{
	"id": "8ae34aac-860c-4ba3-9fbf-846e60682a61",
	"created_at": "2026-04-06T00:11:08.915001Z",
	"updated_at": "2026-04-10T03:37:41.070383Z",
	"deleted_at": null,
	"sha1_hash": "c156f8abf1bf45701c8278bcad86f33351c22bbf",
	"title": "Kimsuky (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72907,
	"plain_text": "Kimsuky (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:59:02 UTC\r\nThere is no description at this point.\r\n2025-07-25 ⋅ Aryaka Networks ⋅ Aditya K. Sood, varadharajan krishnasamy\r\nThe Operational Blueprint of Kimsuky APT for Cyber Espionage\r\nKimsuky 2024-12-10 ⋅ Hunt.io ⋅ Hunt.io\r\n“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure\r\nKimsuky 2023-05-22 ⋅ AhnLab ⋅ ASEC\r\nKimsuky Group Using Meterpreter to Attack Web Servers\r\nKimsuky Meterpreter 2023-01-01 ⋅ ThreatMon ⋅ Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team\r\nUnraveling the Layers: Analysis of Kimsuky's Multi-Staged Cyberattack\r\nKimsuky 2022-08-26 ⋅ cocomelonc\r\nMalware development: persistence - part 9. Default file extension hijacking. Simple C++ example.\r\nKimsuky 2022-08-09 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nPivoting on a SharpExt to profile Kimusky panels for great good\r\nKimsuky 2022-08-02 ⋅ ASEC ⋅ ASEC Analysis Team\r\nWord File Provided as External Link When Replying to Attacker’s Email (Kimsuky)\r\nKimsuky 2022-04-20 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware development: persistence - part 1. Registry run keys. C++ example.\r\nAgent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky 2022-01-05 ⋅\r\nAhnLab ⋅ ASEC Analysis Team\r\nAnalysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)\r\nAppleseed Kimsuky PEBBLEDASH 2021-10-07 ⋅ S2W Inc. ⋅ Jaeki Kim, Kyoung-ju Kwak, Sojun Ryu\r\nOperation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?\r\nAppleseed Kimsuky 2021-08-23 ⋅ InQuest ⋅ Dmitry Melikov\r\nKimsuky Espionage Campaign\r\nKimsuky 2020-12-15 ⋅ ⋅ KISA ⋅ KISA\r\nOperation MUZABI\r\nKimsuky 2020-06-12 ⋅ ThreatConnect ⋅ ThreatConnect Research Team\r\nProbable Sandworm Infrastructure\r\nAvaddon Emotet Kimsuky 2020-03-10 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang\r\nKimsuky group: tracking the king of the spear phishing\r\nKimsuky MyDogs 2020-03-04 ⋅ MetaSwan's Lab ⋅ MetaSwan\r\nKimsuky group's resume impersonation malware\r\nKimsuky 2020-02-19 ⋅ Lexfo ⋅ Lexfo\r\nThe Lazarus Constellation A study on North Korean malware\r\nFastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky\r\nPage 1 of 2\n\nHermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT\r\nPowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor 2020-02-18 ⋅ PWC UK ⋅ Kris McConkey, Sveva\r\nVittoria Scenarelli\r\nTracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1\r\nKimsuky 2019-10-04 ⋅ Virus Bulletin ⋅ Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang\r\nKimsuky group: tracking the king of the spear-phishing\r\nKimsuky 2019-09-11 ⋅ Prevailion ⋅ Danny Adamitis, Elizabeth Wharton\r\nAutumn Aperture\r\nKimsuky 2019-09-11 ⋅ Danny Adamitis\r\nAutumn Aperture Report\r\nKimsuky 2019-06-10 ⋅ ⋅ ESTsecurity ⋅ Alyac\r\n[Special Report] APT Campaign 'Konni' \u0026 'Kimsuky' Organizations Found in Common\r\nKimsuky\r\n[TLP:WHITE] win_kimsuky_auto (20251219 | Detects win.kimsuky.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
	],
	"report_names": [
		"win.kimsuky"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c156f8abf1bf45701c8278bcad86f33351c22bbf.pdf",
		"text": "https://archive.orkl.eu/c156f8abf1bf45701c8278bcad86f33351c22bbf.txt",
		"img": "https://archive.orkl.eu/c156f8abf1bf45701c8278bcad86f33351c22bbf.jpg"
	}
}