{
	"id": "d30d8bdc-5f87-4fc2-a690-9e7443d96c97",
	"created_at": "2026-04-06T00:18:53.547948Z",
	"updated_at": "2026-04-10T03:37:40.83894Z",
	"deleted_at": null,
	"sha1_hash": "b3b10833fa719fe24095c658906da3a7fd155c24",
	"title": "Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88191,
	"plain_text": "Suspected North Korean Cyber Espionage Campaign Targets\r\nMultiple Foreign Ministries and Think Tanks\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-02 10:47:31 UTC\r\nrevised on August 22, 2019\r\nAnomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the\r\nFrench government. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign\r\ntargeting three different countries’ Ministry of Foreign Affairs agencies. Also targeted were four research-oriented\r\norganisations including: Stanford University, the Royal United Services Institute (RUSI), a United Kingdom-based think tank, Congressional Research Service (CRS), a United States-based think tank, and five different\r\nemail service providers. There is an overlap of infrastructure with known North Korean actors, including the same\r\ndomain and shared hosting provider. Because of the links between one of the victims and their work on North\r\nKorean sanctions, we expect to see malicious actors continue to target the international staff involved in a similar\r\nofficial capacity.\r\nPrior to the release of this blog post, we have submitted the phishing sites to Google Safebrowsing and Microsoft\r\nfor blacklist consideration.\r\nTargeting of French Ministry of Europe and Foreign Affairs\r\nOn August 9, 2019, The Anomali Threat Research Team discovered a web page impersonating the French\r\nMinistry for Europe and Foreign Affairs (MEAE) online portal. The malicious host\r\n“portalis.diplomatie.gouv.fr.doc-view[.]work”[1] bears a strong resemblance to the legitimate site\r\n“diplomatie.gouv.fr”. When navigating to the suspicious subdomain, users are displayed with a phishing site\r\nmimicking the MEAE portal. According to the legitimate site, access is restricted to “MEAE agents”. 
The\r\nlegitimate website for “France Diplomatie”, describes MEAE agents as potentially working for one of 12 agencies\r\nfor the “Ministry for Europe and Foreign Affairs”. If an official from any of these agencies is able to login to the\r\nportal, then it is possible that all twelve of these agencies are potential victims, which includes:\r\nAgence Française de Développement (AFD)\r\nAgency for French Education Abroad (AEFE)\r\nAgricultural Research Centre for International Development (CIRAD)\r\nAtout France\r\nBusiness France\r\nCampus France and France Médias Monde\r\nCanal France International (CFI)\r\nExpertise France\r\nFrance Volontaires\r\nhttps://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z\r\nPage 1 of 10\n\nInstitut Français\r\nResearch Institute for Development (IRD)\r\nFaux login page for the portal of the Ministry of Europe and Foreign Affairs (MEAE)\r\nFigure 1 - Faux login page for the portal of the Ministry of Europe and Foreign Affairs (MEAE)\r\nThe screenshot above shows the webpage designed to look like the MEAE portal. The screenshot shows a session\r\ntimeout popup window for the victim who has attempted to login. In this instance, although not visibly clear, the\r\npage source shows the intended victim. This person was most likely targeted in a phishing campaign.\r\nPage source code for MEAE portal and victim email address\r\nFigure 2 - Page source code for MEAE portal and victim email address\r\nThe email in the page source code is for an employee of the target organisation. According to delegefrance[.]org,\r\nthe email address in the page source code belongs to a senior official assigned to the French Mission Team to the\r\nUnited Nations in New York. 
Moreover, this French diplomat works in the “Disarmament, Non-Proliferation,\r\nSanctions committees: Iran, North Korea, 1st Committee”.[2]\r\nThreat Infrastructure Analysis\r\nThe malicious URL “portalis.diplomatie.gouv.fr.doc-view[.]work” is mimicking a diplomatic portal on the\r\nmalicious domain “doc-view[.]work”. This domain is hosted on the IP 157.7.184[.]15 and has several subdomains\r\nthat appear to be designed to impersonate email providers. The IP address also appears to have several similar\r\ndomains and URLs that share some patterns in naming conventions.\r\nSimilar named domains hosted on the same IP address\r\nFigure 3 - Similar named domains hosted on the same IP address\r\nThe IP address 157.7.184[.]15 is hosted by the Asia Pacific Network Information Centre (APNIC). There are\r\nmultiple unrelated domains hosted on the same IP address because the IP address is shared. The IP is based in\r\nJapan and registered under the Japan Network Information Centre located in Tokyo.\r\nThe most recently used domains on this IP address that share the same naming conventions are the following four\r\ndomains:\r\nDomain 1 - doc-view[.]work\r\nThe domain doc-view[.]work is hosted on IP 157.7.184[.]15. The domain has 32 subdomains.[3] Most of the\r\nsubdomains appear to be spoofing email service providers Yahoo, Outlook, Ymail and Google services. 
Both the\r\ndomain and some of the subdomains appear to have been set up to look like they will allow the victim to access\r\ndocuments; the use of Microsoft OneDrive for example.\r\nAn overview of high profile phishing sites on domain doc-view[.]work\r\nFigure 4 - An overview of high profile phishing sites on domain doc-view[.]work\r\nFigure 4 above depicts the most interesting subdomains created for the domain doc-view[.]work to include two\r\nsubdomains set up to impersonate the MEAE login. We also identified a subdomain “securemail.stanford.doc-view[.]work” created by the malicious actor to mimic Stanford University’s Secure Email service.[4]\r\nAccording to\r\nStanford University IT Department’s website, the Secure Email service is designed for faculty and staff who need\r\nto use email to send moderate or high risk data. Of note, Stanford University hosts the Centre for International\r\nSecurity and Cooperation (CISAC) and the Asia Pacific Research Centre (APARC) - both of which are part of the\r\nFreeman Spogli Institute for International Studies. These research centres host a number of talks and deliver\r\nresearch on a variety of international issues including ongoing developments in North Korea.\r\nScreenshot of Stanford University’s Secure Email-themed phishing site securemail.stanford.doc-view[.]work\r\nFigure 5 - Screenshot of Stanford University’s Secure Email-themed phishing site securemail.stanford.doc-view[.]work\r\nThe submitted URL in URLScan.io, an online service for scanning and analyzing websites, shows the potential\r\nvictim in the available screenshot, confirming the target institution as Stanford University. 
A search in the\r\nStanford Directory did not reveal anyone associated with this email address at Stanford University.\r\nWhen investigating SSL/TLS certificates issued for the domain doc-view[.]work, there were five other fraudulent\r\nsubdomains spoofing two think tanks, two foreign government agencies, and a United Nations organization.\r\nCongressional Research Service, a United States-based think tank\r\nMinistry of Foreign and European Affairs of the Slovak Republic\r\nMinistry of Foreign Affairs - Unknown country\r\nRoyal United Services Institute (RUSI), a United Kingdom-based think tank\r\nSouth African Department of International Relations and Cooperation\r\nUnited Nations delegation\r\nDomain 2. app-support[.]work\r\nThe domain app-support[.]work is hosted on the same IP address 157.7.184[.]15. The domain has a number of\r\nsubdomains that look like they are attempting to impersonate popular email providers such as Yahoo and Gmail.\r\nThe use of the domain “app-support” suggests the campaigns associated with this domain may be targeting smart-phones or Apple devices, because of the use of the word “app”.\r\nAn overview of phishing sites associated with the domain app-support[.]work\r\nFigure 6 - An overview of phishing sites associated with the domain app-support[.]work\r\nHigh profile targets in the above diagram include:\r\nSina - A Chinese technology company\r\nDomain 3. web-line[.]work\r\nThe domain web-line[.]work is hosted on the IP 157.7.184[.]15. The domain has a number of subdomains that\r\nappear to be mimicking well-known online services such as Google’s Gmail and Microsoft’s OneDrive.\r\nInterestingly, the domain owner also created a seemingly identical MEAE-themed subdomain\r\n“portalis.diplomatie.gouv.web-line[.]work” that presumably attempts to mimic the MEAE portal. 
At the time of\r\nthis report, the website was unresponsive; therefore, we were unable to obtain a screenshot of the page or analyze\r\nthe site’s source code. Due to the domain name and infrastructure similarities of the original discovery, we judge\r\nwith moderate confidence that the second subdomain was most likely created to target MEAE using the same\r\ntechniques discussed above.\r\nAn overview of phishing sites associated with the domain web-line[.]work\r\nFigure 7 - An overview of phishing sites associated with the domain web-line[.]work\r\nIn Figure 7, we highlight several high profile organizations targeted by the attackers. The following list reflects the\r\nmost interesting targets in the overview of subdomains:\r\nMail.fed.be - possible attempt to target the Federal government of Belgium\r\nMinistry of Europe and Foreign Affairs - France (MEAE)\r\nMinistry of Foreign Affairs (MOFA) - unknown country\r\nSina - a Chinese technology company\r\nThe Department of International Relations and Cooperation - The foreign ministry of the South African\r\ngovernment\r\nDomain 4. sub-state[.]work\r\nWhen investigating passive DNS results on the same IP address 157.7.184[.]15, the domain “sub-state[.]work”\r\nwas discovered. This domain has ten subdomains that follow the same naming conventions as the ones mentioned\r\nalready.\r\nAn overview of phishing sites hosted on domain sub-state[.]work\r\nFigure 8 - An overview of phishing sites hosted on domain sub-state[.]work\r\nIn Figure 8 it is possible to see subdomains impersonating the following organisations:\r\nAsahi News organisation - one of five major newspapers in Japan\r\nMinistry of Foreign Affairs - South Korea\r\nWho’s Behind These Attacks?\r\nThe IP address 157.7.184[.]15 is shared and therefore home to both legitimate and malicious activity. However,\r\nthere is an overlap in infrastructure in a recent North Korean campaign called “Smoke Screen” reported on by\r\nESTSecurity in April 2019[5]. 
The domain “bigwnet[.]com” was reportedly used as a command and control (C2)\r\nfor the Kimsuky Babyshark network trojan, which is also hosted on the same IP address. The Kimsuky Babyshark\r\nnetwork trojan is associated with North Korea.\r\nAccording to DomainWatch, an online service that collects domain registrant information, there is a registrant\r\nemail address that appears to link a number of the aforementioned domains: ringken1983[at]gmail.com.[6]\r\nWhois information for the domain doc-view[.]work\r\nFigure 9 - Whois information for the domain doc-view[.]work\r\nDomainWatch also shows that the following domains are registered with the same email address:\r\nDomains registered with the email address ringken1983[at]gmail[.]com\r\nFigure 10 - Domains registered with the email address ringken1983[at]gmail[.]com\r\nThere are two other registrant emails identified for two related domains: “web-line[.]work” and “drog-service[.]com”.\r\nDomains registered with email address dragon1988[at]india[.]com\r\nFigure 11 - Domains registered with email address dragon1988[at]india[.]com\r\nDomains registered with email address okonoki_masao[at]yahoo[.]co.jp\r\nFigure 12 - Domains registered with email address okonoki_masao[at]yahoo[.]co.jp\r\nThe domain “Dauum[.]net” appears to be mimicking the South Korean web portal, Daum, which is an email\r\nprovider among other services. In January 2019, North Korean actors were reported to have been targeting the\r\nDaum, Naver, and kakaoTalk services (all popular South Korean services), registering a number of similar-looking\r\ndomains.[7]\r\nConclusion\r\nMany of the organisations targeted in this campaign offer insight for strategic direction and goals of a particular\r\ncountry (South Korea for example). 
The targeting of foreign ministries for four different countries, and the\r\npersistent attempt to masquerade as email or online document services is most likely to gain access to the victim’s\r\nsensitive communications and/or information. The purpose of this campaign is likely to gain access to the\r\ninformation, but it is difficult to know exactly what the end goal is for the adversary. After gaining access to the\r\ninternal email service of an organisation, it is possible to compromise the organisation in many other ways. Whilst\r\nresearching this campaign, many of the domains were not active, although most were registered this year. It might\r\nbe that the adversary has been waiting to use the infrastructure for a future attack. There is an overlap with North\r\nKorean indicators in this research, and similar targeting to previous campaigns already reported.\r\nEndnotes\r\n[1]\r\n URLScan, “portalis.diplomatie.gouv.web-line[.]work,” urlscan.io, accessed August 9, 2019, submitted July 23,\r\n2019, https://urlscan.io/result/7e347bdc-8e0e-485b-93b2-6df2b919d768/.\r\n[2]\r\n The French Mission Team, “Permanent mission of France to the United Nations in New York,” Ministry of\r\nEurope and Foreign Affairs, accessed August 12, 2019, https://onu.delegfrance.org/The-French-Mission-Team-8786.\r\n[3]\r\n Censys, “doc-view[.]work,” Censys Certificate Search, accessed August 9, 2019, https://censys.io/certificates?\r\nq=%22doc-view.work%22.\r\n[4]\r\n Stanford University, “Email:Secure Email: Email for Moderate and High Risk Data,” accessed August 14,\r\n2019, published November 8, 2018, https://uit.stanford.edu/service/secureemail.\r\n[5]\r\n Alyac, “Kimsuky’s APT Campaign ‘Smoke Screen’ Revealed for Korea and US,” ESTsecurity, accessed\r\nAugust 14, 2019, published April 17, 2019, 
https://blog.alyac.co.kr/2243.\r\n[6]\r\n DomainWatch, “doc-view[.]work,” DomainWatch WhoIs, accessed August 12, 2019,\r\nhttps://domainwat.ch/whois/doc-view.work.\r\n[7]\r\n BRI, “#1267555: Konni Campaign Targetting Mobiles - Additional IOCs,” BRI Alert, accessed August 14,\r\n2019, published July 15, 2019, https://brica.de/alerts/alert/public/1267555/konni-campaign-targetting-mobiles-additional-iocs/.\r\nAppendix A - Indicators of Compromise\r\nThe table below represents the malicious infrastructure and basic description of each indicator of compromise\r\nobserved in the phishing campaign:\r\nIndicators of Compromise Description\r\n157.7.184[.]15 Shared hosting server with multiple suspicious and phishing sites\r\ndoc-view[.]work Malicious domain\r\nweb-line[.]work Malicious domain\r\napp-support[.]work Malicious domain\r\nlogin-confirm[.]work Malicious domain\r\nmember-service[.]work Malicious domain\r\nshort-line[.]work Malicious domain\r\nalone-service[.]work Malicious domain\r\nminner[.]work Malicious domain\r\ncom-main[.]work Malicious domain\r\nsub-state[.]work Malicious domain\r\ncheck-up[.]work Malicious domain\r\nportalis.diplomatie.gouv.web-line[.]work Phishing site mimicking the Ministry of Europe and Foreign\r\nAffairs (MEAE) portal\r\naccount.googlie.com.doc-view[.]work Phishing site\r\ncrsreports.congress.doc-view[.]work Phishing site mimicking the Congressional Research Service\r\ndelegate.int.doc-view[.]work\r\nPhishing site likely to be mimicking the United Nations delegate\r\nlogin\r\ndrive.google.doc-view[.]work Phishing site\r\ndrive.storage.com.doc-view[.]work Phishing site\r\ndrives.google.doc-view[.]work Phishing site\r\nhostmaster.doc-view[.]work Phishing site\r\nlogin-history.doc-view[.]work Phishing site\r\nlogin-onedrive.doc-view[.]work Phishing 
site\r\nlogin.live.doc-view[.]work Phishing site\r\nlogin.outlook.doc-view[.]work Phishing site\r\nlogin.yahoo-sec.doc-view[.]work Phishing site\r\nlogin.yahoo.doc-view[.]work Phishing site\r\nlogin.ymail.doc-view[.]work Phishing site\r\nmail.doc-view[.]work Phishing site\r\nmail.mofa.gov.doc-view[.]work\r\nPhishing site mimicking the Ministry of Foreign Affairs (MOFA) -\r\nunknown country\r\nmail.preview.doc-view[.]work Phishing site\r\nmail.sec.doc-view[.]work Phishing site\r\nmail.view.doc-view[.]work Phishing site\r\nmail.xmailgateway.doc-view[.]work Phishing site\r\nmyaccount.google.doc-view[.]work Phishing site\r\nmyaccount.protect.doc-view[.]work Phishing site\r\nmyaccount.setting.doc-view[.]work Phishing site\r\nmzv.sk.doc-view[.]work\r\nPhishing site mimicking the Ministry of Foreign and European\r\nAffairs of the Slovak Republic\r\none-drive.storage.doc-view[.]work Phishing site\r\nonedrive.com.doc-view[.]work Phishing site\r\nportalis.diplomatie.gouv.doc-view[.]work\r\nPhishing site mimicking the Ministry of Europe and Foreign\r\nAffairs (MEAE) portal\r\nportalis.diplomatie.gouv.fr.doc-view[.]work Phishing site mimicking the Ministry of Europe and Foreign\r\nAffairs (MEAE) portal\r\nrusi.org.doc-view[.]work Phishing site mimicking the UK think tank RUSI\r\nsecuremail.stanford.doc-view[.]work Phishing site mimicking Stanford University\r\nubmail.dirco.gov.doc-view[.]work\r\nPhishing site mimicking the Department of International Relations\r\nand Cooperation of the Foreign Ministry of the South African\r\ngovernment\r\nwww.str8-creative.com.doc-view[.]work\r\nPhishing site\r\nrive.storage.com.doc-view[.]work Phishing site\r\nlogin.yalnoo-sec.doc-view[.]work Phishing site\r\nlogin.onedrive-storage.doc-view[.]work\r\nPhishing site\r\ndavid.gizmodo.com.doc-view[.]work Phishing 
site\r\ndrive.storage.login-confirm[.]work Phishing site\r\nshare.doc.login-confirm[.]work Phishing site\r\naccounts.live.com.member-service[.]work\r\nPhishing site\r\naccounts.msn.com.member-service[.]work\r\nPhishing site\r\naccounts.outlooks.com.member-service[.]work\r\nPhishing site\r\nccounts.outlooks.com.member-service[.]work\r\nPhishing site\r\nedit.accounts.member-service[.]work Phishing site\r\nmaii.ocn-accounts.member-service[.]work\r\nPhishing site\r\nmail.ocn-accounts.member-service[.]work\r\nPhishing site\r\nlogin.outlook.short-line[.]work Phishing site\r\n1drv.ms.web-line[.]work Phishing site\r\ndrive.storage.com.web-line[.]work Phishing site\r\nhostingemail.digitalspace.web-line[.]work\r\nPhishing site\r\nlogin.live.web-line[.]work Phishing site\r\nmail.fed.be.web-line[.]work Phishing site\r\nmail.mofa.gov.web-line[.]work Phishing site\r\nmail.xmailgateway.web-line[.]work Phishing site\r\nportalis.diplomatie.gouv.web-line[.]work\r\nPhishing site\r\nubmail.dirco.gov.web-line[.]work Phishing site\r\nedit-accounts.ntt-ocn.alone-service[.]work\r\nPhishing site\r\nlogin-accounts.yahoojp.minner[.]work Phishing site\r\nlogin-accounts.yaoojp.minner[.]work Phishing site\r\nlogin.live.com-main[.]work Phishing site\r\nlogin.ymail.com-main[.]work Phishing site\r\nmail.mofa.go.kr.sub-state[.]work Phishing site\r\naccounts.ocn-setting.app-support[.]work\r\nPhishing site\r\nlogin-accounts.view.app-support[.]work\r\nPhishing site\r\nlogin.yahoo.app-support[.]work Phishing site\r\nloing-accounts.view.app-support[.]work\r\nPhishing site\r\nmyaccount.google-monitor.app-support[.]work\r\nPhishing site\r\nmyaccounts.google-set.app-support[.]work\r\nPhishing site\r\nvip-sina.com.cn.app-support[.]work Phishing site\r\naccounts.lives.com.check-up[.]work Phishing site\r\naccounts.msn.com.check-up[.]work Phishing site\r\naccounts.outlookes.check-up[.]work Phishing site\r\naccounts.outlooks.check-up[.]work Phishing site\r\nlh.yahoojp.check-up[.]work Phishing site\r\nmail.ocn-accounts.check-up[.]work Phishing site\r\nringken1983[at]gmail[.]com Adversary email address used to register domains\r\ndragon1988[at]india[.]com Adversary email address used to register domains\r\nokonoki_masao[at]yahoo[.]co[.]jp Adversary email address used to register domains\r\nFor more information, contact Joe Franscella: jfranscella@anomali.com\r\nSource: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z"
	],
	"report_names": [
		"suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3b10833fa719fe24095c658906da3a7fd155c24.pdf",
		"text": "https://archive.orkl.eu/b3b10833fa719fe24095c658906da3a7fd155c24.txt",
		"img": "https://archive.orkl.eu/b3b10833fa719fe24095c658906da3a7fd155c24.jpg"
	}
}