{
	"id": "44282bb5-b487-4bcf-8ffa-2a239f2fafa6",
	"created_at": "2026-04-06T00:07:35.799087Z",
	"updated_at": "2026-04-10T13:11:37.160079Z",
	"deleted_at": null,
	"sha1_hash": "9c1d7e0ef17c685e48f4cd36f12abb92a0f19025",
	"title": "Rewterz Threat Alert – North Korean APT Kimsuky Aka Black Banshee - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42349,
	"plain_text": "Rewterz Threat Alert – North Korean APT Kimsuky Aka Black\r\nBanshee - Active IOCs - Rewterz\r\nPublished: 2024-01-23 · Archived: 2026-04-02 10:37:17 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nKimsuky is a North Korean advanced persistent threat (APT) group, also known as “Black Banshee”. The group\r\nhas been active since at least 2012 and is believed to be state-sponsored. Kimsuky is known for conducting cyber\r\nespionage operations and targeting organizations and individuals in various countries, including South Korea,\r\nJapan, and the United States. The group has been observed using various techniques to compromise its targets,\r\nsuch as phishing attacks, malware infections, and supply chain attacks. The group’s ultimate goals and motivations\r\nare not well understood, but they are generally believed to be focused on intelligence gathering and political or\r\neconomic gain. The tactics, techniques, and procedures (TTPs) used by the Kimsuky APT group are constantly\r\nevolving, but some of their most commonly used methods include:\r\nPhishing attacks: The group has been known to send phishing emails that contain malicious attachments or\r\nlinks to compromised websites.\r\nMalware infections: Kimsuky has been observed using various types of malware, including remote access\r\ntrojans (RATs), backdoors, and wiper malware.\r\nSupply chain attacks: The group has been known to compromise legitimate software or websites to\r\ndistribute malware to a wider audience.\r\nLateral movement: Once the group has compromised a target, they use techniques such as network\r\nscanning, password cracking, and privilege escalation to move laterally within the victim’s network.\r\nData exfiltration: Kimsuky has been observed using various methods to steal data from its targets,\r\nincluding command-and-control servers, cloud storage services, and removable media.\r\nIn October 2022, Kimsuky was observed using mobile malware to target Android devices. Researchers gave the\r\nmalicious APKs the names FastFire, FastViewer, and FastSpy by including the word Fast in the package name and\r\ndescribing each one’s characteristics. This group has been conducting constant attacks on mobile devices to steal\r\nthe target’s information. Their sophisticated technique is Firebase, a standard service employed as the C\u0026C server\r\nin FastFire. Furthermore, some attempts are being made to avoid detection by modifying Androspy, an open-source RAT. Sophisticated attack vectors, similar to FastViewer, are utilized to attack specified targets, and\r\nexisting open sources are being leveraged to produce high-performance variations such as FastSpy. FastViewer\r\nand FastSpy were employed to attack South Koreans and all three APKs. The mobile targeting approach of the\r\nKimsuky group is becoming more advanced, thus it is important to be cautious about sophisticated attacks aimed\r\nat Android smartphones or devices.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/\r\nPage 1 of 2\n\nIn May 2023, the Kimsuky group was observed using a new version of its reconnaissance malware, called\r\nReconShark (an evolution of the threat actor’s BabyShark malware toolset), in a global cyberespionage campaign.\r\nThe malware is designed to gather information on targeted systems and exfiltrate that data back to the attackers. It\r\nis believed that the group uses this information to gain access to sensitive networks and steal valuable intellectual\r\nproperty.\r\nImpact\r\nData Theft and Espionage\r\nSensitive Data Exposure\r\nIndicators of Compromise\r\nDomain Name\r\nlfpa.website\r\nMD5\r\n97ba3c7b95aac463c4c561c5f940bbf8\r\nSHA-256\r\n35ddb63c0729a7e3019c026865ea195607a51943d8867607a26c006f0df6e594\r\nSHA-1\r\n13c2c93022576a173226f10e35c64c83b495f868\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for Indicators of compromise (IOCs) in your environment utilizing your respective security\r\ncontrols.\r\nEmails from unknown senders should always be treated with caution.\r\nNever trust or open links and attachments received from unknown sources/senders.\r\nIt is also recommended that individuals and organizations use secure and encrypted communication\r\nchannels, such as VPNs and encrypted email when transmitting sensitive information.\r\nAdditionally, the use of multi-factor authentication can help to reduce the risk of sensitive information\r\nbeing stolen by attackers.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/"
	],
	"report_names": [
		"rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c1d7e0ef17c685e48f4cd36f12abb92a0f19025.pdf",
		"text": "https://archive.orkl.eu/9c1d7e0ef17c685e48f4cd36f12abb92a0f19025.txt",
		"img": "https://archive.orkl.eu/9c1d7e0ef17c685e48f4cd36f12abb92a0f19025.jpg"
	}
}