{
	"id": "c449aeee-5b7c-4df0-9feb-f922526f107c",
	"created_at": "2026-04-06T01:28:59.055664Z",
	"updated_at": "2026-04-10T03:37:41.225302Z",
	"deleted_at": null,
	"sha1_hash": "5949f8c8dd13eac437f545b420d27f200974df27",
	"title": "How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43391,
	"plain_text": "How North Korean APT groups exploit DMARC\r\nmisconfigurations — and what you can do about it\r\nBy Barracuda Networks\r\nPublished: 2024-10-02 · Archived: 2026-04-06 00:06:31 UTC\r\nIn the world of email security, nothing is foolproof — especially when misconfigurations open the door to attacks.\r\nRecently, the North Korean cybercrime group Kimsuky has shown just how dangerous those vulnerabilities can\r\nbe, using poorly configured Domain-based Message Authentication, Reporting \u0026 Conformance (DMARC)\r\npolicies to run spear-phishing campaigns. This isn’t just a geopolitical concern; it’s a reminder that email security\r\nflaws, however small, can be exploited by anyone with malicious intent.\r\nWhat happened?\r\nKimsuky is an advanced persistent threat (APT) group acting under North Korea’s Reconnaissance General\r\nBureau. This threat actor has been targeting experts in think tanks, media, and academia to collect intelligence.\r\nTheir strategy? Spoofing legitimate domains by bypassing weak or misconfigured DMARC protocols. The FBI\r\nand NSA issued a joint advisory warning about these campaigns, which are designed to extract sensitive\r\ninformation, particularly about foreign policy and nuclear matters.\r\nWhy DMARC matters\r\nDMARC is supposed to protect against these kinds of email-based attacks. It works by verifying the authenticity\r\nof emails using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks. If an email\r\nfails these checks, DMARC tells the email server what to do next — either quarantine, reject, or pass through the\r\nemail based on the set policy.\r\nUnfortunately, DMARC can only do its job if it’s configured correctly. Many organizations set weak or\r\nincomplete DMARC policies, allowing malicious emails to slip through. In the case of Kimsuky, the attackers\r\nused real-looking spoofed emails that passed initial checks, but DMARC was not set up to filter or block these\r\nattempts. The result? Malicious emails land right in the inbox.\r\nThe attack in action\r\nHere’s how it works: Kimsuky starts with an email from what looks like a credible source, such as a university or\r\nresearch institute. The first email might seem harmless, designed to build trust. Once that trust is established, a\r\nsecond email comes in with a malicious attachment or link. In some cases, attackers even manage to access\r\nlegitimate email systems, making their phishing attempts even more convincing.\r\nOne example? A spear-phishing email inviting a target to speak at a North Korea policy conference. The email\r\npassed SPF and DKIM checks because the attackers had access to the legitimate system. But DMARC wasn’t\r\nconfigured properly, so despite some red flags, the email went through.\r\nMisconfigurations are common — and dangerous\r\nWhat makes this particularly troubling is that DMARC misconfigurations are more common than you’d think.\r\nMany organizations don’t regularly update or monitor their DMARC settings. Some might not even have one in\r\nplace, leaving them wide open to attack. Even when they do, a \"monitor\" policy (which logs threats without taking\r\naction) is far too common. This gives organizations a false sense of security and allows malicious emails to slip\r\nthrough unnoticed.\r\nHow to defend against this\r\nYou need a multilayered defense strategy. Here are three key steps to take:\r\n1. Get your DMARC right: Set your DMARC policy to \"quarantine\" or \"reject\" emails that fail SPF and\r\nDKIM checks. A \"monitor\" policy might seem like a safe first step, but without action, you're still exposed.\r\n2. Invest in AI-driven solutions: Email threats are becoming more sophisticated, and DMARC alone may\r\nnot be enough. Barracuda’s AI-driven email protection solutions, for instance, can detect unusual email\r\npatterns and suspicious behaviors, even when they seem to pass traditional checks.\r\n3. Train your team: Humans are often the weakest link in the security chain. Regular phishing simulations\r\nand training can significantly reduce the risk of someone clicking on a malicious email. Barracuda\r\nPhishing and Impersonation Protection can help your employees recognize red flags before it's too late.\r\nThe bottom line\r\nCyber-espionage groups like Kimsuky are constantly looking for ways to exploit weak spots in email security.\r\nDMARC misconfigurations provide an easy in. But with the right tools, configurations, and training, you can\r\nclose those gaps and keep your organization safe. Whether you’re worried about nation-state actors or more\r\ncommon cybercriminals, getting email security right is non-negotiable. And for companies like yours, every layer\r\nof security matters.\r\nSource: https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations"
	],
	"report_names": [
		"north-korean-apt-groups-dmarc-misconfigurations"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5949f8c8dd13eac437f545b420d27f200974df27.pdf",
		"text": "https://archive.orkl.eu/5949f8c8dd13eac437f545b420d27f200974df27.txt",
		"img": "https://archive.orkl.eu/5949f8c8dd13eac437f545b420d27f200974df27.jpg"
	}
}