{ "id": "cd7b4f22-c85d-4c55-b324-348a550f0e54", "created_at": "2026-04-06T00:17:30.930743Z", "updated_at": "2026-04-10T03:37:40.743048Z", "deleted_at": null, "sha1_hash": "bcbedbd41093a081a75f4eb8d766fdda92d0496b", "title": "Kimsuky-linked hackers use similar tactics to attack Russia and South Korea, researchers say", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 74618, "plain_text": "Kimsuky-linked hackers use similar tactics to attack Russia and\r\nSouth Korea, researchers say\r\nBy Daryna Antoniuk\r\nPublished: 2024-09-09 · Archived: 2026-04-05 14:49:59 UTC\r\nThe threat actor known as Konni, which has been previously linked to the North Korean state-sponsored group\r\nKimsuky, is intensifying its attacks on South Korea and Russia, according to a recent report.\r\nThe group employs similar tactics, techniques and procedures in its attacks on both Moscow and Seoul, said\r\nresearchers at the South Korean cybersecurity company Genians. The primary goal of these attacks is cyber\r\nespionage.\r\nSince at least 2021, Konni has targeted the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia\r\nand several unnamed South Korean enterprises, including a tax law firm.\r\nFor example, in January 2022, Konni targeted Russian embassy diplomats during the winter holidays with emails\r\ncarrying New Year greetings in an attempt to infect them with malware. According to Genians, the group’s activity\r\ndates back to 2014 and continues to this day.\r\nThe suspected North Korean hackers use phishing emails to gain initial access to targeted systems, often using\r\ntopics such as taxes, scholarships and finance as lures in the malicious emails. Konni’s custom remote access\r\ntrojan grants the attackers full control over the infected systems.\r\nIn attacks on both Russia and South Korea, the group uses similar techniques to connect infected devices to\r\nhacker-controlled command servers (C2). In both cases, malicious modules are installed on victims' devices\r\nthrough executable files, and the process of connecting to the C2 server is carried out through internal commands,\r\naccording to Genians.\r\n“Threat actors have been using similar patterns and attack scenarios for years,” the researchers said. “However,\r\nthey are also combining anomalous attack tactics to increase their success rate.”\r\nResearchers noted that paying attention to the similarities between the group’s attacks in different countries could\r\nhelp security specialists better protect their entities and more accurately attribute the attacks.\r\nhttps://therecord.media/kimsuky-north-korea-hackers-targeting-russia-south-korea\r\nPage 1 of 2\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/kimsuky-north-korea-hackers-targeting-russia-south-korea\r\nhttps://therecord.media/kimsuky-north-korea-hackers-targeting-russia-south-korea\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/kimsuky-north-korea-hackers-targeting-russia-south-korea" ], "report_names": [ "kimsuky-north-korea-hackers-targeting-russia-south-korea" ], "threat_actors": [ { "id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4", "created_at": "2025-08-07T02:03:25.096857Z", "updated_at": "2026-04-10T02:00:03.659118Z", "deleted_at": null, "main_name": "NICKEL JUNIPER", "aliases": [ "Konni", "OSMIUM ", "Opal Sleet " ], "source_name": "Secureworks:NICKEL JUNIPER", "tools": [ "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "b43c8747-c898-448a-88a9-76bff88e91b5", "created_at": "2024-02-02T02:00:04.058535Z", "updated_at": "2026-04-10T02:00:03.545252Z", "deleted_at": null, "main_name": "Opal Sleet", "aliases": [ "Konni", "Vedalia", "OSMIUM" ], "source_name": "MISPGALAXY:Opal Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434650, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bcbedbd41093a081a75f4eb8d766fdda92d0496b.pdf", "text": "https://archive.orkl.eu/bcbedbd41093a081a75f4eb8d766fdda92d0496b.txt", "img": "https://archive.orkl.eu/bcbedbd41093a081a75f4eb8d766fdda92d0496b.jpg" } }