DFIRLab
© 2026 DFIR Lab. All rights reserved.


Kimsuky

Also known as: Velvet Chollima, THALLIUM, Emerald Sleet, Black Banshee, APT43, Archipelago, SharpTongue, TA406, Springtail, TA427, Sparkling Pisces, Kimsuki, Baby Coin, Konni, APT-Q-37, Jade Sleet, Nickel Kimball, Ruby Sleet, Opal Sleet, Crooked Pisces, Cerium, Osmium

Status: Active · Sophistication: Advanced · Origin: North Korea · MITRE ATT&CK group: G0094

Campaigns: 0 · Techniques: 108 · IOCs: 223 · Tools: 65 · Matches: 0 · Infrastructure: 6

Overview

Kimsuky is a North Korean state-sponsored cyber espionage group active since at least 2012, assessed to operate under the Reconnaissance General Bureau (RGB). The group primarily focuses on intelligence collection targeting South Korean government entities, think tanks, academic institutions, and individuals involved in Korean Peninsula geopolitics, nuclear policy, and sanctions. Kimsuky is known for its extensive social engineering operations, often impersonating journalists, academics, or think tank personnel to build rapport with targets before delivering malware. The group conducts sophisticated spear-phishing campaigns using meticulously crafted lures related to North Korean policy, denuclearization, and inter-Korean relations. The group has expanded its targeting beyond South Korea to include the United States, Japan, and European countries. Kimsuky frequently abuses legitimate cloud services (Google Drive, OneDrive, Dropbox) for command and control, and has developed a diverse malware toolkit including reconnaissance tools, keyloggers, and credential stealers.

Motivations

Espionage · Intelligence Collection · Credential Theft

Target Sectors

Government, Think Tanks, Academia, Defense, Nuclear Policy, Journalism, Diplomacy, Non-Governmental Organizations, Strategic Advisory Firms, Cryptocurrency Firms, Media Organizations, Media, Aerospace, Cryptocurrency, Education, Research, Research Institutes, Academic Institutions, Healthcare, Research Institutions, Universities, Defense Industry, Diplomatic Entities, Defense Industrial Base, Telecommunications, Diplomatic Organizations, Defense Contractors, Diplomatic, Policy Organizations, Technology, Human Rights Organizations, Foreign Affairs, Higher Education, Pharmaceuticals

Activity Timeline

First Seen: Jan 2012

Last Seen: Jan 2024

Quick Facts

Origin: North Korea

Sophistication: Advanced

Status: Active

MITRE Group: G0094

MITRE ATT&CK Techniques (108)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

Other

T1598.003, T1204.001, T1204.002, T1059.005, T1059.006, T1071.001, T1102, T1056.001, T1114.002, T1539, T1583.001, T1598, T1056.003, T1562.004, T1550.002, T1588.006, T1534, T1185, T1567.002, T1608.001, T1608.004, T1608.005, T1589.002, T1591, T1593, T1594, T1213, T1583.006, T1586.002, T1586.003, T1585.002, T1583.003, T1218.011, T1036.005, T1036.001, T1218.005, T1553.002, T1055.001, T1057, T1614.001, T1033, T1518.001, T1070.004, T1119, T1560.001, T1020, T1048.003, T1071.004, T1132.001, T1566.003, T1221, T1176, T1137, T1016, T1049, T1069, T1124, T1497, T1552.001, T1552.004, T1573.001, T1571, T1053.005, T1569.001, T1129, T1574.001, T1543.003, T1547.009, T1114.001, T1087.002, T1087.003, T1003.005, T1555.003, T1114.003, T1213.002, T1588.002, T1588.001, T1583.004, T1584.004, T1027.002, T1027.010, T1203, T1566.004

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

T1110

Brute Force

Systematically guess passwords or credentials to gain access.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Reconnaissance

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

Discovery

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Tools & Malware (65)

BabyShark (malware, Malicious)
VBScript-based reconnaissance tool that exfiltrates system information via HTTP. Used as an initial access payload in spear-phishing campaigns targeting think tanks and policy researchers.

AppleSeed (malware, Malicious)
Full-featured backdoor supporting keylogging, screenshot capture, file exfiltration, and additional module loading. Primary persistent access tool in Kimsuky campaigns.

ReconShark (malware, Malicious)
Reconnaissance tool delivered via weaponized documents. Exfiltrates system configuration, running processes, and battery information to determine whether the target is worth further exploitation.

SHARPEXT (malware, Malicious)
Malicious Chromium browser extension that reads email directly from the victim's webmail (Gmail, AOL, Yahoo). Bypasses 2FA because it operates within the already-authenticated browser session.

GoldDragon (malware, Malicious)
Multi-component backdoor that uses a dedicated module for stealing credentials. Operates with a dropper, injector, and payload architecture for modular deployment.

FlowerPower (malware, Malicious)
PowerShell-based reconnaissance and data collection tool. Gathers system information, installed programs, and recent documents, and sends the data to attacker-controlled cloud services.

RandomQuery (malware, Malicious)
VBScript info-stealer that collects file listings from specific directories. Targets document files to identify intelligence value before deploying heavier payloads.

FastViewer (malware, Malicious)
Android spyware disguised as a security plugin. Captures SMS, call logs, and GPS location, and can exfiltrate files from the device. Targets South Korean mobile users.

Google Drive (legitimate tool, Legitimate)
Abused as a C2 channel: malware uploads stolen data to attacker-controlled Google Drive accounts and retrieves commands from shared documents.

OneDrive (legitimate tool, Legitimate)
Used as a file exfiltration channel, with stolen documents and credentials uploaded to attacker-controlled OneDrive accounts to blend with normal cloud traffic.

Dropbox (legitimate tool, Legitimate)
Used for command-and-control communication, storing encoded commands and receiving exfiltrated data through the Dropbox API.

PowerShell (os utility, Legitimate)
Used extensively for executing encoded reconnaissance scripts, downloading secondary payloads, and harvesting credentials from browser stores.

mshta.exe (os utility, Legitimate)
HTML Application host abused to execute HTA files containing VBScript or JScript payloads, bypassing application whitelisting controls.

Chrome Remote Desktop (legitimate tool, Legitimate)
Abused for persistent remote access after initial compromise. A legitimate Google tool that is difficult for defenders to distinguish from authorized usage.

xRAT / QuasarRAT (framework, Malicious)
Open-source .NET RAT used as a lightweight remote access tool in some Kimsuky campaigns, providing screen control, file management, and keylogging.

Grease (RAT, Malicious)
Remote access trojan with keylogging and screen capture capabilities.

KGH_SPY (Stealer, Malicious)
Information stealer targeting browser credentials and email data.

Meterpreter (RAT, Legitimate)
Legitimate Metasploit Framework payload used by Kimsuky for post-exploitation.

PebbleDash (Backdoor, Malicious)
Second-stage malware with command execution capabilities.

Clipboard Stealer (Stealer, Malicious)
Malware designed to steal clipboard data, including cryptocurrency wallet addresses.

Ordered (Backdoor, Malicious)
PowerShell-based backdoor with command execution and file manipulation capabilities.

Phishing Stealer (Stealer, Malicious)
Credential harvesting tool targeting webmail and social media accounts.

Gold Dragon (Backdoor, Malicious)
Python-based backdoor with keylogging and screenshot capabilities.

TutorialRAT (RAT, Malicious)
Remote access trojan with keylogging and screen capture functionality.

PhantomStar (Backdoor, Malicious)
Windows backdoor delivered through spear-phishing campaigns.

CSPY Downloader (Loader, Malicious)
Malicious downloader distributed via malicious CHM files.

RokRAT (RAT, Malicious)
Cloud-based RAT using legitimate cloud services for C2.

BetaSeed (Backdoor, Malicious)
Variant of the AppleSeed backdoor with enhanced capabilities.

Amadey (Backdoor, Malicious)
Commodity botnet malware adopted by Kimsuky for credential theft.

Troll Stealer (Stealer, Malicious)
Credential and browser data stealer.

Infostealer (Stealer, Malicious)
Generic information stealer targeting browser credentials and system information.

FastReverseProxy (Other, Legitimate)
Legitimate proxy tool abused for network tunneling.

Kumsong (RAT, Malicious)
Remote access trojan used for surveillance and data collection operations, capable of keylogging and screenshot capture.

ThreatNeedle (Backdoor, Malicious)
Custom backdoor used in targeted campaigns against defense and government sectors with advanced evasion techniques.

Quasar RAT (RAT, Malicious)
Open-source remote access trojan adopted by Kimsuky for remote control operations.

Recon (Backdoor, Malicious)
Multi-stage backdoor capable of keylogging, screenshot capture, and file exfiltration. Often deployed alongside AppleSeed.

Kimsuky Mailer (Stealer, Malicious)
Email exfiltration tool designed to steal credentials and email content from victims' accounts.

Fastfire (Backdoor, Malicious)
Malware capable of keylogging, screenshot capture, and arbitrary file upload/download.

TrollAgent (Stealer, Malicious)
Information stealer focused on browser credentials and system information.

RambleOn (Backdoor, Malicious)
Cloud-based backdoor using cloud storage services for C2.

Kimsuky Android Spy (Other, Malicious)
Android mobile malware targeting Korean users, capable of exfiltrating contacts, SMS messages, call logs, and device location.

Smoke Screen (Stealer, Malicious)
PowerShell-based information stealer designed to harvest credentials from web browsers and email clients.

Goldbackdoor (Backdoor, Malicious)
PowerShell-based backdoor for remote access and command execution.

Mailbox Finder (Other, Malicious)
Tool designed to enumerate and extract email addresses from compromised systems.

Kimsuky-Loader (Loader, Malicious)
Malicious payload loader that establishes persistence and deploys subsequent-stage malware.

Nirsoft tools (Other, Legitimate)
Suite of legitimate system administration tools abused for credential harvesting, including WebBrowserPassView and Mail PassView.

Pencil (Backdoor, Malicious)
Multi-stage backdoor capable of file operations, command execution, and keylogging.

Alien (Loader, Malicious)
Multi-stage malware loader that deploys additional payloads and maintains persistence on compromised systems.

Compiled HTML Help (Other, Legitimate)
Legitimate CHM file format weaponized to deliver malicious payloads through help documentation.

Brave Prince (Backdoor, Malicious)
Backdoor malware targeting Windows systems with screen capture and file exfiltration capabilities.

FastSpy (Stealer, Malicious)
Information stealer focused on browser credentials and email harvesting.

LazyLoad (Loader, Malicious)
Multi-stage loader that decodes and executes embedded shellcode to deploy subsequent payloads while evading detection.

BabyDrop (Loader, Malicious)
Dropper used to deploy additional malware components and establish initial access.

Kimsuky-Stealer (Stealer, Malicious)
Chrome browser credential stealer targeting saved passwords and cookies.

Kibae (Stealer, Malicious)
Information stealer targeting credentials and browser data.

Gh0st RAT (RAT, Malicious)
Publicly available RAT adopted and modified by Kimsuky for remote control operations.

Kimpork (Stealer, Malicious)
Browser data and credential theft tool.

KimJongRAT (RAT, Malicious)
Remote access trojan with keylogging and screen capture capabilities.

Nirsoft MailPassView (Other, Legitimate)
Legitimate password recovery tool weaponized for email credential theft.

Nirsoft WebBrowserPassView (Other, Legitimate)
Legitimate browser password recovery tool used for credential harvesting.

Karae (Stealer, Malicious)
Information stealer targeting credentials and documents.

Cuckoo Rat (RAT, Malicious)
Remote access trojan with keylogging and screen capture capabilities, often used in targeted attacks against South Korean entities.

TinyNuke (Stealer, Malicious)
Banking trojan and information stealer adapted by Kimsuky for credential harvesting operations.

Chrominator (Stealer, Malicious)
Chrome-based credential stealer and cookie harvester.

Geniewiper (Loader, Malicious)
Loader component that deploys additional payloads and establishes C2 communications.

Indicators of Compromise (223)

IOC values are defanged for safety.
domainnaver-net[.]comTyposquatting domain impersonating Naver portal
domainhanmail-net[.]comTyposquatting domain impersonating Hanmail service
domainaccount-naver-users[.]comPhishing domain impersonating Naver webmail service used in 2023 campaigns
hash8c5b4c8b3d3e9c1f2f5a7b8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8fAppleSeed backdoor sample from 2023 campaign
domaindaum-mail-center[.]comPhishing domain mimicking Daum email service for credential harvesting
domainmybonacom[.]comC2 domain used in 2023 AppleSeed campaigns
domainbrowndraw[.]comC2 infrastructure for credential harvesting operations
domaincloudmail[.]mireene[.]comCommand and control domain used in 2023 campaigns
domainmyaccount-confirm[.]comPhishing domain impersonating account verification services
hash7f8e3f9a5c1e8d9f2b4c6a1d3e5f7a9b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8fSHA256 hash of AppleSeed backdoor variant
domainaccount-google[.]uzinfocom[.]uzPhishing domain impersonating Google account services
domainhealthmedicine[.]onlineKimsuky C2 domain used in 2023-2024 campaigns
domainmailgoogle[.]onlinePhishing domain impersonating Google services
domainseoulsolution[.]orgC2 domain targeting South Korean entities

Infrastructure (6)

Domain values are defanged for safety.

| Domain / Host | Type | Status | Last Checked | Notes |
| --- | --- | --- | --- | --- |
| bigfile[.]pe[.]hu | c2 | offline | Apr 2, 2026 | C2 domain used in South Korean government targeting |
| mybobo[.]mygamesonline[.]org | c2 | offline | Apr 2, 2026 | BabyShark C2 infrastructure |
| 27[.]102[.]114[.]89 | ip | offline | Apr 2, 2026 | Infrastructure linked to AppleSeed campaigns |
| 158[.]247[.]222[.]165 | ip | active | Apr 2, 2026 | ReconShark C2 server |
| kzloly[.]nmailhub[.]com | domain | offline | Apr 2, 2026 | |
| quickcon[.]store | domain | unknown | — | |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
