Threat Actor Profile

Kimsuky

Aliases: APT43, Black Banshee, Earth Kumiho, Emerald Sleet, G0086, G0094, Operation Stolen Pencil, PatheticSlug, Sparkling Pisces, Springtail, TA427, Thallium, Velvet Chollima
Threat Level: High
This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.
Origin: North Korea
Sponsor: Korea (Democratic People's Republic of)
Motivation: Espionage

Target Sectors

Government, Private sector, Research - Innovation, Energy, Defense, Diplomacy, Academia - University, News - Media

Known TTPs

Delay Execution
Data from Local System
Malware
Acquire Infrastructure
Remote Desktop Protocol
Email Accounts
Phishing
Disable or Modify Tools
Malicious File
Network Sniffing
Spearphishing Link
Web Portal Capture
Steal Web Session Cookie
Tool
Local Accounts
Automated Exfiltration
Deobfuscate/Decode Files or Information
Malicious Copy and Paste
Command Obfuscation
Upload Malware
Ingress Tool Transfer
Develop Capabilities
Exfiltration to Cloud Storage
Phishing for Information
Impersonation
Code Signing
Masquerade Task or Service
Clipboard Data
Component Object Model
Bidirectional Communication
Service Stop
Browser Information Discovery
Malicious Link
Internal Spearphishing
Exploit Public-Facing Application
Social Media
Dynamic API Resolution
Encrypted/Encoded File
Establish Accounts
Employee Names
Rundll32
Hidden Users
Browser Extensions
File Deletion
Remote Desktop Software
Server
Private Keys
Reflective Code Loading
Multi-Factor Authentication Interception
Search Victim-Owned Websites
Windows Command Shell
Domains
Query Registry
Gather Victim Org Information
Web Protocols
Social Media Accounts
Financial Theft
Local Account
System Service Discovery
Dynamic Resolution
Binary Padding
Email Accounts
Archive via Custom Method
Timestomp
Spearphishing Link
LNK Icon Smuggling
Search Open Technical Databases
Junk Code Insertion
Pass the Hash
Adversary-in-the-Middle
Security Software Discovery
Mshta
Exfiltration Over C2 Channel
Browser Session Hijacking
Ignore Process Interrupts
Disable or Modify System Firewall
External Remote Services
System Information Discovery
Native API
Domains
Email Addresses
JavaScript
System Checks
Obfuscated Files or Information
Local Data Staging
Mail Protocols
Keylogging
Software Packing
Credentials In Files
Dead Drop Resolver
Archive via Utility
System Network Configuration Discovery
Credentials from Web Browsers
Dynamic-link Library Injection
Change Default File Association
Spearphishing Attachment
Process Discovery
Process Injection
Screen Capture
Modify Registry
PowerShell
Exploits
Regsvr32
Registry Run Keys / Startup Folder
Windows Service
Web Services
Query Public AI Services
File and Directory Discovery
Hidden Window
Compression
Scheduled Task
System Owner/User Discovery
Mutual Exclusion
Match Legitimate Resource Name or Location
Non-Standard Encoding
Search Engines
Double File Extension
Process Hollowing
Code Signing Certificates
Email Forwarding Rule
File Transfer Protocols
LSASS Memory
Traffic Signaling
Visual Basic
Additional Local or Domain Groups
Python
Web Shell
Local Storage Discovery
Remote Email Collection
System Time Discovery

External Resources

CISA Advisories
