Kimsuky, Velvet Chollima

Description

(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.

Names

Name	Name-Giver
Kimsuky	Kaspersky
Velvet Chollima	CrowdStrike
Thallium	Microsoft
Black Banshee	PWC
SharpTongue	Volexity
ITG16	IBM
TA406	Proofpoint
TA427	Proofpoint
APT 43	Mandiant
ARCHIPELAGO	Google
Emerald Sleet	Microsoft
KTA082	Kroll
UAT-5394	Talos
Sparkling Pisces	Palo Alto
Springtail	Symantec
Larva-24005	AhnLab
Larva-25004	AhnLab

Country

• North Korea

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2012

Observed Sectors

• Defense
• Education
• Energy
• Government
• Healthcare
• Manufacturing
• Think Tanks
• Ministry of Unification, Sejong Institute and Korea Institute for Defense Analyses

Observed Countries

• Japan
• South Korea
• Thailand
• Ukraine
• USA
• Vietnam
• Europe

Tools

• AppleSeed
• BabyShark
• BITTERSWEET
• CSPY Downloader
• FlowerPower
• Gh0st RAT
• Gold Dragon
• Grease
• KGH_SPY
• KimJongRAT
• Kimsuky
• KPortScan
• MailPassView
• Mechanical
• Mimikatz
• MoonPeak
• MyDogs
• Network Password Recovery
• ProcDump
• PsExec
• ReconShark
• Remote Desktop PassView
• SHARPEXT
• SmallTiger
• SniffPass
• SWEETDROP
• TODDLERSHARK
• TRANSLATEXT
• Troll Stealer
• VENOMBITE
• WebBrowserPassView
• xRAT
• Living off the Land

Operations

• 2013: For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
• 2014: The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea’s 23 nuclear reactors. While the government report stated that only ‘non-critical’ networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened ‘destruction’ in a message posted to Twitter. https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/
• 2018-03: Operation “Baby Coin” https://blog.alyac.co.kr/m/1963
• 2018-05: Operation “Stolen Pencil” ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018. https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia
• 2018-10: Operation “Mystery Baby” https://blog.alyac.co.kr/m/1963
• 2018-11: The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
• 2019-01: Operation “Kabar Cobra” On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps. https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf
• 2019-04: Operation “Stealth Power” https://blog.alyac.co.kr/2234
• 2019-04: Operation “Smoke Screen” https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf
• 2019-07: Operation “Red Salt” https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf
• 2019-07: In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials. Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry. https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/
• 2020-02: We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in February 28th 2020. https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/
• 2020-02: North Korea has tried to hack 11 officials of the UN Security Council https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/
• 2020-03: According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea’s response to the COVID-19 epidemic. The documents — believed to have been sent to South Korean officials — were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky. https://twitter.com/issuemakerslab/status/1233010155018604545
• 2020-12: We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. https://securelist.com/apt-trends-report-q1-2021/101967/
• 2020-12: Kimsuky APT continues to target South Korean government using AppleSeed backdoor https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
• 2021: Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
• 2021-05: South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology. https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/
• 2021-05: North Korean hackers breached major hospital in Seoul to steal data https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/
• 2021-06: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
• 2021-09: SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
• 2022-01: On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. https://asec.ahnlab.com/en/31089/
• 2022 Early: Kimsuky’s GoldDragon cluster and its C2 operations https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
• 2022-04: Operation “Covert Stalker” https://asec.ahnlab.com/en/58654/
• 2022-10: Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f
• 2023: Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
• 2023: From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
• 2023-02: Malware Disguised as Normal Documents https://asec.ahnlab.com/en/47585/
• 2023-03: CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) https://asec.ahnlab.com/en/49295/
• 2023-03: North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign https://therecord.media/north-korea-apt-kimsuky-attacks
• 2023-03: OneNote Malware Disguised as Compensation Form (Kimsuky) https://asec.ahnlab.com/en/50303/
• 2023-04: DPRK hacking groups breach South Korean defense contractors https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/
• 2023-05: Kimsuky Distributing CHM Malware Under Various Subjects https://asec.ahnlab.com/en/54678/
• 2023-05: Kimsuky Group Using Meterpreter to Attack Web Servers https://asec.ahnlab.com/en/53046/
• 2023-05: Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel https://asec.ahnlab.com/en/52970/
• 2023-05: Ongoing Campaign Using Tailored Reconnaissance Toolkit https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
• 2023-05: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/
• 2023-06: Malware Disguised as HWP Document File (Kimsuky) https://asec.ahnlab.com/en/54736/
• 2023-07: Kimsuky Threat Group Using Chrome Remote Desktop https://asec.ahnlab.com/en/55145/
• 2023-07: Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky) https://asec.ahnlab.com/en/55219/
• 2023-08: North Korean hackers target U.S.-South Korea military drills, police say https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/
• 2023-10: Kimsuky Threat Group Uses RDP to Control Infected Systems https://asec.ahnlab.com/en/57873/
• 2023-11: Kimsuky Targets South Korean Research Institutes with Fake Import Declaration https://asec.ahnlab.com/en/59387/
• 2023-11: SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel) https://asec.ahnlab.com/en/66546/
• 2023-12: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey) https://asec.ahnlab.com/en/59590/
• 2024: Operation “DEEP#GOSU” Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
• 2024-01: Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2
• 2024-01: TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group) https://asec.ahnlab.com/en/61934/
• 2024-01: North Korean hackers exploit VPN update flaw to install malware https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/
• 2024-03: TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark
• 2024-03: Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) https://asec.ahnlab.com/en/63396/
• 2024-03: Kimsuky deploys TRANSLATEXT to target South Korean academia https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia
• 2024-03: Attack Activities by Kimsuky Targeting Japanese Organizations https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html
• 2024-05: North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html
• 2024-05: Springtail: New Linux Backdoor Added to Toolkit https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage
• 2024-06: Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky) https://asec.ahnlab.com/en/66720/
• 2024-06: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
• 2024-07: APT Group Kimsuky Targets University Researchers https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/
• 2024-09: North Korea Hackers Linked to Breach of German Missile Manufacturer https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/
• 2024-09: North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html
• 2024-09: How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations
• 2025-01: DPRK hackers dupe targets into typing PowerShell commands as admin https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/
• 2025-02: Persistent Threats from the Kimsuky Group Using RDP Wrapper https://asec.ahnlab.com/en/86098/
• 2025-02: Operation “DEEP#DRIVE” Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
• 2025-02: Phishing Email Attacks by the Larva-24005 Group Targeting Japan https://asec.ahnlab.com/en/86535/
• 2025-02: TA406 Pivots to the Front https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
• 2025-03: Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/
• 2025-05: Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate https://asec.ahnlab.com/en/88132/
• 2025-06: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group) https://asec.ahnlab.com/en/88465/

Counter Operations

• 2019-12: Microsoft takes court action against fourth nation-state cybercrime group https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/
• 2023-11: Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group https://home.treasury.gov/news/press-releases/jy1938
• 2025-02: OpenAI bans ChatGPT accounts used by North Korean hackers https://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/

Information

• https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
• https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/
• https://us-cert.cisa.gov/ncas/alerts/aa20-301a
• https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
• https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956
• https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf
• https://asec.ahnlab.com/en/30532/
• https://asec.ahnlab.com/en/60054/
• https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf
• https://asec.ahnlab.com/wp-content/uploads/2023/03/Unique-characteristics-of-Kimsuky-groups-spear-phishing-emails.pdf
• https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
• https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/
• https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
• https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/
• https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF

Mitre Attack

• https://attack.mitre.org/groups/G0094/
• https://attack.mitre.org/groups/G0086/

Other Information

Uuid

5e3544bf-98ad-4e9f-b65e-85f05c36486f

Last Card Change

2025-06-28