{
	"id": "e411abf9-36cc-4a93-b705-881d6b6e6347",
	"created_at": "2026-04-06T02:12:33.589768Z",
	"updated_at": "2026-04-10T13:11:29.582607Z",
	"deleted_at": null,
	"sha1_hash": "052b7ca5936790e7f589583cd30e9ceb3d8a040c",
	"title": "Automated Phishing Analysis | Phishing Incident Response",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 963027,
	"plain_text": "Automated Phishing Analysis | Phishing Incident Response\r\nArchived: 2026-04-06 02:08:10 UTC\r\nThreatConnect for Phishing Attack Analysis and Response\r\nPhishing is on the rise, and the best way to protect your organization is to know what you’re looking for.\r\nThreatConnect automates phishing analysis to simplify the hunt for legitimate threats. The Platform handles\r\nsuspicious emails, reducing the time to remediate active threats from days to minutes.\r\nhttps://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/\r\nPage 1 of 7\n\nSave time spent on phishing email analysis with automation\r\nAutomated phishing analysis saves you time and helps you defend against phishing attacks faster and with more\r\nprecision. ThreatConnect has out-of-the-box workflow templates for phishing incident response and analysis tools\r\nthat identify, enrich, and help you respond to threats.\n\nPrioritize phishing emails to reduce time to respond\r\nThreatConnect’s phishing response playbook includes in-platform scoring that prioritizes emails and automates\r\nenrichment. You no longer need to manually identify malicious indicators, cutting down on your response time.\n\nMaximize insights on phishing trends\r\nPhishing attacks evolve as attackers learn what works and what doesn’t. Your organization needs phishing analysis\r\ntools to keep up with the latest trends. 
ThreatConnect provides accurate, current information about messages\r\nbased on collective threat intelligence.\r\nThreatConnect Advantages\r\nAutomated email analysis\r\nThreatConnect lets you automatically analyze reported emails to look for indicators across file attachments,\r\nembedded links, and other information. Enrich indicators with threat intelligence from third-party feeds and\r\nCAL™ to identify known malicious indicators and automatically send the indicators to your security tools, like\r\nsecure email gateway and firewalls, to respond.\n\nQuicker response times\r\nGet automated notifications when an email contains malicious indicators, triggering response efforts like blocking\r\nthe indicator in phishing defense tools like firewalls and secure web gateways. If an email is marked safe you can\r\nmark the indicator as a false positive in your threat library and add it to your exclusion list for future\r\ninvestigations.\n\nEasy user reporting\r\nMake it easy for your team members to report suspicious emails. Set up a mailbox for centralized reporting of\r\npotential phishing emails from all sources, including both humans and technologies. When the mailbox receives a\r\nmessage, the rest of the Playbook is triggered to automate the analysis and corresponding response efforts.\n\nWith ThreatConnect, we automated our phishing triage, analysis, and response, and reduced the time it\r\ntook to analyze thousands of phishing emails from 3+ hours per campaign to minutes. 
Mean time to\r\nremediate decreased by 92% vs the original 15% target over baseline.\r\nSOC Team Lead\r\nGlobal Forbes 2000 Hospital \u0026 Healthcare System\r\nTrusted by leading companies\r\nReduce false positives\r\nReduce time to analyze a phishing email\r\nReduce mean time to remediate\r\nTake time back in your day by automating phishing analysis and response.\r\nSource: https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/"
	],
	"report_names": [
		"kimsuky-phishing-operations-putting-in-work"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441553,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/052b7ca5936790e7f589583cd30e9ceb3d8a040c.pdf",
		"text": "https://archive.orkl.eu/052b7ca5936790e7f589583cd30e9ceb3d8a040c.txt",
		"img": "https://archive.orkl.eu/052b7ca5936790e7f589583cd30e9ceb3d8a040c.jpg"
	}
}