{ "id": "fd6a6216-577a-4e14-909b-0b87b9eabe58", "created_at": "2026-04-06T00:14:11.738046Z", "updated_at": "2026-04-10T03:37:40.899006Z", "deleted_at": null, "sha1_hash": "d3167a12f9d41bc8c43c8037c9d368de2302f72e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51650, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:11:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KGH_SPY\n Tool: KGH_SPY\nNames\nKGH_SPY\nKGH Spyware Suite\nCategory Malware\nType Backdoor, Info stealer, Keylogger\nDescription\n(Cybereason) During our analysis, Cybereason Nocturnus discovered a new malware\nsuite dubbed “KGH” which contains several modules used as spyware. The name\n“KGH” is derived from the PDB path and internal names found in the malware samples.\nA possible link to North Korean attacks referencing the name “KGH” was mentioned in\n2017 in a research by Ahnlab, however it is unclear whether it is related to the same\nmalware authors.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool KGH_SPY\nChanged Name Country Observed\nAPT groups\n Kimsuky, Velvet Chollima 2012-Aug 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1603714e-0992-4188-bbc9-5a506daf83e7\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1603714e-0992-4188-bbc9-5a506daf83e7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1603714e-0992-4188-bbc9-5a506daf83e7\r\nPage 2 of 2\n\nAPT groups Kimsuky, Velvet Chollima 2012-Aug 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1603714e-0992-4188-bbc9-5a506daf83e7" ], "report_names": [ "listgroups.cgi?u=1603714e-0992-4188-bbc9-5a506daf83e7" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434451, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d3167a12f9d41bc8c43c8037c9d368de2302f72e.pdf", "text": "https://archive.orkl.eu/d3167a12f9d41bc8c43c8037c9d368de2302f72e.txt", "img": "https://archive.orkl.eu/d3167a12f9d41bc8c43c8037c9d368de2302f72e.jpg" } }