{
	"id": "c0f4110f-7da2-4cc6-a751-e99afb5b0738",
	"created_at": "2026-04-06T00:18:21.426803Z",
	"updated_at": "2026-04-10T03:37:41.165656Z",
	"deleted_at": null,
	"sha1_hash": "60308c22e4126b2bd0c1a695ad7d88e3f50c6325",
	"title": "Kimsuky, Velvet Chollima - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123825,
	"plain_text": "Kimsuky, Velvet Chollima - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:23:08 UTC\nAPT group: Kimsuky, Velvet Chollima\nNames\nKimsuky (Kaspersky)\nVelvet Chollima (CrowdStrike)\nThallium (Microsoft)\nBlack Banshee (PWC)\nSharpTongue (Volexity)\nITG16 (IBM)\nTA406 (Proofpoint)\nTA427 (Proofpoint)\nAPT 43 (Mandiant)\nARCHIPELAGO (Google)\nEmerald Sleet (Microsoft)\nKTA082 (Kroll)\nUAT-5394 (Talos)\nSparkling Pisces (Palo Alto)\nSpringtail (Symantec)\nLarva-24005 (AhnLab)\nLarva-25004 (AhnLab)\nG0094 (MITRE)\nG0086 (MITRE)\nCountry North Korea\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2012\nDescription\n(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean th\nare multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encou\nsomewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is r\nmany amateur virus-writers and these malware attacks are mostly ignored.\nObserved\nSectors: Defense, Education, Energy, Government, Healthcare, Manufacturing, Think Tanks and Ministry of Unification, and Korea Institute for Defense Analyses.\nCountries: Japan, South Korea, Thailand, Ukraine, USA, Vietnam and Europe.\nTools used\nAppleSeed, BabyShark, BITTERSWEET, CSPY Downloader, FlowerPower, Gh0st RAT, Gold Dragon, Grease, KGH_SP\nKimsuky, KPortScan, MailPassView, Mechanical, Mimikatz, MoonPeak, MyDogs, Network Password Recovery, ProcDu\nReconShark, Remote Desktop PassView, SHARPEXT, SmallTiger, SniffPass, SWEETDROP, TODDLERSHARK, TRAN\nStealer, VENOMBITE, WebBrowserPassView, xRAT, Living off the Land.\nOperations performed\n2013\nFor several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean\n2014\nThe South Korean government issued a report today blaming North Korea for network intrusions that stole\nHydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the\nreport stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of th\nafter the intrusion. They also threatened 'destruction' in a message posted to Twitter.\nMar 2018\nOperation “Baby Coin”\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f\nPage 1 of 5\nMay 2018\nOperation “Stolen Pencil”\nASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil tha\nacademic institutions since at least May 2018.\nOct 2018\nOperation “Mystery Baby”\nNov 2018\nThe spear phishing emails were written to appear as though they were sent from a nuclear security expert w\nworks as a consultant for in the U.S. The emails were sent using a public email address with the expert’s na\nsubject referencing North Korea’s nuclear issues.\nApr 2019\nOperation “Smoke Screen”\nJul 2019\nOperation “Red Salt”\nJul 2019\nIn what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been tar\nSouth Korean diplomats, government, and military officials.\nTargets of this recent campaign include former ambassadors, military generals, and retired members of Sou\nMinistry and Unification Ministry.\nFeb 2020\nWe decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in Febru\nMar 2020\nAccording to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korea\nmalware inside documents detailing South Korea's response to the COVID-19 epidemic.\nThe documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabySha\nstrain previously utilized by a North Korean hacker group known as Kimsuky.\nDec 2020\nWe discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign\nstock trading application.\nDec 2020\nKimsuky APT continues to target South Korean government using AppleSeed backdoor\n2021\nTriple Threat: North Korea-Aligned TA406 Steals, Scams and Spies\nMay 2021\nSouth Korean officials said on Friday that hackers believed to be operating out of North Korea breached the\nof the South Korean Atomic Energy Research Institute (KAERI), the government organization that conduct\nnuclear power and nuclear fuel technology.\nJun 2021\nNorth Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets\nSep 2021\nSharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”\nEarly 2022\nKimsuky’s GoldDragon cluster and its C2 operations\nApr 2022\nOperation “Covert Stalker”\nOct 2022\nUnveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware\n2023\nKimsuky Evolves Reconnaissance Capabilities in New Global Campaign\nMar 2023\nCHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)\nMar 2023\nNorth Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign\nMar 2023\nOneNote Malware Disguised as Compensation Form (Kimsuky)\nApr 2023\nDPRK hacking groups breach South Korean defense contractors\nMay 2023\nKimsuky Group Using Meterpreter to Attack Web Servers\nMay 2023\nKimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel\nMay 2023\nOngoing Campaign Using Tailored Reconnaissance Toolkit\nMay 2023\nNorth Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media\nJun 2023\nMalware Disguised as HWP Document File (Kimsuky)\nJul 2023\nKimsuky Threat Group Using Chrome Remote Desktop\nJul 2023\nMalicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)\nAug 2023\nNorth Korean hackers target U.S.-South Korea military drills, police say\nOct 2023\nKimsuky Threat Group Uses RDP to Control Infected Systems\nNov 2023\nKimsuky Targets South Korean Research Institutes with Fake Import Declaration\nNov 2023\nSmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)\nDec 2023\nKimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)\n2024\nOperation “DEEP#GOSU”\nAnalysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting\nStealthy Malware\nJan 2024\nTrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)\nJan 2024\nNorth Korean hackers exploit VPN update flaw to install malware\nMar 2024\nKimsuky deploys TRANSLATEXT to target South Korean academia\nMay 2024\nNorth Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign\nMay 2024\nSpringtail: New Linux Backdoor Added to Toolkit\nJun 2024\nKeylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)\nJun 2024\nMoonPeak malware from North Korean actors unveils new details on attacker infrastructure\nJul 2024\nAPT Group Kimsuky Targets University Researchers\nSep 2024\nNorth Korea Hackers Linked to Breach of German Missile Manufacturer\nSep 2024\nNorth Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks\nSep 2024\nHow North Korean APT groups exploit DMARC misconfigurations — and what you can do about it\nJan 2025\nDPRK hackers dupe targets into typing PowerShell commands as admin\nFeb 2025\nOperation “DEEP#DRIVE”\nAnalyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targete\nFeb 2025\nPhishing Email Attacks by the Larva-24005 Group Targeting Japan\nFeb 2025\nTA406 Pivots to the Front\nMar 2025\nInside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads\nJun 2025\nWarning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)\nCounter operations\nDec 2019\nMicrosoft takes court action against fourth nation-state cybercrime group\nFeb 2025\nOpenAI bans ChatGPT accounts used by North Korean hackers\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f"
	],
	"report_names": [
		"showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ba8d5b9-9035-4f18-94bc-eb6c7f497382",
			"created_at": "2025-03-07T02:00:03.800683Z",
			"updated_at": "2026-04-10T02:00:03.828496Z",
			"deleted_at": null,
			"main_name": "Larva-24005",
			"aliases": [],
			"source_name": "MISPGALAXY:Larva-24005",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0e9d99dc-01ad-49a5-8357-5f147d38559b",
			"created_at": "2024-09-20T02:00:04.587227Z",
			"updated_at": "2026-04-10T02:00:03.701875Z",
			"deleted_at": null,
			"main_name": "UAT-5394",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5394",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60308c22e4126b2bd0c1a695ad7d88e3f50c6325.pdf",
		"text": "https://archive.orkl.eu/60308c22e4126b2bd0c1a695ad7d88e3f50c6325.txt",
		"img": "https://archive.orkl.eu/60308c22e4126b2bd0c1a695ad7d88e3f50c6325.jpg"
	}
}