{
	"id": "7009362e-59c6-4500-8716-b89f2479b238",
	"created_at": "2026-04-06T00:14:57.071384Z",
	"updated_at": "2026-04-10T13:12:47.252278Z",
	"deleted_at": null,
	"sha1_hash": "5ed4f9c96a95bab2e3097e06c62cc894324d18c3",
	"title": "North Korean Advanced Persistent Threat Focus: Kimsuky | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230860,
	"plain_text": "North Korean Advanced Persistent Threat Focus: Kimsuky | CISA\r\nPublished: 2020-10-27 · Archived: 2026-04-05 15:12:37 UTC\r\nSummary\r\nThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 7\r\nframework. See the ATT\u0026CK for Enterprise version 7 for all referenced threat actor tactics and techniques.\r\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency\r\n(CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force\r\n(CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced\r\npersistent threat (APT) group Kimsuky —against worldwide targets—to gain intelligence on various topics of\r\ninterest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North\r\nKorean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps://www.us-cert.cisa.gov/northkorea.\r\nThis advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July\r\n2020. 
The target audience for this advisory is commercial sector businesses desiring to protect their networks from\r\nNorth Korean APT activity.\r\nKey Findings\r\nThis advisory’s key findings are:\r\nThe Kimsuky APT group has most likely been operating since 2012.\r\nKimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.\r\nKimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate\r\ndesired information from victims.[1],[2]\r\nKimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]\r\nKimsuky conducts its intelligence collection activities against individuals and organizations in South\r\nKorea, Japan, and the United States.\r\nKimsuky focuses its intelligence collection activities on foreign policy and national security issues related\r\nto the Korean peninsula, nuclear policy, and sanctions.\r\nKimsuky specifically targets:\r\nIndividuals identified as experts in various fields,\r\nThink tanks, and\r\nSouth Korean government entities.[4],[5],[6],[7],[8]\r\nCISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their\r\ndefenses and adopt a heightened state of awareness. 
Particularly important mitigations include safeguards\r\nagainst spearphishing, use of multi-factor authentication, and user awareness training.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-301a\r\nPage 1 of 11\n\nTechnical Details\r\nInitial Access\r\nKimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to\r\nvictim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the\r\nmost observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]\r\nThe APT group has used web hosting credentials—stolen from victims outside of their usual targets—to\r\nhost their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via\r\nspearphishing and credential harvesting scripts. On the victim domains, they have created subdomains\r\nmimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]\r\nKimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a\r\nfollow-on email with a malicious attachment or link.\r\nPosing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails\r\nwith their intended target to ostensibly arrange an interview date and possibly build rapport. The\r\nemails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and\r\nbegan with a request to have the recipient appear as a guest on the show. The APT group invited the\r\ntargets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on\r\nthe Korean Peninsula.\r\nAfter a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious\r\ndocument, either as an attachment or as a Google Drive link within the body. The document usually\r\ncontained a variant of BabyShark malware (see the Execution section for information on\r\nBabyShark). 
When the date of the interview drew near, Kimsuky sent an email canceling the\r\ninterview.\r\nKimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target,\r\nsuch as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]\r\nKimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails,\r\nwatering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious\r\nbrowser extensions (Phishing: Spearphishing Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]\r\nExecution\r\nAfter obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command\r\nShell for Execution [TA0002].\r\nBabyShark is Visual Basic Script (VBS)-based malware.\r\nFirst, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to\r\ndownload and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy\r\nExecution: Mshta [T1218.005]).\r\nThe HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.\r\nThe script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot\r\nor Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).\r\nIt then collects system information (System Information Discovery [T1082]), sends it to the\r\noperator’s command and control (C2) servers, and awaits further commands.[19],[20],[21],[22]\r\nOpen-source reporting indicates BabyShark is delivered via an email message containing a link or an\r\nattachment (see Initial Access section for more information) (Phishing: Spearphishing Link [T1566.002],\r\nPhishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match\r\nits targets’ interests. Observed targets have been U.S. 
think tanks and the global cryptocurrency industry.[23]\r\nKimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a\r\ncomputer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]).\r\nPowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or\r\nmshta.exe.[24],[25],[26],[27]\r\nPersistence\r\nKimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser\r\nextensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol\r\n(RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain\r\nlogin and password information and/or launch malware outside of some application allowlisting solutions.\r\nIn 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect\r\nvictims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The\r\nextension’s reviews gave it a five-star rating; however, the text of the reviews applied to other extensions or\r\nwas negative. The reviews were likely left by compromised Google+ accounts.[28]\r\nKimsuky may install a new service that can execute at startup by using utilities to interact with services or\r\nby directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name\r\nmay be disguised with the name from a related operating system function or by masquerading as benign\r\nsoftware. Services may be created with administrator privileges but are executed under system privileges,\r\nso an adversary can also use a service to escalate privileges from Administrator to System. They can also\r\ndirectly start services through Service Execution.[29],[30]\r\nDuring the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 
GREASE is a\r\ntool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules\r\n(Remote Services: Remote Desktop Protocol [T1021.001]).[31]\r\nKimsuky uses a document stealer module that changes the default program associated with Hangul Word\r\nProcessor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default\r\nFile Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious\r\nprogram instead of the legitimate HWP program (HWP is a Korean word processor). The malware will\r\nread and email the content from HWP documents before the legitimate HWP program ultimately opens the\r\ndocument.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx\r\nfile rather than .hwp and will tailor their macros accordingly.[33]\r\nKimsuky maintains access to compromised domains by uploading actor-modified versions of open-source\r\nHypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download,\r\nand delete files and directories on the compromised domains (Server Software Component: Web Shell\r\n[T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]\r\nPrivilege Escalation\r\nKimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts\r\nin the Startup folder, creating and running new services, changing default file associations, and injecting malicious\r\ncode in explorer.exe.\r\nKimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account\r\nControl to inject malicious code into explorer.exe (Process Injection [T1055]). 
This malicious code\r\ndecrypts its spying library—a collection of keystroke logging and remote control access tools and remote\r\ncontrol download and execution tools—from resources, regardless of the victim’s operating system. It then\r\nsaves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in\r\nthe user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even\r\nafter a reboot. This allows for the escalation of privileges.[35]\r\nBefore the injection takes place, the malware sets the necessary privileges (see figure 1). The malware\r\nwrites the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by\r\ncreating a remote thread within explorer.exe (Process Injection [T1055]).[36]\r\nFigure 1: Privileges set for the injection [37]\r\nDefense Evasion\r\nKimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network.\r\nThese methods include disabling security tools, deleting files, and using Metasploit.[38],[39]\r\nKimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see\r\nfigure 2). This disables the Windows system firewall and turns off the Windows Security Center service,\r\nwhich prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair\r\nDefenses: Disable or Modify System Firewall [T1562.004]).[40]\r\nFigure 2: Disabled firewall values in the Registry [41]\r\nKimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server\r\n(Indicator Removal on Host: File Deletion [T1070.004]).[42]\r\nKimsuky has used mshta.exe, which is a utility that executes Microsoft HTAs. It can be used for proxy\r\nexecution of malicious .hta files and JavaScript or VBS through a trusted Windows utility (Signed\r\nBinary Proxy Execution: Mshta [T1218.005]). 
It can also be used to bypass application allowlisting\r\nsolutions (Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]).[43],[44]\r\nWin7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevate\r\nis a part of the Metasploit framework open-source code and is used to inject malicious code into\r\nexplorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from resources,\r\nsaves the decrypted file to disk with a random but hardcoded name in the victim's temporary folder, and\r\nloads the file as a library.[45],[46],[47]\r\nCredential Access\r\nKimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and\r\nkeyloggers (Credential Access [TA0006]).\r\nKimsuky uses memory dump programs instead of using well-known malicious software and performs the\r\ncredential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also\r\navailable for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain\r\ncriteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]).\r\nProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information\r\nto a Word document saved on the computer. It can be used as a general process dump utility that actors can\r\nembed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.[48]\r\nAccording to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords\r\nand cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email\r\ndirects a victim to a phishing site, where the victim is shown a benign PDF document but is not able to\r\nview it. 
The victim is then redirected to the official Chrome Web Store page to install a Chrome extension,\r\nwhich has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js,\r\nfrom a separate site (see figure 3).[51]\r\nFigure 3: JavaScript file, named jQuery.js [52]\r\nKimsuky also uses a PowerShell-based keylogger, named MECHANICAL, and a network sniffing tool,\r\nnamed Nirsoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]).\r\nMECHANICAL logs keystrokes to %userprofile%\\appdata\\roaming\\apach.{txt,log} and is also a\r\n\"cryptojacker,\" which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is\r\ncapable of obtaining passwords sent over non-secure protocols.[53]\r\nKimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine\r\nweb traffic between the victim and the website accessed by the victims and to collect any credentials\r\nentered by the victim.[54]\r\nDiscovery\r\nKimsuky enumerates system information and the file structure for victims’ computers and networks (Discovery\r\n[TA0007]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the\r\nfile structure and system information (File and Directory Discovery [T1083]). The information is directed to\r\nC:\\WINDOWS\\msdatl3.inc, read by malware, and likely emailed to the malware’s command server.[55]\r\nCollection\r\nKimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection\r\n[TA0009]). The HWP document malware changes the default program association in the Registry to open HWP\r\ndocuments (Event Triggered Execution: Change Default File Association [T1546.001]). 
When a user opens an\r\nHWP file, the Registry key change triggers the execution of malware that opens the HWP document and then\r\nsends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user\r\nto open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts\r\nkeystrokes and writes them to C:\\Program Files\\Common Files\\System\\Ole DB\\msolui80.inc and records the\r\nactive window name where the user pressed keys (Input Capture: Keylogging [T1056.001]). There is another\r\nkeylogger variant that logs keystrokes into C:\\WINDOWS\\setup.log.[56]\r\nKimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2\r\nserver (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various\r\nimplants based on C2 options specified after the filedown.php (see figure 4).\r\nFigure 4: Python Script targeting MacOS [57]\r\nCommand and Control\r\nKimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011]\r\n(Remote Access Software [T1219]). During the initial infection, the service “Remote Access Service” is created\r\nand adjusted to execute C:\\Windows\\System32\\vcmon.exe at system startup (Boot or Logon Autostart Execution:\r\nRegistry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall\r\nby zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The\r\nprogram then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer\r\ncomponents. The launcher then configures several Registry values, including SecurityPasswordAES, that control\r\nhow the remote access tool will work. 
The SecurityPasswordAES Registry value represents a hash of the\r\npassword used by a remote user to connect to TeamViewer Client (Use Alternate Authentication Material: Pass the\r\nHash [T1550.002]). This way, the attackers set a pre-shared authentication value to have access to the\r\nTeamViewer Client. The attacker will then execute the TeamViewer client netsvcs.exe.[58]\r\nKimsuky has been using a consistent format. In the URL used recently—express[.]php?op=1—there appears to\r\nbe an option range from 1 to 3.[59]\r\nExfiltration\r\nOpen-source reporting from cybersecurity companies describes two different methods Kimsuky has used to\r\nexfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated\r\n117-bytes buffer (Exfiltration [TA0010]).\r\nThere was no indication that the actor destroyed computers during the observed exfiltrations, suggesting\r\nKimsuky’s intention is to steal information, not to disrupt computer networks. Kimsuky’s preferred method for\r\nsending or receiving exfiltrated information is through email, with their malware on the victim machine\r\nencrypting the data before sending it to a C2 server (Archive Collected Data [T1560]). Kimsuky also sets up\r\nauto-forward rules within a victim’s email account (Email Collection: Email Forwarding Rule [T1114.003]).\r\nKimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer to exfiltrate\r\nstolen data. The data is sent RSA-encrypted (Encrypted Channel: Symmetric Cryptography [T1573.001]).\r\nKimsuky’s malware constructs an 1120-bit public key and uses it to encrypt the 117-bytes buffer. 
The resulting\r\ndata file is saved in C:\\Program Files\\Common Files\\System\\Ole DB\\ (Data Staged: Local Data Staging\r\n[T1074.001]).[60]\r\nMitigations\r\nIndicators of Compromise\r\nKimsuky has used the domains listed in table 1 to carry out its objectives:\r\nFor a downloadable copy of IOCs, see AA20-301A.stix.\r\nTable 1: Domains used by Kimsuky\r\nTable 2: Redacted domains used by Kimsuky\r\n[REDACTED]/home/dwn[.]php?\r\nvan=101\r\n[REDACTED]/home/dwn[.]php?\r\nv%20an=101\r\n[REDACTED]/home/dwn[.]php?\r\nvan=102\r\n[REDACTED]/home/up[.]php?\r\nid=NQDPDE\r\n[REDACTED]/test/Update[.]php?\r\nwShell=201\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding\r\nthe incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. To request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov .\r\nDISCLAIMER\r\nThis information is provided \"as is\" for informational purposes only. The United States Government does not\r\nprovide any warranties of any kind regarding this information. 
In no event shall the United States Government or\r\nits contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special\r\nor consequential damages, arising out of, resulting from, or in any way connected with this information, whether\r\nor not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or\r\nnot injury was sustained from, or arose out of the results of, or reliance upon the information.\r\nThe United States Government does not endorse any commercial product or service, including any subjects of\r\nanalysis. Any reference to specific commercial products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the\r\nUnited States Government.\r\nReferences\r\n[1] Netscout: Stolen Pencil Campaign Targets Academia\r\n[2] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries\r\n[3] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries\r\n[4] Netscout: Stolen Pencil Campaign Targets Academia\r\n[5] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[6] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities\r\n[7] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[8] CrowdStrike: 2020 Global Threat Report\r\n[9] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure\r\n[10] PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2\r\n[11] CrowdStrike: 2020 Global Threat Report\r\n[12] Netscout: Stolen Pencil Campaign Targets Academia\r\n[13] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[15] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries\r\n[16] Malwarebytes: APTs and COVID-19: How advanced persistent threats 
use the coronavirus as a lure\r\n[17] cyberscoop: North Korea could accelerate commercial espionage to meet Kim’s economic deadline\r\n[18] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[19] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries\r\n[20] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[21] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks\r\n[22] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks\r\n[23] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries\r\n[24] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[25] Palo Alto Networks Unit 42: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and\r\nPCRat\r\n[26] McAfee: What is mshta, how can it be used and how to protect against it\r\n[27] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks\r\n[28] Netscout: Stolen Pencil Campaign Targets Academia\r\n[29] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[30] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. 
National Security Think Tanks\r\n[31] Netscout: Stolen Pencil Campaign Targets Academia\r\n[32] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[35] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[36] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs\r\n[37] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs\r\n[38] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[39] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[40] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[41] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[42] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[43] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[44] McAfee: What is mshta, how can it be used and how to protect against it\r\n[45] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities\r\n[46] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[47] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[48] Detecting credential theft through memory access modelling with Microsoft Defender ATP\r\n[49] MITRE ATT\u0026CK: Groups – Kimsuky\r\n[50] ZDNet: Cyber-espionage-group-uses-chrome-extension-to-infect-victims\r\n[51] ZDNet: Cyber-espionage-group-uses-chrome-extension-to-infect-victims\r\n[52] Netscout: Stolen Pencil Campaign Targets Academia\r\n[53] Netscout: Stolen Pencil Campaign Targets Academia\r\n[55] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[56] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[58] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\n[60] Securelist: The “Kimsuky” Operation: A North Korean APT?\r\nRevisions\r\nOctober 27, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-301a"
	],
	"report_names": [
		"aa20-301a"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ed4f9c96a95bab2e3097e06c62cc894324d18c3.pdf",
		"text": "https://archive.orkl.eu/5ed4f9c96a95bab2e3097e06c62cc894324d18c3.txt",
		"img": "https://archive.orkl.eu/5ed4f9c96a95bab2e3097e06c62cc894324d18c3.jpg"
	}
}