Kimsuky, Velvet Chollima - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:23:08 UTC

APT group: Kimsuky, Velvet Chollima

Names: Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PWC), SharpTongue (Volexity), ITG16 (IBM), TA406 (Proofpoint), TA427 (Proofpoint), APT 43 (Mandiant), ARCHIPELAGO (Google), Emerald Sleet (Microsoft), KTA082 (Kroll), UAT-5394 (Talos), Sparkling Pisces (Palo Alto), Springtail (Symantec), Larva-24005 (AhnLab), Larva-25004 (AhnLab), G0094 (MITRE), G0086 (MITRE)

Country: North Korea
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2012

Description (Kaspersky)
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean th are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encou somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is r many amateur virus-writers and these malware attacks are mostly ignored.

Observed
Sectors: Defense, Education, Energy, Government, Healthcare, Manufacturing, Think Tanks and Ministry of Unification, and Korea Institute for Defense Analyses.
Countries: Japan, South Korea, Thailand, Ukraine, USA, Vietnam and Europe.

Tools used
AppleSeed, BabyShark, BITTERSWEET, CSPY Downloader, FlowerPower, Gh0st RAT, Gold Dragon, Grease, KGH_SP Kimsuky, KPortScan, MailPassView, Mechanical, Mimikatz, MoonPeak, MyDogs, Network Password Recovery, ProcDu ReconShark, Remote Desktop PassView, SHARPEXT, SmallTiger, SniffPass, SWEETDROP, TODDLERSHARK, TRAN Stealer, VENOMBITE, WebBrowserPassView, xRAT, Living off the Land.

Operations performed
2013: For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean
2014: The South Korean government issued a report today blaming North Korea for network intrusions that stole Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of th after the intrusion. They also threatened 'destruction' in a message posted to Twitter.
Mar 2018: Operation “Baby Coin”
May 2018: Operation “Stolen Pencil”
    ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil tha academic institutions since at least May 2018.
Oct 2018: Operation “Mystery Baby”
Nov 2018: The spear phishing emails were written to appear as though they were sent from a nuclear security expert w works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s na subject referencing North Korea’s nuclear issues.
Apr 2019: Operation “Smoke Screen”
Jul 2019: Operation “Red Salt”
Jul 2019: In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been tar South Korean diplomats, government, and military officials. Targets of this recent campaign include former ambassadors, military generals, and retired members of Sou Ministry and Unification Ministry.
Feb 2020: We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in Febru
Mar 2020: According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korea malware inside documents detailing South Korea's response to the COVID-19 epidemic. The documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabySha strain previously utilized by a North Korean hacker group known as Kimsuky.
Dec 2020: We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign stock trading application.
Dec 2020: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
2021: Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
May 2021: South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conduct nuclear power and nuclear fuel technology.
Jun 2021: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
Sep 2021: SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
Early 2022: Kimsuky’s GoldDragon cluster and its C2 operations
Apr 2022: Operation “Covert Stalker”
Oct 2022: Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
2023: Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
Mar 2023: CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
Mar 2023: North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign
Mar 2023: OneNote Malware Disguised as Compensation Form (Kimsuky)
Apr 2023: DPRK hacking groups breach South Korean defense contractors
May 2023: Kimsuky Group Using Meterpreter to Attack Web Servers
May 2023: Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel
May 2023: Ongoing Campaign Using Tailored Reconnaissance Toolkit
May 2023: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
Jun 2023: Malware Disguised as HWP Document File (Kimsuky)
Jul 2023: Kimsuky Threat Group Using Chrome Remote Desktop
Jul 2023: Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)
Aug 2023: North Korean hackers target U.S.-South Korea military drills, police say
Oct 2023: Kimsuky Threat Group Uses RDP to Control Infected Systems
Nov 2023: Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
Nov 2023: SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
Dec 2023: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
2024: Operation “DEEP#GOSU”
    Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Stealthy Malware
Jan 2024: TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
Jan 2024: North Korean hackers exploit VPN update flaw to install malware
Mar 2024: Kimsuky deploys TRANSLATEXT to target South Korean academia
May 2024: North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign
May 2024: Springtail: New Linux Backdoor Added to Toolkit
Jun 2024: Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
Jun 2024: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Jul 2024: APT Group Kimsuky Targets University Researchers
Sep 2024: North Korea Hackers Linked to Breach of German Missile Manufacturer
Sep 2024: North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
Sep 2024: How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it
Jan 2025: DPRK hackers dupe targets into typing PowerShell commands as admin
Feb 2025: Operation “DEEP#DRIVE”
    Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targete
Feb 2025: Phishing Email Attacks by the Larva-24005 Group Targeting Japan
Feb 2025: TA406 Pivots to the Front
Mar 2025: Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
Jun 2025: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)

Counter operations
Dec 2019: Microsoft takes court action against fourth nation-state cybercrime group
Feb 2025: OpenAI bans ChatGPT accounts used by North Korean hackers

Last change to this card: 16 August 2025
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f