{
	"id": "c2b73273-a4df-4331-998a-241d4eceb25b",
	"created_at": "2026-04-06T00:06:12.875746Z",
	"updated_at": "2026-04-10T03:37:41.171898Z",
	"deleted_at": null,
	"sha1_hash": "4d9d291c498822bdff7d0f388e6667ed167c043c",
	"title": "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1859653,
	"plain_text": "Kimsuky Strikes Again | New Social Engineering Campaign Aims\r\nto Steal Credentials and Gather Strategic Intelligence\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-06-06 · Archived: 2026-04-05 19:09:30 UTC\r\nExecutive Summary\r\nSentinelLABS has been tracking a social engineering campaign by the North Korean APT group Kimsuky\r\ntargeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.\r\nThe campaign has the objective of stealing Google and subscription credentials of a reputable news and\r\nanalysis service focusing on North Korea, as well as delivering reconnaissance malware.\r\nKimsuky engages in extensive email correspondence and uses spoofed URLs, websites imitating legitimate\r\nweb platforms, and Office documents weaponized with the ReconShark malware.\r\nThis activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s\r\nincreasing interest in gathering strategic intelligence.\r\nOverview\r\nIn collaboration with NK News, a leading subscription-based service that provides news and analyses about North\r\nKorea, SentinelLABS has been tracking a targeted social engineering campaign against experts in North Korean\r\naffairs from the non-government sector. The campaign focuses on theft of email credentials, delivery of\r\nreconnaissance malware, and theft of NK News subscription credentials. Based on the used malware,\r\ninfrastructure, and tactics, we assess with high confidence that the campaign has been orchestrated by the\r\nKimsuky threat actor.\r\nThe social engineering tactics and some infrastructure characteristics closely relate to a Kimsuky activity privately\r\nreported by PwC and discussed in an NSA advisory published during the writing of this article. 
We focus on the\r\nspecific targeting of expert analysts of North Korean affairs by impersonating NK News and stealing NK News\r\ncredentials, and provide details on the TTPs used to support collaborative hunting and detection efforts.\r\nKimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the\r\ninterests of the North Korean government, is known for its global targeting of organizations and individuals.\r\nOperating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather\r\nintelligence and access sensitive information.\r\nA hallmark of the activity we discuss in this post is Kimsuky’s focus on establishing initial contact and developing\r\na rapport with their targets prior to initiating malicious activities. As part of their initial contact strategy, the group\r\nimpersonated Chad O’Carroll, the founder of NK News and the associated holding company Korea Risk Group,\r\nusing an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain\r\nnknews.org.\r\nhttps://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/\r\nPage 1 of 9\n\nThe initial email requests the review of a draft article analyzing the nuclear threat posed by North\r\nKorea.\r\nIf the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google\r\ndocument, which redirects to a malicious website specifically crafted to capture Google credentials. Kimsuky may\r\nalso deliver a weaponized Office document that executes the ReconShark reconnaissance malware.\r\nFurther, Kimsuky’s objective extends to the theft of subscription credentials from NK News. To achieve this, the\r\ngroup distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which\r\nmasquerades as the authentic NK News site. 
The login form that is presented to the target is designed to capture\r\nentered credentials.\r\nThis Kimsuky activity indicates the group’s growing efforts to establish early communication and foster trust with\r\ntheir targets prior to initiating malicious operations, including the delivery of malware. Their approach highlights\r\nthe group’s commitment to creating a sense of rapport with the individuals they target, potentially increasing the\r\nsuccess rate of their subsequent malicious activities.\r\nBy actively targeting high-profile experts in North Korean affairs and stealing subscription credentials from\r\nprominent news and analysis outlets focussing on North Korea, Kimsuky demonstrates a heightened curiosity in\r\nunderstanding how the international community perceives developments concerning North Korea, such as the\r\ncountry’s military activities. These actions are probably part of their broader objective to gather strategic\r\nintelligence, contributing to North Korea’s decision-making processes.\r\nGoogle Credential Theft\r\nWe observed Kimsuky distributing an HTML-formatted phishing email to selected individuals, which requests the\r\nreview of a draft article analyzing the nuclear threat posed by North Korea. 
The email primarily aims to initiate a\r\nsubsequent conversation and is intentionally designed to appear benign: it impersonates NK News leadership and\r\nlacks any malicious artifacts.\r\nInitial email\r\nIf the target engages in the conversation, Kimsuky eventually follows up with an email that contains a URL to a\r\nGoogle document.\r\nFollow-up email\r\nIf the target is not responsive, Kimsuky follows up with a reminder email in an attempt to engage the target in\r\nconversation.\r\nReminder email\r\nThe URL’s destination is manipulated through the spoofing technique of setting the href HTML attribute to\r\ndirect to a website created by Kimsuky. This method, commonly employed in phishing attacks, creates a\r\ndiscrepancy between the perceived legitimacy of the link (a genuine Google document) and the actual website\r\nvisited upon clicking the URL.\r\nThe displayed URL to a Google document points to an actual article hosted on Google Docs, delving into the topic\r\nof the North Korean nuclear threat. 
The article contains visible edits to give the impression of a genuine draft\r\narticle, aligning with Kimsuky’s luring tactic.\r\nGoogle document\r\nThe spoofed destination of the URL redirects the target to an attacker-created website that masquerades as a\r\nlegitimate Google Docs site for requesting document access, such as\r\nhttps[://]drive-google[.]shanumedia[.]com/pdf/ul/ji78fghJHKtgfLKJIO/s2.php?menu=ZGFu[...]vbQ==\r\nThe Base64-encoded segment, that is, the value of the menu URL query parameter, resolves to the target’s email\r\naddress.\r\nThis serves as a means of transporting the target’s address to the fake Google Docs site, which enables the site to\r\ndynamically display the address, creating a personalized and convincing appearance of legitimacy. The design and\r\nfunctionality of this site suggest its potential for reuse in targeting different individuals.\r\nMalicious Google Docs site\r\nWe were unable to analyze the functionality behind the Request access web element as the group has taken\r\ndown the site. However, given the theme of the site, we suspect that it has been designed to capture entered\r\nGoogle credentials.\r\nDuring conversations with targeted individuals, Kimsuky also seizes any available opportunity to distribute\r\npassword-protected weaponized Office documents that deploy the ReconShark reconnaissance malware.\r\nReconShark exfiltrates information relevant for conducting subsequent precision attacks, such as deployed\r\ndetection mechanisms and hardware information. 
The implementation of the ReconShark variant we observed in\r\nthis activity remains the same as the one covered in our previous post on Kimsuky activity, with the main\r\ndistinction being the use of a different C2 server: staradvertiser[.]store. This domain resolves to the IP\r\naddress 162.0.209[.]27, which has hosted domains that have been attributed to Kimsuky in previous research,\r\nsuch as sesorin[.]lol and rfa[.]ink. Kimsuky’s use of ReconShark as part of this activity underscores the\r\nmalware’s central role within the group’s current operational playbook.\r\nNK News Credential Theft\r\nWe also observed Kimsuky attempting to steal credentials for the subscription service of NK News, which is\r\nknown for its comprehensive expert analyses and news reports. Gaining access to such reports would provide\r\nKimsuky with valuable insights into how the international community assesses and interprets developments\r\nrelated to North Korea, contributing to their broader strategic intelligence-gathering initiatives.\r\nIn order to accomplish this, Kimsuky distributes emails that lure targeted individuals to log in to a spoofed NK\r\nNews subscription service. The emails prompt the recipients to confirm their NK News accounts under the pretext\r\nof recent security updates.\r\nPhishing Email\r\nThe fake login site, hosted at https[://]www.nknews[.]pro/ip/register/, features a login form with the\r\nstandard web elements, such as Sign In, Sign Up, and Forgot Password? buttons. 
When clicked, the Sign\r\nIn button executes the loginAct JavaScript function, whereas the rest of the buttons do not conduct any\r\nactivities.\r\nFake NK News login site\r\nThe JavaScript code captures entered credentials by issuing an HTTP POST request to\r\nhttps[://]www.nknews[.]pro/ip/register/login[.]php and then redirects the user to the legitimate NK News\r\nsite.\r\nJavaScript code\r\nThe main website hosted at https[://]www.nknews[.]pro redirects to the legitimate NK News site,\r\nhttps://nknews.org, and uses a certificate issued by Sectigo:\r\nThumbprint: a1597d197e9b084a043ada5c7dac1f9b6d7f7af3\r\nSerial number: 00f342582c9a299acf2452aaf5115c5be0\r\nThe domain nknews[.]pro, registered through Namecheap, also resolves to the Kimsuky-linked IP address\r\n162.0.209[.]27. The URL https[://]www.nknews[.]pro/config[.]php hosts a password-protected remote\r\nmanagement site, which is likely an implementation of the b374k tool, based on the implementation of the login\r\nsite and the presence of the config.php file. The Kimsuky group is known to use this tool for remote\r\nmanagement of its infrastructure.\r\nb374k login site\r\nConclusion\r\nSentinelLABS remains actively engaged in monitoring the activities conducted by Kimsuky. 
The findings\r\npresented in this post highlight the group’s persistent commitment to targeted social engineering attacks and\r\nunderscore the need for increased awareness and understanding of Kimsuky’s tactics among potential targets.\r\nMaintaining vigilance and implementing effective security measures are imperative to mitigate the risks posed by\r\nthis persistent threat actor.\r\nIndicators of Compromise\r\nIndicator Description\r\nnknews[.]pro Phishing email sender domain\r\nchad.ocarroll@nknews[.]pro Phishing email sender address\r\nmembership@nknews[.]pro Phishing email sender address\r\nhttps[://]www.nknews[.]pro Website impersonating NK News\r\nhttps[://]www.nknews[.]pro/config[.]php Website impersonating NK News: b374k login site\r\nhttps[://]www.nknews[.]pro/ip/register/ Website impersonating NK News: Fake NK News login site\r\nhttps[://]www.nknews[.]pro/ip/register/login[.]php Website impersonating NK News: NK News credential theft endpoint\r\nhttps[://]staradvertiser.store/piece/ca[.]php ReconShark payload hosting endpoint\r\nhttps[://]staradvertiser.store/piece/r[.]php ReconShark C2 server endpoint\r\n162.0.209[.]27 Website impersonating NK News, ReconShark C2 server: IP address\r\n4150B40C00D8AB2E960AA059159149AF3F9ADA09 Malicious document (password-protected): SHA1 hash\r\n7514FD9E5667FC5085373704FE2EA959258C7595 Malicious document: SHA1 hash\r\n41E39162AE3A6370B1100BE2B35BB09E2CBE9782 ReconShark: SHA1 hash\r\nSource: https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/"
	],
	"report_names": [
		"kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d9d291c498822bdff7d0f388e6667ed167c043c.pdf",
		"text": "https://archive.orkl.eu/4d9d291c498822bdff7d0f388e6667ed167c043c.txt",
		"img": "https://archive.orkl.eu/4d9d291c498822bdff7d0f388e6667ed167c043c.jpg"
	}
}