{
	"id": "c49f1a1a-e17f-4fd1-89b2-3998cec1b1e5",
	"created_at": "2026-04-06T00:10:11.2847Z",
	"updated_at": "2026-04-10T13:12:26.603737Z",
	"deleted_at": null,
	"sha1_hash": "0d7da12eddee96833e2f96b3d6071675a0597b5c",
	"title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9591715,
	"plain_text": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor\r\nBy Mark Stockley\r\nPublished: 2021-05-31 · Archived: 2026-04-05 22:57:49 UTC\r\nThis blog post was authored by Hossein Jazi.\r\nThe Kimsuky APT—also known as Thallium, Black Banshee, and Velvet Chollima—is a North Korean threat actor that has been active since 2012. The group conducts cyber espionage operations targeting government entities, mainly in South Korea. In December 2020, KISA (Korean Internet \u0026 Security Agency) published a detailed analysis of the phishing infrastructure and TTPs used by Kimsuky to target South Korea.\r\nThe Malwarebytes Threat Intelligence team is actively monitoring this actor and has been able to spot phishing websites, malicious documents, and scripts that have been used to target high-profile people within the government of South Korea. The structure and TTPs used in these recent activities align with what was reported in KISA’s report.\r\nTargets\r\nOne of the lures used by Kimsuky, named “외교부 가판 2021-05-07” in Korean, translates to “Ministry of Foreign Affairs Edition 2021-05-07”, which indicates that it was designed to target the Ministry of Foreign Affairs of South Korea. According to our collected data, this ministry is an entity of high interest for Kimsuky. Other targets associated with the Korean government include:\r\nMinistry of Foreign Affairs, Republic of Korea 1st Secretary\r\nMinistry of Foreign Affairs, Republic of Korea 2nd Secretary\r\nTrade Minister\r\nDeputy Consul General at Korean Consulate General in Hong Kong\r\nInternational Atomic Energy Agency (IAEA) Nuclear Security Officer\r\nAmbassador of the Embassy of Sri Lanka to the State\r\nMinistry of Foreign Affairs and Trade counselor\r\nBesides targeting government entities, we have also observed that Kimsuky collected information about universities and companies in South Korea, including Seoul National University, the Daishin financial security company, and KISA. This does not mean that the threat actors have actively targeted them yet, nor that they were compromised.\r\nPhishing Infrastructure\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor\r\nPage 1 of 19\n\nThe group has the capability to set up phishing infrastructure that mimics well-known websites and tricks victims into entering their credentials. This is one of the main methods used by this actor to collect email addresses that are later used to send spearphishing emails. The group is still using phishing models similar to those previously described in the KISA report, with some small changes.\r\nAs an example, they have added the Mobile_detect and Anti_IPs modules from type B to type C (KISA report) in order to detect mobile devices and adjust the view accordingly. This phishing model has the capability to show phishing pages in English or Korean based on the parameter value received from the phishing email. 
This model has been deployed by Kimsuky to target not only Korean-speaking victims but English-speaking people as well.\r\nWe have observed that they developed different phishing techniques to mimic the following web services and steal credentials:\r\nGmail\r\nHotmail\r\nMicrosoft Outlook\r\nNate\r\nDaum\r\nNaver\r\nTelegram\r\nKISA\r\nWe have identified several URLs used by Kimsuky to host their phishing infrastructure.\r\nThe group has used Twitter accounts to find and monitor its targets in order to prepare well-crafted spearphishing emails. The group also uses Gmail accounts for phishing attacks and for registering domains. One of the Gmail accounts used by this actor is “tjkim1991@gmail[.]com”, which was used to register the following sub-domains:\r\nns1.microsoft-office[.]us\r\nns2.microsoft-office[.]us\r\nThey were registered on April 3, and we believe they have been reserved for use in future campaigns. Pivoting from these sub-domains, we were able to uncover the infrastructure used by this actor. Some of it overlaps with previously reported campaigns operated by Kimsuky.\r\nCommand and Control infrastructure\r\nKimsuky reuses some of its phishing infrastructure for its command and control communications. In their most recent attack against South Korea’s government, they reused the infrastructure that had been used to host their phishing websites for AppleSeed backdoor C\u0026C communications. Besides using the AppleSeed backdoor to target Windows users, the actor has also used an Android backdoor to target Android users. The Android backdoor can be considered the mobile variant of the AppleSeed backdoor: it uses the same command patterns as the Windows one, and both the Android and Windows backdoors have used the same infrastructure. It is also interesting
to note that this actor refers to itself as Thallium.\r\nHere are some of the IPs and domains used by the actor for C2 communications:\r\n210.16.120[.]34 216.189.157[.]89 45.58.55[.]73 45.13.135[.]103 27.102.114[.]89 210.16.121[.]137 58.22\r\nAnalysis of the most recent AppleSeed attack\r\nIn this section we provide an analysis of the AppleSeed backdoor that was used to target the Ministry of Foreign Affairs of South Korea.\r\nInitial Access\r\nThe actor distributed its dropper embedded in an archive file (외교부 가판 2021-05-07.zip) as an attachment to spearphishing emails. The target email addresses were collected using the actor’s email phishing campaigns described in the previous section. The actor conducted this spearphishing attack on May 7, 2021.\r\nThe archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file and contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format, and the other one contains the AppleSeed payload, also in Base64 format (encoded twice).\r\nFirst it uses the MSXML Base64 decoding functionality to decode the first layer, and then uses certutil.exe to decode the second layer and obtain the final AppleSeed payload. The decoy PDF file is decoded using the MSXML Base64 decoding function.\r\nAfter decoding the PDF and the AppleSeed payload, the content is written into the ProgramData directory. Finally, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload is executed through PowerShell by calling regsvr32.exe. Running a DLL through regsvr32.exe registers it as a COM server, which automatically invokes the DLL’s export function named DllRegisterServer.\r\npowershell.exe -windowstyle hidden regsvr32.exe /s AppleSeed_Payload\r\nWscript_Shell.Run(Pdf_Name);\r\nAppleSeed Backdoor\r\nThe dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated, and important API calls and strings have been encrypted using a custom encryption algorithm. The encrypted versions of the strings and API names are in hex ASCII format. Whenever the code needs to use a string, the malware takes the encrypted string and passes it through two functions to decrypt it.\r\nThe first function, “string_decryptor_prep”, takes the encrypted string and prepares a custom data structure that has four elements:\r\ntypedef struct _UNICODESTR {\r\n    wchar_t *Buffer; // Encrypted string\r\n    DWORD padding;\r\n    uint64_t Lengt\r\nThe second function, “string_decryptor”, takes the data structure created by the previous function, decrypts the string, and puts the result back into the same data structure.\r\nThe decryptor function first converts the input string from hex ASCII format to binary by calling the hexascii_to_binary function on each pair of ASCII characters (i.e. c3, 42, b1, 1d… in example 1). 
The first 16 bytes of the input are then used as the key, and the remainder is the actual value, which is decrypted in 16-byte chunks (i.e. ed, d5, 0d, 60).\r\nDecryption is a simple XOR operation: key[i] ^ string[i-1] ^ string[i] (for the first character, string_to_be_decrypted[i-1] is set to zero).\r\nMost of the important API calls are resolved dynamically at run time using the “string_decryptor” function (288 API calls are resolved dynamically).\r\nThe AppleSeed payload has an export function named “DllRegisterServer”, which is called when the DLL is executed using RegSvr32.exe. DllRegisterServer calls a function that is responsible for performing the DLL initialization and setup, which includes the following steps:\r\nCopy itself into “C:\\ProgramData\\Software\\ESTsoft\\Common” and rename itself to ESTCommon.dll, to pretend it is a DLL that belongs to the ESTsecurity company.\r\nMake itself persistent by creating the following registry key:\r\nRegistry key name: EstsoftAutoUpdate Registry key value: Regsvr32.exe /s C:\\ProgramData\\Software\\ESTsoft\\Common\\ESTC\r\nActivate its functionality by creating the following files in the “C:\\ProgramData\\Software\\ESTsoft\\Common\\flags” directory and writing “flag” into each of them: FolderMonitor, KeyboardMonitor, ScreenMonitor, UsbMonitor.\r\nIn the next step it creates a Mutex to make sure it only infects a victim once.\r\nAfter creating that mutex, it checks whether the current process has the required access privilege by calling the GetTokenInformation API, and if it does not, it tries to escalate its privilege by calling AdjustTokenPrivileges with SeDebugPrivilege to gain system-level privilege.\r\nAt the end it performs its main functionalities in separate threads. All the collected data from each thread is zipped and encrypted and sent to the command and control server using HTTP POST requests in a separate thread. After the data has been sent to the server, it is deleted from the victim’s machine.\r\nThe AppleSeed payload uses RC4 for encryption and decryption of the data. To generate the RC4 key, it creates a random buffer of 117 bytes by calling CryptGenRandom, then uses CryptCreateHash and CryptHashData to add the buffer to an MD5 hash object. Then it calls CryptDeriveKey to generate the RC4 key.\r\nThe created 117-byte buffer is encrypted using the RSA algorithm and is sent to the server along with the RC4-encrypted data. 
The RSA key is in hex ASCII format and is decrypted using the “string_decryptor” function.\r\nInput Capture (KeyLogger)\r\nThe keylogger function uses GetKeyState and GetKeyboardState to capture the keys pressed on the victim’s machine and logs all keys, per process, into the log.txt file.\r\nScreen Capture\r\nThis module takes screenshots by calling the following sequence of API calls: GetDesktopWindow, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt and GetDIBits. It then writes them into a file using CreateFileW and WriteFile.\r\nCollect removable media data\r\nThis module finds the removable media devices connected to the machine and collects their data before sending it to the command and control server. To identify a USB drive it calls CM_Get_Device_IDW to retrieve the device instance ID, which would be in the format “ ”, and then checks whether it contains the string value USB.\r\nCollect files\r\nThis thread looks for txt, ppt, hwp, pdf, and doc files in the Desktop, Documents, Downloads and AppData\\Local\\Microsoft\\Windows\\INetCache\\IE directories and archives them so they are ready to be exfiltrated to the server.\r\nCommand structure\r\nThe AppleSeed backdoor uses a two-layer command structure to communicate with its command and control server. Here is the URL pattern used for C\u0026C communications:\r\nentity:url url:?m=[command layer one]\u0026p1=[volume serial number]\u0026p2=[command layer two]\r\nCommand layer one defines the type of command that the server expects to be executed on the victim, and it can have one of the following values:\r\nCommand | Description\r\na | ping mode (Collect victim info including IP, time stamp, victim OS version)\r\nb | upload data mode\r\nc | Download command (Waiting for command)\r\nd | Delete command\r\ne | Upload command mode\r\nf | List directories mode\r\ng | Delete file mode\r\nh | Check existence of a file mode\r\nCommand Layer one\r\nCommand layer 2 is only for when command layer 1 is in upload data mode (c) and defines the type of upload. It can have one of the following values:\r\nCommand | Description\r\na | Upload command execution results\r\nb | Upload files and removable media data\r\nc | Upload screenshots\r\nd | Upload input capture data (Keylogger data)\r\nCommand layer 2\r\nConclusion\r\nKimsuky is one of North Korea’s threat actors that has mainly targeted South Korean government entities. In this blog post we took a look at this group’s activities, including its phishing infrastructure and command and control mechanisms. Our research has shown that the group is still using similar infrastructure and TTPs to those reported in December 2020 by KISA. 
Its most recent campaign targeted the Ministry of Foreign Affairs using the AppleSeed backdoor.\r\nMITRE ATT\u0026CK Techniques\r\nTactic | ID | Name | Details\r\nReconnaissance | T1598 | Phishing for Information | Use phishing to collect email addresses for targeted attack\r\nResource Development | T1583.00 | Acquire Infrastructure: Domains | Purchase and register domains a few months before the attack\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Develop AppleSeed backdoor for the attack\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts | Create email accounts to register domains and use in phishing attacks\r\nResource Development | T1585.001 | Establish Accounts: Social Media Accounts | Use Twitter to collect info about victims\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Distribute archive files that contain a JS dropper through phishing emails\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Use PowerShell to execute commands\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript | Use JS to execute PowerShell\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Create Registry RunOnce key\r\nPrivilege Escalation | T1134 | Access Token Manipulation | Adjust its token privileges to have the SeDebugPrivilege\r\nDefense Evasion | T1134 | Access Token Manipulation | Adjust its token privileges to have the SeDebugPrivilege\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | – Use the command certutil to decode base64 contents – Decrypt data coming from server\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Delete its exfiltrated data to cover its tracks\r\nDefense Evasion | T1112 | Modify Registry | Modify the Run registry key\r\nDefense Evasion | T1027 | Obfuscated Files or Information | – All the strings and API calls are obfuscated using custom encryption – The dropped payload is packed with UPX\r\nDefense Evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | Load payload through Regsvr32\r\nCredential Access | T1056.001 | Input Capture: Keylogging | Log keystrokes on the victim’s machine\r\nDiscovery | T1083 | File and Directory Discovery | Obtain file and directory listings\r\nDiscovery | T1082 | System Information Discovery | Collect OS type and volume serial number\r\nCollection | T1560 | Archive Collected Data | Compress and encrypt collected data prior to exfiltration\r\nCollection | T1005 | Data from Local System | Collect data from local system\r\nCollection | T1025 | Data from Removable Media | Collect data from removable media\r\nCollection | T1056.001 | Input Capture: Keylogging | Log keystrokes on the victim’s machine\r\nCollection | T1113 | Screen Capture | Capture screenshots\r\nCommand and Control | T1001 | Data Obfuscation | Encrypt data for exfiltration\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Use HTTP for command and control communication\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltrate data over the same channel used for C2\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor"
	],
	"report_names": [
		"kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d7da12eddee96833e2f96b3d6071675a0597b5c.pdf",
		"text": "https://archive.orkl.eu/0d7da12eddee96833e2f96b3d6071675a0597b5c.txt",
		"img": "https://archive.orkl.eu/0d7da12eddee96833e2f96b3d6071675a0597b5c.jpg"
	}
}