{
	"id": "e1c6bbf6-a30a-4ba3-bc9d-deeb03f44782",
	"created_at": "2026-04-06T00:06:31.256975Z",
	"updated_at": "2026-04-10T03:38:06.61418Z",
	"deleted_at": null,
	"sha1_hash": "482fcaea88cec22fa8cd9ec73d5d5ae28e6ce43b",
	"title": "Deep-dive: The DarkHotel APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1045757,
	"plain_text": "Deep-dive: The DarkHotel APT\r\nBy BushidoToken\r\nPublished: 2020-06-14 · Archived: 2026-04-05 16:40:11 UTC\r\nhttps://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html\r\nPage 1 of 8\r\n\r\nUPDATE - 29.06.2022:\r\nOn 28 June 2022, NKNews.org cited this blog in their research on DarkHotel. In November 2021, I decided to revisit this blog and rethink some of the things I said. Parts of this blog are not what I would currently consider analytically sound. This was written over 2 years ago and my skills and my perspective on this group have changed a lot since then.\r\nOriginally published on 14.06.2020\r\n\r\nPART 1: DARKHOTEL\r\nDarkHotel is a sophisticated and active advanced persistent threat (APT) group. It is highly capable and is known for finding and exploiting previously unknown vulnerabilities (0days) in common software. It is a well-established group that has been active since 2007; its members are believed to be Korean speakers and it is assessed to be working on behalf of a nation state.\r\nDarkHotel was first disclosed in 2014 and is also known as DUBNIUM, Black Shop, Fallout Team, Karba, Luder, Nemim, Nemain, Tapaoux, Pioneer, Shadow Crane, APT-C-06, and TUNGSTEN BRIDGE. In the NSA's Territorial Dispute (TeDi) signature script, sigs.py, DarkHotel is signature number 25 (SIG25). Malware associated with DarkHotel includes Asruex, Parastic Beast, Inexsmar, the Retro backdoor, Gh0st RAT, and the new Ramsay toolkit. Vulnerabilities leveraged in its 0day exploits include CVE-2018-8174, CVE-2018-8373, CVE-2019-1458, CVE-2019-13720, CVE-2019-17026, and CVE-2020-0674. DarkHotel also often exploits CVE-2017-8570 and CVE-2017-11882, well-known high-risk issues in Microsoft Office.\r\nDarkHotel earned its name by infecting the WiFi networks (WLANs) of hotels typically used by business executives. 
 This was an effort to compromise their devices, such as smartphones and laptops, which may contain intellectual property and the individual's emails or contact lists. The hotel WLANs are abused to push .HTA files that masquerade as software updates and carry the malware, with stolen certificates used to make the fake updates appear legitimate. The WiFi routers themselves are taken over either by remotely exploiting vulnerabilities or by gaining physical access inside the targeted hotels. As DarkHotel is state-sponsored, it more than likely has capable human operators to deploy during its campaigns.\r\nThis APT has targeted a wide array of countries in Asia, Europe, North America, and Africa. It primarily focuses on North Korea, South Korea, Japan, and China. Organisations in sectors such as telecommunications, manufacturing, finance, pharmaceuticals, chemicals, automotive, defence, law enforcement, militaries, and NGOs have all been compromised by DarkHotel.\r\nDarkHotel has repeatedly demonstrated its ability to develop exploits for 0day vulnerabilities in software such as Google Chrome, Mozilla Firefox, Internet Explorer, and the Windows kernel. The exploits are used to deliver malware that provides backdoor access and remote control over the target device. DarkHotel hides its malware behind layers of encryption and obfuscation, and deploys it only in targeted, one-off attacks so as not to expose its stolen certificates or 0day exploits. The group is a well-established expert at spear-phishing, researching its targets using OSINT and potentially HUMINT. Its lures have included political news, changes in legislation, and other business news.\r\nIn November 2014, we saw the first details of the specific activities of the DarkHotel APT. 
 Kaspersky published a report detailing a sophisticated cyber-espionage campaign targeting business travellers in the Asia-Pacific region. The group had by then been around for nearly a decade, and some researchers believe its members are Korean speakers. In 2015, it was found that DarkHotel was more than likely exploiting a 0day leaked from the Italian offensive security firm Hacking Team. DarkHotel used spear-phishing emails with .RAR archives that appear to hold a harmless-looking .jpg file. If opened, MS Paint is launched as a decoy while the malware is executed in the background.\r\nIn May 2018, DarkHotel was found to be responsible for distributing a 0day for CVE-2018-8174. This attack used URLMoniker to invoke Internet Explorer from Microsoft Word while ignoring the victim's default browser settings, a previously unknown technique. The group also leveraged CVE-2018-8373 later that same year.\r\nIn November 2019, a threat campaign dubbed ‘Operation WizardOpium’ was discovered, which exploited a vulnerability in Google's Chrome browser, tracked as CVE-2019-13720. The exploit was deployed on a Korean-language news portal whose main page had malicious JavaScript injected into it. No threat group has been linked directly to Operation WizardOpium, but similarities in code samples have been correlated with both the Lazarus and DarkHotel APTs. Part of the attacks included a Microsoft Windows privilege-escalation 0day exploit, later assigned CVE-2019-1458, in the win32k component of the Windows kernel. This bug meant that, after gaining code execution in the renderer through CVE-2019-13720, the attackers could escape Chrome's sandbox and run their payload with elevated privileges. [1]\r\nMore recently, ESET uncovered a previously unreported cyber-espionage toolkit, dubbed Ramsay, that is tailored for the collection and exfiltration of sensitive documents and is capable of operating within air-gapped networks. 
 It shares similarities with the Retro backdoor and is linked to DarkHotel. [2]\r\nTencent has further analysed the Ramsay attacks and cross-referenced the IOCs with campaigns it has tracked in the past. Interestingly, these attacks and those related to the Retro backdoor go as far back as 18 years ago, and since 2015 the operators have incorporated the Asruex backdoor to attack isolated networks. Tencent has linked these attacks to DarkHotel, a threat group that it claims is allegedly working for the National Intelligence Service of the South Korean government. [3]\r\nThe DarkHotel threat group has launched a large campaign targeting Chinese government agencies and their employees. The attacks began in March 2020 and are thought to be using coronavirus-themed lures. The threat actors are using a 0day vulnerability (tracked as SRC-2020-281) in Sangfor SSL VPN servers to gain remote access to enterprise and government networks. [4]\r\nThe security research group RedDrip also found that DarkHotel developed a new exploit for another Internet Explorer (IE) vulnerability, CVE-2019-1367, to target China. At the time of reporting, the malicious file used to exploit this flaw was detected by 18 out of 57 engines on VirusTotal. [5, 6]\r\nIn April 2020, JPCERT found that an APT group was exploiting two vulnerabilities patched earlier in 2020 in Firefox and Internet Explorer (IE). These attacks have mostly been aimed at China and Japan. The first flaw affects the Firefox browser and is tracked as CVE-2019-17026. The second, CVE-2020-0674, is a remote code execution (RCE) flaw in Internet Explorer. The bugs were patched in January and February 2020 respectively. Both vulnerabilities were used as part of a campaign aimed at Chinese government agencies and attributed to the DarkHotel APT. 
 This campaign delivered the Gh0st RAT malware onto compromised devices. [7]\r\nThreat actors recently attempted to break into the systems of the World Health Organization (WHO). The organisation reported a significant increase in attacks against it since the start of the coronavirus pandemic. The most recent activity was observed around 13 March 2020, when a group of malicious actors launched a fake site impersonating the WHO's internal email system. It has not been confirmed who exactly is responsible for the attack, but researchers believe that it was the DarkHotel threat group. Further, Kaspersky researchers found that the same infrastructure was also used to target other healthcare and humanitarian organisations. [8]\r\n\r\nPART 2: SCARCRUFT\r\nIn mid-2019, Kaspersky researchers published new findings on the ScarCruft APT. Their investigation showed that it is another Korean-speaking threat actor with several connections to DarkHotel. ScarCruft became known for creating new tools and techniques to identify Bluetooth devices, which are used for information-gathering campaigns and for finding targets.\r\nScarCruft also developed a new method to steal data from smartphones and created malware that could fingerprint Bluetooth devices using the Windows Bluetooth API. Interestingly, the group's targets include investment and trading companies in Vietnam and Russia that have links to North Korea, along with organisations based in Hong Kong and North Korea. [1, 2]\r\n\r\nPART 3: HIGAISA\r\nLate in 2019, a new APT dubbed Higaisa was publicly disclosed by Tencent. It was initially thought that the group was North Korean, but researchers concluded that Higaisa instead originated from South Korea. The Higaisa APT's main targets have been government, diplomatic, and trade organisations with links to North Korea. It has carried out attacks in China, Japan, Russia, Poland, and other nation states. 
 Higaisa is an evolving threat: it began by distributing executable files in an unsophisticated way, but the group now leverages exploits and complex multi-stage infection chains with advanced defence-evasion techniques.\r\nMore recently, COVID-19-themed phishing lures have been linked to Higaisa. The decoy document used in the attacks, an LNK file disguised as a PDF, contains a World Health Organisation (WHO) situation report on the spread of COVID-19. The disguise works because Windows Explorer never displays the .lnk extension, so a shortcut carrying a PDF icon and a name such as report.pdf.lnk is shown to the user as report.pdf. If opened, arbitrary commands are executed to download an encrypted payload and initiate the infection chain. After several stages of obfuscated payloads, the compromised device connects to Higaisa's C\u0026C server. Other malware observed in the attacks includes Gh0st RAT, which provides backdoor access and remote control for further post-exploitation activities. A simple infostealer is used to collect system information; it also facilitates the execution of console commands and relays the responses to the C\u0026C server. Newer Higaisa attacks leverage the Zeplin collaborative platform in more LNK files disguised as decoy PDFs that also deliver Gh0st RAT.\r\nInterestingly, PT Security researchers found that two of the classes in Higaisa APT's malware code were named “SK_Parasite” and “NIS_K”. The researchers speculate that these could reference the South Korean film Parasite and the National Intelligence Service (NIS) of the Republic of Korea. Alone, these are insufficient to draw firm conclusions; however, they can be seen as circumstantial evidence of a connection with South Korea. [1, 2, 3]\r\n\r\nCONCLUSION:\r\nLittle is known about South Korea's cyber capabilities and nothing has been confirmed. However, DarkHotel has been linked to both Higaisa and ScarCruft, and all of them have some connection to South Korea in one way or another. 
 Their similar targets, strategies, and campaigns have led security researchers to conclude that the three groups either work alongside one another or are the same group using new tactics.\r\nDarkHotel is one of the most dangerous and active APT actors on the current threat landscape. There is currently not enough evidence to confidently say DarkHotel belongs to the NIS of the ROK, as APT actors often purposely scatter false flags in their code to lead researchers down a rabbit hole.\r\nNonetheless, DarkHotel's ability to consistently find 0day vulnerabilities and develop exploits for them is a major security concern for governments and businesses worldwide. All organisations, especially those with business or diplomatic relationships with South Korea, must remain cautious of this sophisticated APT, along with the well-established APTs from North Korea such as Lazarus, Kimsuky, Konni, and Reaper.\r\nKaspersky video on Dark Hotel (2014)\r\n\r\nIOCs: https://otx.alienvault.com/browse/pulses?q=DarkHotel\r\nSources:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/darkhotel\r\nhttps://securelist.com/the-darkhotel-apt/66779/\r\nhttps://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/
\r\nhttps://s.tencent.com/research/report/1000.html\r\nhttps://s.tencent.com/research/report/741.html\r\nhttps://twitter.com/RedDrip7/status/1247737928953946112\r\nhttps://twitter.com/RedDrip7/status/1222887262234394624\r\nhttps://www.securityweek.com/darkhotel-apt-uses-hacking-team-exploit-target-specific-systems\r\nhttps://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians\r\nhttps://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/3/?source=mmpc\r\nhttps://teamt5.org/newsroom/2020/05/27/teamt5-and-macnica-networks-release-joint-project-on-2019-s-apt-attacks-in-japan.html\r\nhttps://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/\r\nhttp://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html\r\nhttps://www.virustotal.com/gui/file/be8fdfce55ea701e19ab5dd90ce4104ff11ee3b4890b292c46567d9670b63b82/detection\r\nhttps://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nhttps://www.zscaler.com/blogs/research/return-higaisa-apt\r\nhttps://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication\r\nSource: https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
	],
	"report_names": [
		"deep-dive-darkhotel-apt.html"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2008a79d-2f3a-475f-abef-3bc119a1bf38",
			"created_at": "2022-10-25T16:07:24.028651Z",
			"updated_at": "2026-04-10T02:00:04.845194Z",
			"deleted_at": null,
			"main_name": "Operation WizardOpium",
			"aliases": [],
			"source_name": "ETDA:Operation WizardOpium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cd3fcb0-eb56-49ac-8125-47ebee93311d",
			"created_at": "2023-01-06T13:46:39.065814Z",
			"updated_at": "2026-04-10T02:00:03.201808Z",
			"deleted_at": null,
			"main_name": "Operation WizardOpium",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation WizardOpium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/482fcaea88cec22fa8cd9ec73d5d5ae28e6ce43b.pdf",
		"text": "https://archive.orkl.eu/482fcaea88cec22fa8cd9ec73d5d5ae28e6ce43b.txt",
		"img": "https://archive.orkl.eu/482fcaea88cec22fa8cd9ec73d5d5ae28e6ce43b.jpg"
	}
}