{
	"id": "e09ec81e-6b36-4fb5-9308-41dd74d779e6",
	"created_at": "2026-04-06T00:13:05.098219Z",
	"updated_at": "2026-04-10T03:37:40.891522Z",
	"deleted_at": null,
	"sha1_hash": "c2ca2a64788473881893fb6dcedc72df4a567794",
	"title": "Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1358970,
	"plain_text": "Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign\r\nBy Tom Hegel\r\nPublished: 2023-05-04 · Archived: 2026-04-05 15:54:42 UTC\r\nBy Tom Hegel and Aleksandar Milenkoski\r\nExecutive Summary\r\nSentinelLABS has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe.\r\nOngoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.\r\nReconShark functions as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a wider set of activity we confidently attribute to North Korea.\r\nBackground\r\nKimsuky is a North Korean advanced persistent threat (APT) group with a long history of targeted attacks across the world. Current understanding of the group indicates they have been primarily assigned to intelligence collection and espionage operations in support of the North Korean government since at least 2012. In 2018 the group was observed deploying a malware family dubbed BabyShark, and our latest observations indicate the group has evolved the malware with an expanded reconnaissance capability – we refer to this BabyShark component as ReconShark.\r\nTargeted Organizations\r\nHistorically, Kimsuky targets have been located across countries in North America, Asia, and Europe. 
In the group’s latest campaigns, they continue their global targeting themed around various ongoing geopolitical topics. For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.\r\nIn a recent campaign Kimsuky targeted the staff of Korea Risk Group (KRG), the information and analysis firm specializing in matters directly and indirectly impacting the Democratic People’s Republic of Korea (DPRK). We applaud KRG’s willingness to publicly share our analysis of attacks against them so the wider cybersecurity community can use this intelligence for an expanded understanding of the Kimsuky threat actor and in their own hunting and detection efforts. Our assessment is that the same campaign has been used to continue targeting other organizations and individuals in at least the United States, Europe, and Asia, including think tanks, research universities, and government entities.\r\nhttps://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/\r\nPage 1 of 9\r\nInitial Access Targeting\r\nFor the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual cues, appearing legitimate to unsuspecting users. In addition, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject, such as political scientists.\r\nIn the malicious emails, Kimsuky entices the target to open a link to download a password-protected document. Most recently, they made use of Microsoft OneDrive to host the malicious document for download. 
For example, as used against KRG, the lure email contained the OneDrive shared file link:\r\n1drv[.]ms/u/s!AvPucizxIXoqedcUKN647svN3QM?e=K6N1gT\r\nThe file downloaded is a password-protected .doc file named “Research Proposal-Haowen Song.doc” (SHA1: 86a025e282495584eabece67e4e2a43dca28e505), which contains a malicious macro (SHA1: c8f54cb73c240a1904030eb36bb2baa7db6aeb01).\r\n[Figure: Malicious document, themed to DPRK / China]\r\nReconShark: A New BabyShark Reconnaissance Variant\r\nThe lure documents Kimsuky distributes contain Microsoft Office macros that activate on document close. Based on overlaps in file naming conventions, malware staging techniques, and code format, we assess that the macros implement a newer variant of a reconnaissance capability of Kimsuky’s BabyShark malware seen targeting entities in the Korean peninsula towards the end of 2022. 
We refer to this BabyShark component as ReconShark.\r\nThe ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.\r\nInformation Exfiltration\r\nThe main responsibility of ReconShark is to exfiltrate information about the infected platform, such as running processes, information about the battery connected to the system, and deployed endpoint threat detection mechanisms.\r\nSimilar to previous BabyShark variants, ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information.\r\n[Figure: ReconShark queries process and battery information]\r\nReconShark checks for the presence of a broad set of processes associated with detection mechanisms, such as ntrtscan.exe (Trend Micro OfficeScan), mbam.exe (Malwarebytes Anti-Malware), NortonSecurity.exe (Norton Security), and avpui.exe (Kaspersky Internet Security).\r\n[Figure: Enumeration of deployed detection mechanisms]\r\nIn contrast to previous BabyShark variants, ReconShark exfiltrates information without first storing it on the filesystem – the malware stores the information it collects in string variables and then uploads them to the C2 server by issuing HTTP POST requests.\r\n[Figure: ReconShark exfiltrates information]\r\nPayload Deployment\r\nIn addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. 
ReconShark decides which payloads to deploy depending on which detection mechanism processes run on infected machines.\r\nSome ReconShark strings are encrypted using a relatively simple cipher to evade static detection mechanisms. These strings are typically commands or scripts for downloading and/or executing payloads.\r\n[Figure: A decrypted command]\r\nReconShark deploys and executes payloads in different ways. For example, the malware can directly download a payload from the C2 server using the curl utility, but can also use Windows Shortcuts (LNK files) or Office templates for that purpose.\r\nReconShark edits Windows Shortcuts (LNK files) to the msedge.exe (Microsoft Edge), chrome.exe (Google Chrome), outlook.exe (Office Outlook), whale.exe (Whale browser), and firefox.exe (Mozilla Firefox) applications. When executed, these LNK files start the linked legitimate applications and execute malicious code at the same time.\r\nFurther, ReconShark replaces the default %AppData%\\Microsoft\\Templates\\Normal.dotm Office template, which opens whenever a user starts Microsoft Word, with a malicious Office template hosted at the C2 server. This effectively compromises the execution of Microsoft Word.\r\n[Figure: ReconShark edits LNK files (top) and deploys a malicious Normal.dotm Office template (bottom)]\r\nThe payload staging ends with Windows Batch or VBS scripts that create the %AppData%\\1 file with a content of ss or sss. These files may represent markers of a successful ReconShark execution.\r\n[Figure: A third-stage ReconShark payload]\r\nInfrastructure Analysis\r\nAll observed infrastructure in this campaign is hosted on a shared hosting server from NameCheap, whom we’ve already notified of this malicious activity and recommended takedowns. 
Kimsuky operators continually made use of LiteSpeed Web Server (LSWS) for managing the malicious functionality.\r\n[Figure: Kimsuky LiteSpeed Web Server portal]\r\nPhishing emails have been observed sent from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for command and control. The domain yonsei[.]lol has been active since December 2022, with malicious activity occurring as recently as this week. rfa[.]ink has been actively used since early February 2023, and mitmail[.]tech since mid-January 2023. Kimsuky also made use of newshare[.]online as a C2 server for a short time at the end of 2022.\r\nAs shown in the ReconShark macro example, beacons are made to the /bio/ directory of rfa[.]ink. During our analysis of the activity, the attacker made multiple attempts at renaming that directory, including /bio433ertgd12/ then later /bio234567890rtyui/, and a day later returning back to /bio/. This may have been an attempt to hinder research efforts, or to pause the intake of new victims for unknown reasons.\r\nThe IOC table below highlights each of the URL paths Kimsuky manages across each C2 domain and their specific purpose according to the execution flow in the macro. These patterns match across domains, while the directory they are placed in often varies. Some paths on the C2 domains are configured to redirect visitors to the legitimate Microsoft website.\r\nAs with most malicious infrastructure linked to North Korean actors, we can quickly find links back to previous reporting or separate campaigns. 
For example, links can be found to the domains mainchksrh[.]com and com-change[.]info, with indications com-change was used in 2020-2022 credential phishing campaigns at these subdomains:\r\naaaaawwqwdqkidoemsk.lives.com-change[.]info\r\naccounts.live.com-change[.]info\r\naccounts.lives.com-change[.]info\r\ncashsentinel.com-change[.]info\r\ncashsentinel.hotmail.com-change[.]info\r\ncashsentinel.hotrnail.com-change[.]info\r\ncashsentinel.live.com-change[.]info\r\ncashsentinel.lives.com-change[.]info\r\ncashsentinel.microsoft.com-change[.]info\r\ncashsentinel.naver.com-change[.]info\r\ncashsentinel.navers.com-change[.]info\r\ncashsentinel.navor.com-change[.]info\r\ncashsentinel.outlock.com-change[.]info\r\ncashsentinel.outlook.com-change[.]info\r\ncloud.navor.com-change[.]info\r\ndownmail.navor.com-change[.]info\r\ngmail.com-change[.]info\r\ngrnail.com-change[.]info\r\nhotmail.com-change[.]info\r\nhotrnail.com-change[.]info\r\nlive.com-change[.]info\r\nlives.com-change[.]info\r\nloges.lives.com-change[.]info\r\nloginsaa.gmail.com-change[.]info\r\nloginsaa.grnail.com-change[.]info\r\nlogmes.lives.com-change[.]info\r\nlogrns.lives.com-change[.]info\r\nlogws.lives.com-change[.]info\r\nmicrosoft.com-change[.]info\r\nmicrosoft.loginsaa.gmail.com-change[.]info\r\nmicrosoft.loginsaa.grnail.com-change[.]info\r\nnaver.com-change[.]info\r\nnaver.loginsaa.gmail.com-change[.]info\r\nnavers.com-change[.]info\r\nnavor.com-change[.]info\r\nnlds.navor.com-change[.]info\r\noutlock.com-change[.]info\r\noutlook.com-change[.]info\r\npaypal.com-change[.]info\r\npubliccloud.navor.com-change[.]info\r\nskjflkjsjflejlkjieiieieiei.lives.com-change[.]info\r\nConclusion\r\nThe ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. 
Organizations and individuals need to be aware of the TTPs used by North Korean state-sponsored APTs and take the necessary precautions to protect themselves against such attacks. The link between recent activity and a wider set of previously unknown activity attributed to North Korea underscores the need for continued vigilance and collaboration.\r\nIndicators of Compromise\r\nIndicator | Description\r\nyonsei[.]lol | Phishing email sender domain.\r\nhttps[:]//rfa[.]ink/bio/r.php, https[:]//mitmail[.]tech/gorgon/r.php | C2 server endpoint.\r\nhttps[:]//rfa[.]ink/bio/t1.hta, https[:]//mitmail[.]tech/gorgon/t1.hta | ReconShark payload: HTA script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=reg.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=reg.gif | ReconShark payload: VBS script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=secur32.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=secur32.gif, https[:]//newshare[.]online/lee/ca.php?na=secur32.gif | ReconShark payload: DLL file.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=dot_eset.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_eset.gif | ReconShark payload: Office template.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=video.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=video.gif | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=start2.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=start2.gif | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=start4.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=start4.gif | ReconShark payload: VBS script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=start3.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=start3.gif | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=videop.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=videop.gif | ReconShark payload: Windows 
Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=start1.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=start1.gif | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=vbs_esen.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs_esen.gif | ReconShark payload: VBS script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=start0.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=start0.gif | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/d.php?na=vbtmp | ReconShark payload: VBS script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=vbs.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs.gif | ReconShark payload: VBS script.\r\nhttps[:]//rfa[.]ink/bio/d.php?na=battmp | ReconShark payload: Windows Batch script.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=dot_v3.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_v3.gif | ReconShark payload: Office template.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=dot_esen.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_esen.gif | ReconShark payload: Office template.\r\nhttp[:]//rfa[.]ink/bio/ca.php?na=dot_avg.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_avg.gif | ReconShark payload: Office template.\r\nhttps[:]//rfa[.]ink/bio/ca.php?na=dot_kasp.gif, https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_kasp.gif | ReconShark payload: Office template.\r\n86a025e282495584eabece67e4e2a43dca28e505 | Lure doc example – SHA1\r\nc8f54cb73c240a1904030eb36bb2baa7db6aeb01 | Macro – SHA1\r\nSource: https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/"
	],
	"report_names": [
		"kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2ca2a64788473881893fb6dcedc72df4a567794.pdf",
		"text": "https://archive.orkl.eu/c2ca2a64788473881893fb6dcedc72df4a567794.txt",
		"img": "https://archive.orkl.eu/c2ca2a64788473881893fb6dcedc72df4a567794.jpg"
	}
}