{
	"id": "6953da91-aa8f-47d0-bcbc-63c823fa3e2b",
	"created_at": "2026-04-06T01:31:52.853715Z",
	"updated_at": "2026-04-10T03:37:40.764793Z",
	"deleted_at": null,
	"sha1_hash": "a8edf171df1c5a7c53a0812f9f2391c3dbfa890a",
	"title": "North Korean Kimsuky hackers exposed in alleged data breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2562453,
	"plain_text": "North Korean Kimsuky hackers exposed in alleged data breach\r\nBy Bill Toulas\r\nPublished: 2025-08-11 · Archived: 2026-04-06 00:23:52 UTC\r\nThe North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers, who describe themselves as the opposite of Kimsuky's values, stole the group's data and leaked it publicly online.\r\nThe two hackers, named 'Saber' and 'cyb0rg,' cited ethical reasons for their actions, saying Kimsuky is \"hacking for all the wrong reasons,\" claiming they're driven by political agendas and follow regime orders instead of practicing the art of hacking independently.\r\n\"Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,\" reads the hackers' address to Kimsuky published in the latest issue of Phrack, which was distributed at the DEF CON 33 conference.\r\n\"You steal from others and favour your own. You value yourself above the others: You are morally perverted.\"\r\nThe hackers dumped a portion of Kimsuky's backend, exposing both their tooling and some of their stolen data that could provide insight into unknown campaigns and undocumented compromises.\r\nThe 8.9GB dump currently hosted on the 'Distributed Denial of Secrets' website contains, among other things:\r\nPhishing logs with multiple dcc.mil.kr (Defense Counterintelligence Command) email accounts.\r\nOther targeted domains: spo.go.kr, korea.kr, daum.net, kakao.com, naver.com.\r\nA .7z archive containing the complete source code of South Korea's Ministry of Foreign Affairs email platform (\"Kebi\"), including webmail, admin, and archive modules.\r\nReferences to South Korean citizen certificates and curated lists of university professors.\r\nA PHP \"Generator\" toolkit for building phishing sites with detection evasion and redirection tricks.\r\nLive phishing kits.\r\nUnknown binary archives (voS9AyMZ.tar.gz, Black.x64.tar.gz) and executables (payload.bin, payload_test.bin, s.x64.bin) not flagged in VirusTotal.\r\nCobalt Strike loaders, reverse shells, and Onnara proxy modules found in the VMware drag-and-drop cache.\r\nChrome history and configs linking to suspicious GitHub accounts (wwh1004.github.io, etc.), VPN purchases (PureVPN, ZoogVPN) via Google Pay, and frequent use of hacking forums (freebuf.com, xaker.ru).\r\nGoogle Translate use for Chinese error messages and visits to Taiwan government and military sites.\r\nBash history with SSH connections to internal systems.\r\nThe hackers note that some of the above are already known or previously documented, at least partially.\r\nHowever, the dump gives a new dimension to the data and provides interlinking between Kimsuky's tools and activities, exposing and effectively \"burning\" the APT's infrastructure and methods.\r\nBleepingComputer has contacted various security researchers to confirm the veracity of the leaked documents and their value and will update the story if we receive a response.\r\nWhile the breach will likely not have a long-term impact on Kimsuky's operations, it could lead to operational difficulties for Kimsuky and disruptions to ongoing campaigns.\r\nThe latest issue of Phrack (#72) is currently only available in a limited physical copy, but the online version should be ready for people to read for free in the following days from here.\r\nSource: https://www.bleepingcomputer.com/news/security/north-korean-kimsuky-hackers-exposed-in-alleged-data-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/north-korean-kimsuky-hackers-exposed-in-alleged-data-breach/"
	],
	"report_names": [
		"north-korean-kimsuky-hackers-exposed-in-alleged-data-breach"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439112,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8edf171df1c5a7c53a0812f9f2391c3dbfa890a.pdf",
		"text": "https://archive.orkl.eu/a8edf171df1c5a7c53a0812f9f2391c3dbfa890a.txt",
		"img": "https://archive.orkl.eu/a8edf171df1c5a7c53a0812f9f2391c3dbfa890a.jpg"
	}
}