{
	"id": "a5376499-5533-4b3b-a7dd-879a9f2cfc69",
	"created_at": "2026-04-06T00:18:52.365931Z",
	"updated_at": "2026-04-10T03:37:40.97573Z",
	"deleted_at": null,
	"sha1_hash": "29987ea26f94f2b09cccb3274c02cd96b822c915",
	"title": "Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1777294,
	"plain_text": "Kimsuky | Ongoing Campaign Using Tailored Reconnaissance\r\nToolkit\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-05-23 · Archived: 2026-04-05 19:44:59 UTC\r\nBy Aleksandar Milenkoski and Tom Hegel\r\nExecutive Summary\r\nSentinelLABS has observed an ongoing campaign by Kimsuky, a North Korean APT group, targeting\r\nNorth Korea-focused information services, human rights activists, and DPRK-defector support\r\norganizations.\r\nThe campaign focuses on file reconnaissance and information exfiltration using a variant of the\r\nRandomQuery malware, enabling subsequent precision attacks.\r\nKimsuky distributes RandomQuery using Microsoft Compiled HTML Help (CHM) files, their long-running tactic for delivering diverse sets of malware.\r\nKimsuky strategically employs new TLDs and domain names for malicious infrastructure, mimicking\r\nstandard .com TLDs to deceive unsuspecting targets and network defenders.\r\nOverview\r\nSentinelLABS has been tracking a targeted campaign against information services, as well as organizations\r\nsupporting human rights activists and defectors in relation to North Korea. The campaign focuses on file\r\nreconnaissance, and exfiltrating system and hardware information, laying the groundwork for subsequent\r\nprecision attacks. Based on the infrastructure used, malware delivery methods, and malware implementation, we\r\nassess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor.\r\nKimsuky is a suspected North Korean advanced persistent threat (APT) group known for targeting organizations\r\nand individuals on a global scale. 
Active since at least 2012, the group regularly engages in targeted phishing and\r\nsocial engineering campaigns to collect intelligence and gain unauthorized access to sensitive information,\r\naligning with the interests of the North Korean government.\r\nLately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable\r\nsubsequent attacks. For example, we recently revealed the group’s distribution of ReconShark through macro-enabled Office documents.\r\nThe campaign we discuss in this post indicates a shift towards using a variant of the RandomQuery malware that\r\nhas the single objective of file enumeration and information exfiltration. This stands in contrast to recently\r\nobserved RandomQuery variants supporting a wider array of features, such as keylogging and execution of further\r\nspecialized malware.\r\nhttps://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/\r\nPage 1 of 8\n\nRandomQuery is a constant staple in Kimsuky’s arsenal and comes in various flavors. This campaign specifically\r\nuses a VBScript-only implementation. The malware’s ability to exfiltrate valuable information, such as hardware,\r\noperating system, and file details, indicates its pivotal role in Kimsuky’s reconnaissance operations for enabling\r\ntailored attacks.\r\nThis campaign also demonstrates the group’s consistent approach of delivering malware through CHM files, such\r\nas keylogging and clipboard content theft malware. In line with their modus operandi, Kimsuky distributes the\r\nRandomQuery variant we observed through this vector.\r\nFinally, this campaign highlights Kimsuky’s recent extensive use of less common top-level domains (TLDs) for\r\ntheir infrastructure, such as .space, .asia, .click, and .online. 
The group also uses domain names that\r\nmimic standard .com TLDs, aiming to appear legitimate.\r\nInitial Targeting\r\nKimsuky makes use of specially crafted phishing emails to deploy RandomQuery. The phishing emails are sent to\r\ntargets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing\r\npractice. Recent sender email addresses include bandi00413[@]daum.net.\r\nThe phishing emails, written in Korean, request the recipient to review an attached document claiming to be\r\nauthored by Lee Kwang-baek, the CEO of Daily NK. Daily NK is a prominent South Korean online news outlet\r\nthat provides independent reporting on North Korea, making them a prime organization for impersonation by\r\nDPRK threat actors looking to appear legitimate.\r\nKimsuky phishing email (in Korean)\r\nThe attached document is a CHM file stored in a password-protected archive. Aligning with the targeting focus of\r\nKimsuky in this campaign, the lure document is entitled “Difficulties in activities of North Korean human rights\r\norganizations and measures to vitalize them” and presents a catalog of challenges pertaining to human rights\r\norganizations.\r\nLure document snippet (in Korean)\r\nConsistent with known Kimsuky tactics, the CHM file contains a malicious Shortcut object that activates on the\r\nClick event. 
The object:\r\nCreates a Base64-encoded file in the %USERPROFILE%\\Links\\ directory, such as mini.dat.\r\nDecodes the file using the certutil utility, creating a VB script, and then stores the script in a separate\r\nfile, such as %USERPROFILE%\\Links\\mini.vbs.\r\nEstablishes persistence by editing the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry\r\nkey, such that the newly created VB script is executed at system startup.\r\nShortcut object\r\nThe VB script issues an HTTP GET request to a C2 server URL, for example, http[://]file.com-port.space/indeed/show[.]php?query=50, and executes the second-stage payload returned from the server. Based\r\non overlaps in code documented in previous work, we assess that the second-stage payload is a VBScript\r\nRandomQuery variant.\r\nExecution of a RandomQuery variant\r\nDissecting RandomQuery\r\nThe RandomQuery variant that Kimsuky distributes first configures the Internet Explorer browser by editing\r\nregistry values under HKCU\\Software\\Microsoft\\Internet Explorer\\Main:\r\nSets Check_Associations to no: The system does not issue a notification if Internet Explorer is not the\r\ndefault web browser.\r\nSets DisableFirstRunCustomize to 1: Prevents Internet Explorer from running the First Run wizard the\r\nfirst time a user starts the browser.\r\nRandomQuery also sets the registry value HKCU\\Software\\Microsoft\\Edge\\IEToEdge\\RedirectionMode to 0,\r\nwhich stops Internet Explorer from redirecting to the Microsoft Edge browser.\r\nRandomQuery configures Internet Explorer\r\nThese Internet Explorer configurations enable the uninterrupted use of the browser by RandomQuery, whose\r\nearlier variants are known to use the InternetExplorer.Application object when communicating with C2\r\nservers. 
However, the RandomQuery variant we analyzed does not use this object, but leverages\r\nMicrosoft.XMLHTTP for this purpose.\r\nRandomQuery then proceeds to gather and exfiltrate information about the infected platform, structured into three\r\nclasses that the malware refers to as Basic System, Specific Folder, and Process List.\r\nThe malware first gathers system and hardware information using the Win32_ComputerSystem,\r\nWin32_OperatingSystem, and Win32_Processor WMI classes, such as: computer name, processor speed, OS\r\nversion, and the amount of physical memory available to the system. RandomQuery refers to this information as\r\nBasic System information.\r\nRandomQuery gathers Basic System information\r\nRandomQuery then enumerates subdirectories and files within particular directories by specifying them using ID\r\nnumbers of the Windows ShellSpecialFolderConstants enumeration: Desktop (ID 0); Documents (ID 5, for\r\nexample, C:\\Users\\[username]\\Documents); Favorites (ID 6, for example, C:\\Documents and Settings\\[username]\\Favorites); Recent (ID 8, for example, C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Recent); Program Files (ID 38, for example, C:\\Program Files); Program Files (x86) (ID 42, for example, C:\\Program Files (x86) on 64-bit platforms); and\r\n%USERPROFILE%\\Downloads (ID 40, for example, C:\\Users\\[username]\\Downloads).\r\nThe malware refers to this information as Specific Folder information: It provides the attackers with a wealth\r\nof user- and platform-related information, such as installed applications, user document details, and frequented\r\nwebsites.\r\nRandomQuery gathers Specific Folder information\r\nRandomQuery also enumerates the process and session IDs of running processes using the Win32_Process WMI\r\nclass. 
The malware refers to this information as Process List information.\r\nRandomQuery gathers Process List information\r\nTo exfiltrate the gathered information, RandomQuery first Base64-encodes it, and then constructs and issues an\r\nHTTP POST request containing the information to a C2 server URL (for example, http[://]file.com-port.space/indeed/show[.]php?query=97). We observed that the C2 URLs RandomQuery uses for exfiltration\r\noverlap with the URLs from which RandomQuery itself is downloaded, with a difference in the value of the query\r\nparameter.\r\nRandomQuery exfiltrates information\r\nThe variants we analyzed use c2xkanZvaXU4OTA as a boundary string separating header values from the\r\nexfiltrated information stored in the POST request. Pivoting on this string enabled us to identify additional\r\nRandomQuery variants used by Kimsuky in the past. This is a further indication of the threat group consistently\r\nusing this malware in its targeted campaigns.\r\nThese variants differ to various extents from those we observed in Kimsuky’s latest campaign. This includes\r\nfeatures such as enumeration of deployed security products, focus on Microsoft Word documents when\r\nenumerating files, and execution of additional malicious code. Kimsuky continuously adapts its RandomQuery\r\narsenal to the task at hand, with the current iteration focusing on information exfiltration and file reconnaissance.\r\nInfrastructure\r\nKimsuky has made extensive use of less common TLDs during their malicious domain registration process. 
In our\r\nrecent reporting on Kimsuky’s ReconShark activity, we noted multiple clusters of malicious domains which made\r\nuse of the same technique.\r\nThis latest campaign is tied to infrastructure abusing the .space, .asia, .click, and .online TLDs,\r\ncombined with domain names mimicking standard .com TLDs. Noteworthy examples include com-def[.]asia,\r\ncom-www[.]click, and com-otp[.]click. Placed into a full URL path, such names make it less likely that an average user will spot\r\nan obviously suspicious link.\r\nCampaign-related domain registration timeline\r\nFor this latest campaign, the threat actor used the Japan-based domain registration service Onamae for primary\r\nmalicious domain purchasing. This particular cluster of activity began on May 5th 2023, and continues as of this\r\nreport. ABLENET VPS Hosting is used by the actor following domain registration.\r\nConclusion\r\nWe continue to closely monitor the persistent attacks carried out by Kimsuky and its continuously advancing\r\nattack toolkit. These incidents underscore the ever-changing landscape of North Korean threat groups, whose\r\nremit not only encompasses political espionage but also sabotage and financial threats.\r\nIt is imperative for organizations to familiarize themselves with the TTPs employed by suspected North Korean\r\nstate-sponsored APTs and to adopt appropriate measures to safeguard against such attacks. 
The correlation\r\nbetween recent malicious activities and a broader range of previously undisclosed operations attributed to North\r\nKorea emphasizes the importance of maintaining a state of constant alertness and fostering collaborative efforts.\r\nIndicators of Compromise\r\nSHA1 Hashes\r\nDomains\r\nSource: https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/"
	],
	"report_names": [
		"kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29987ea26f94f2b09cccb3274c02cd96b822c915.pdf",
		"text": "https://archive.orkl.eu/29987ea26f94f2b09cccb3274c02cd96b822c915.txt",
		"img": "https://archive.orkl.eu/29987ea26f94f2b09cccb3274c02cd96b822c915.jpg"
	}
}