{
	"id": "ff6ded5e-c793-4d93-a3a3-465aafefcfbc",
	"created_at": "2026-04-06T00:14:37.943172Z",
	"updated_at": "2026-04-10T03:37:41.134592Z",
	"deleted_at": null,
	"sha1_hash": "caaade8e958f475a8c96eb0435e58fd1d62af489",
	"title": "North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1275691,
	"plain_text": "North Korean Kimsuky Hackers Use Russian Email Addresses for\r\nCredential Theft Attacks\r\nBy The Hacker News\r\nPublished: 2024-12-03 · Archived: 2026-04-05 15:59:04 UTC\r\nThe North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that\r\ninvolve sending email messages that originate from Russian sender addresses to ultimately conduct credential\r\ntheft.\r\n\"Phishing emails were sent mainly through email services in Japan and Korea until early September,\" South\r\nKorean cybersecurity company Genians said. \"Then, from mid-September, some phishing emails disguised as if\r\nthey were sent from Russia were observed.\"\r\nThis entails the abuse of VK's Mail.ru email service, which supports five different alias domains, including\r\nmail.ru, internet.ru, bk.ru, inbox.ru, and list.ru.\r\nGenians said it has observed the Kimsuky actors leveraging all the aforementioned sender domains for phishing\r\ncampaigns that masquerade as financial institutions and internet portals like Naver.\r\nhttps://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html\r\nPage 1 of 3\n\nOther phishing attacks have entailed sending messages that mimic Naver's MYBOX cloud storage service and aim\r\nto trick users into clicking on links by inducing a false sense of urgency that malicious files had been detected in\r\ntheir accounts and that they need to delete them.\r\nVariants of MYBOX-themed phishing emails have been recorded since late April 2024, with the early waves\r\nemploying Japanese, South Korean, and U.S. domains for sender addresses.\r\nWhile these messages were ostensibly sent from domains such as \"mmbox[.]ru\" and \"ncloud[.]ru,\" further analysis\r\nhas revealed that the threat actor leveraged a compromised email server belonging to Evangelia University\r\n(evangelia[.]edu) to send the messages using a PHP-based mailer service called Star.\r\nIt's worth noting that Kimsuky's use of legitimate email tools like PHPMailer and Star was previously documented\r\nby enterprise security firm Proofpoint in November 2021.\r\nThe end goal of these attacks, per Genians, is to carry out credential theft, which could then be used to hijack\r\nvictim accounts and use them to launch follow-on attacks against other employees or acquaintances.\r\nOver the years, Kimsuky has proven to be adept at conducting email-oriented social engineering campaigns,\r\nemploying techniques to spoof email senders to appear as if they are from trusted parties, thus evading security\r\nchecks.\r\nEarlier this year, the U.S. government called out the cyber actor for exploiting \"improperly configured DNS\r\nDomain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social\r\nengineering attempts.\"\r\nSource: https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html"
	],
	"report_names": [
		"north-korean-kimsuky-hackers-use.html"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caaade8e958f475a8c96eb0435e58fd1d62af489.pdf",
		"text": "https://archive.orkl.eu/caaade8e958f475a8c96eb0435e58fd1d62af489.txt",
		"img": "https://archive.orkl.eu/caaade8e958f475a8c96eb0435e58fd1d62af489.jpg"
	}
}