}
}
Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals YoreKey |
2021-11-16 ⋅ AhnLab ⋅ ASEC Analysis Team @techreport{team:20211116:analysis:77a82f6,
author = {{ASEC Analysis Team}},
title = {{Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)}},
date = {2021-11-16},
institution = {AhnLab},
url = {https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf},
language = {English},
urldate = {2022-05-04}
}
Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash) Appleseed PEBBLEDASH |
2021-11-03 ⋅ Telsy ⋅ Telsy Research Team @online{team:20211103:dissecting:aa23c19,
author = {{Telsy Research Team}},
title = {{Dissecting new AppleSeed backdoor of Kimsuky threat actor}},
date = {2021-11-03},
organization = {Telsy},
url = {https://www.telsy.com/download/5654/?uid=4869868efd},
language = {English},
urldate = {2021-11-08}
}
Dissecting new AppleSeed backdoor of Kimsuky threat actor Appleseed |
2021-10-07 ⋅ S2W Inc. ⋅ Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak @online{kim:20211007:operation:6b8234f,
author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak},
title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}},
date = {2021-10-07},
organization = {S2W Inc.},
url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/},
language = {English},
urldate = {2021-10-14}
}
Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head? Appleseed Kimsuky |
2021-09-02 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210902:attacks:39695ea,
author = {{ASEC Analysis Team}},
title = {{Attacks using metasploit meterpreter}},
date = {2021-09-02},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/26705/},
language = {Korean},
urldate = {2022-04-15}
}
Attacks using metasploit meterpreter Appleseed Meterpreter |
2021-08-23 ⋅ InQuest ⋅ Dmitry Melikov @online{melikov:20210823:kimsuky:e899bfa,
author = {Dmitry Melikov},
title = {{Kimsuky Espionage Campaign}},
date = {2021-08-23},
organization = {InQuest},
url = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign},
language = {English},
urldate = {2021-08-30}
}
Kimsuky Espionage Campaign Kimsuky |
2021-06-11 ⋅ TEAMT5 ⋅ Linda Kuo, Zih-Cing Liao @techreport{kuo:20210611:story:897e55c,
author = {Linda Kuo and Zih-Cing Liao},
title = {{Story of the ‘Phisherman’ - Dissecting Phishing Techniques of CloudDragon APT (slides)}},
date = {2021-06-11},
institution = {TEAMT5},
url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf},
language = {English},
urldate = {2021-06-22}
}
Story of the ‘Phisherman’ - Dissecting Phishing Techniques of CloudDragon APT (slides) Appleseed BabyShark |
2021-06-11 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Linda Kuo, Zih-Cing Liao @online{kuo:20210611:dissecting:cd60a32,
author = {Linda Kuo and Zih-Cing Liao},
title = {{Dissecting Phishing Techniques Of CloudDragon APT}},
date = {2021-06-11},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI},
language = {English},
urldate = {2021-06-22}
}
Dissecting Phishing Techniques Of CloudDragon APT Appleseed BabyShark |
2021-06-01 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20210601:kimsuky:922141b,
author = {Hossein Jazi},
title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}},
date = {2021-06-01},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/},
language = {English},
urldate = {2021-06-09}
}
Kimsuky APT continues to target South Korean government using AppleSeed backdoor Appleseed |
2021-05-20 ⋅ Github (microsoft) ⋅ Microsoft @online{microsoft:20210520:microsoft:41112d3,
author = {Microsoft},
title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}},
date = {2021-05-20},
organization = {Github (microsoft)},
url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries},
language = {English},
urldate = {2021-05-25}
}
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy |
2021-05-07 ⋅ TEAMT5 ⋅ Jhih-Lin Kuo, Zih-Cing Liao @techreport{kuo:20210507:we:cd620c1,
author = {Jhih-Lin Kuo and Zih-Cing Liao},
title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf},
language = {English},
urldate = {2021-09-14}
}
"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality FlowerPower Appleseed BabyShark GoldDragon NavRAT |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {{PWC UK}},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
2020-12-15 ⋅ KISA ⋅ KrCERT @techreport{krcert:20201215:operation:4784750,
author = {KrCERT},
title = {{Operation MUZABI}},
date = {2020-12-15},
institution = {KISA},
url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf},
language = {Korean},
urldate = {2021-06-04}
}
Operation MUZABI Appleseed |
2020-12-15 ⋅ KISA ⋅ KISA @techreport{kisa:20201215:operation:3972195,
author = {KISA},
title = {{Operation MUZABI}},
date = {2020-12-15},
institution = {KISA},
url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf},
language = {Korean},
urldate = {2020-12-16}
}
Operation MUZABI (same KISA/KrCERT PDF as the preceding entry; duplicate record under a second key) Kimsuky |
2020-11-04 ⋅ ESTsecurity ⋅ Alyac @online{alyac:20201104:apt:668b6b4,
author = {Alyac},
title = {{북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처}},
date = {2020-11-04},
organization = {ESTsecurity},
url = {https://blog.alyac.co.kr/3352},
language = {Korean},
urldate = {2020-11-04}
}
북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처 BabyShark |
2020-11-02 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman @online{dahan:20201102:back:64a6991,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}},
date = {2020-11-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite},
language = {English},
urldate = {2020-11-02}
}
Back to the Future: Inside the Kimsuky KGH Spyware Suite BabyShark GoldDragon KGH_SPY Kimsuky |
2020-10-27 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201027:alert:cd5c1eb,
author = {US-CERT},
title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}},
date = {2020-10-27},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a},
language = {English},
urldate = {2023-02-09}
}
Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky BabyShark GREASE MECHANICAL Meterpreter Kimsuky |
2020-09-04 ⋅ VB Localhost ⋅ Sveva Vittoria Scenarelli @techreport{scenarelli:20200904:to:f6dd57b,
author = {Sveva Vittoria Scenarelli},
title = {{To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission}},
date = {2020-09-04},
institution = {VB Localhost},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf},
language = {English},
urldate = {2021-04-30}
}
To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission FlowerPower |
2020-06-12 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20200612:probable:89a5bed,
author = {{ThreatConnect Research Team}},
title = {{Probable Sandworm Infrastructure}},
date = {2020-06-12},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure},
language = {English},
urldate = {2020-06-16}
}
Probable Sandworm Infrastructure Avaddon Emotet Kimsuky |
2020-03-10 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang @online{kim:20200310:kimsuky:f634a21,
author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang},
title = {{Kimsuky group: tracking the king of the spear phishing}},
date = {2020-03-10},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/},
language = {English},
urldate = {2020-09-23}
}
Kimsuky group: tracking the king of the spear phishing Kimsuky MyDogs |
2020-03-09 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli @online{mcconkey:20200309:tracking:1979cbf,
author = {Kris McConkey and Sveva Vittoria Scenarelli},
title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}},
date = {2020-03-09},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html},
language = {English},
urldate = {2021-05-03}
}
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1 BabyShark MyDogs Kimsuky |
2020-03-09 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli @online{mcconkey:20200309:tracking:5a16ab4,
author = {Kris McConkey and Sveva Vittoria Scenarelli},
title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2}},
date = {2020-03-09},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html},
language = {English},
urldate = {2020-07-13}
}
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2 BabyShark MyDogs Kimsuky |
2020-03-04 ⋅ MetaSwan's Lab ⋅ MetaSwan @online{metaswan:20200304:kimsuky:86badd0,
author = {MetaSwan},
title = {{Kimsuky group's resume impersonation malware}},
date = {2020-03-04},
organization = {MetaSwan's Lab},
url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware},
language = {English},
urldate = {2020-03-06}
}
Kimsuky group's resume impersonation malware Kimsuky |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-02-19 ⋅ Lexfo ⋅ Lexfo @techreport{lexfo:20200219:lazarus:f293c37,
author = {Lexfo},
title = {{The Lazarus Constellation A study on North Korean malware}},
date = {2020-02-19},
institution = {Lexfo},
url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
language = {English},
urldate = {2020-03-11}
}
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
2020-02-18 ⋅ PWC UK ⋅ Kris McConkey, Sveva Vittoria Scenarelli @online{mcconkey:20200218:tracking:b1acf1a,
author = {Kris McConkey and Sveva Vittoria Scenarelli},
title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}},
date = {2020-02-18},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html},
language = {English},
urldate = {2020-02-26}
}
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1 Kimsuky |
2019-12-18 ⋅ US District Court for the Eastern District of Virginia @online{virginia:20191218:microsoft:0576bc3,
author = {{US District Court for the Eastern District of Virginia}},
title = {{MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS}},
date = {2019-12-18},
url = {https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1},
language = {English},
urldate = {2020-04-28}
}
MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS BabyShark Kimsuky |
2019-11-14 ⋅ Youtube (mitrecorp) ⋅ Karl Scheuerman, Piotr Wojtyla @online{scheuerman:20191114:mitre:45c59cb,
author = {Karl Scheuerman and Piotr Wojtyla},
title = {{MITRE ATT\&CKcon 2.0: How a Threat Hunting Team Has Upgraded Its Use of ATT\&CK}},
date = {2019-11-14},
organization = {Youtube (mitrecorp)},
url = {https://youtu.be/hAsKp43AZmM?t=1027},
language = {English},
urldate = {2020-04-28}
}
MITRE ATT&CKcon 2.0: How a Threat Hunting Team Has Upgraded Its Use of ATT&CK Kimsuky |
2019-10-04 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang @techreport{kim:20191004:kimsuky:5780914,
author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang},
title = {{Kimsuky group: tracking the king of the spear-phishing}},
date = {2019-10-04},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf},
language = {English},
urldate = {2020-09-23}
}
Kimsuky group: tracking the king of the spear-phishing Kimsuky |
2019-09-11 ⋅ Prevailion ⋅ Danny Adamitis, Elizabeth Wharton @online{adamitis:20190911:autumn:8bec4cb,
author = {Danny Adamitis and Elizabeth Wharton},
title = {{Autumn Aperture}},
date = {2019-09-11},
organization = {Prevailion},
url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html},
language = {English},
urldate = {2020-06-08}
}
Autumn Aperture Kimsuky |
2019-06-10 ⋅ ESTsecurity ⋅ Alyac @online{alyac:20190610:special:f4e2a26,
author = {Alyac},
title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}},
date = {2019-06-10},
organization = {ESTsecurity},
url = {https://blog.alyac.co.kr/2347},
language = {Korean},
urldate = {2020-03-17}
}
[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common Kimsuky |
2019-02-25 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190225:how:d4a68d6,
author = {Kevin Perlow},
title = {{How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group}},
date = {2019-02-25},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/},
language = {English},
urldate = {2020-05-19}
}
How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group NavRAT |
2019-02-22 ⋅ Twitter ⋅ 0xffff0800 @online{0xffff0800:20190222:pe:ea39c56,
author = {0xffff0800},
title = {{Tweet on PE}},
date = {2019-02-22},
organization = {Twitter},
url = {https://twitter.com/i/web/status/1099147896950185985},
language = {English},
urldate = {2020-01-08}
}
Tweet on PE BabyShark |
2019-02-22 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20190222:new:7bda906,
author = {{Unit 42}},
title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}},
date = {2019-02-22},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/},
language = {English},
urldate = {2020-01-07}
}
New BabyShark Malware Targets U.S. National Security Think Tanks BabyShark Kimsuky |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:kimsuky:828a4d5,
author = {{Cyber Operations Tracker}},
title = {{Kimsuky}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/kimsuky},
language = {English},
urldate = {2019-12-20}
}
Kimsuky Kimsuky |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:stolen:1489d7d,
author = {{MITRE ATT\&CK}},
title = {{Group description: Stolen Pencil}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0086/},
language = {English},
urldate = {2019-12-20}
}
Group description: Stolen Pencil Kimsuky |
2018-12-05 ⋅ NetScout ⋅ ASERT Team @online{team:20181205:stolen:bc9dd60,
author = {{ASERT Team}},
title = {{STOLEN PENCIL Campaign Targets Academia}},
date = {2018-12-05},
organization = {NetScout},
url = {https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/},
language = {English},
urldate = {2020-01-08}
}
STOLEN PENCIL Campaign Targets Academia GREASE MECHANICAL |
2018-12-05 ⋅ NetScout ⋅ ASERT Team @online{team:20181205:stolen:0f87971,
author = {{ASERT Team}},
title = {{STOLEN PENCIL Campaign Targets Academia}},
date = {2018-12-05},
organization = {NetScout},
url = {https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia},
language = {English},
urldate = {2020-01-05}
}
STOLEN PENCIL Campaign Targets Academia Kimsuky |
2018-05-31 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères, Jungsoo An @online{mercer:20180531:navrat:bf68765,
author = {Warren Mercer and Paul Rascagnères and Jungsoo An},
title = {{NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea}},
date = {2018-05-31},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/05/navrat.html?m=1},
language = {English},
urldate = {2020-01-08}
}
NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea NavRAT |
2013-09-11 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov @online{tarakanov:20130911:kimsuky:cce4ab2,
author = {Dmitry Tarakanov},
title = {{The “Kimsuky” Operation: A North Korean APT?}},
date = {2013-09-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/},
language = {English},
urldate = {2019-12-20}
}
The “Kimsuky” Operation: A North Korean APT? Kimsuky |