{ "id": "c5434f60-440f-4725-8705-d37524328f75", "created_at": "2026-04-06T00:22:15.473257Z", "updated_at": "2026-04-10T03:37:40.851792Z", "deleted_at": null, "sha1_hash": "df42109c6edfd59fdad801858b48e8be8cc7622b", "title": "North Korean state hackers target retired diplomats and military officials", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 648113, "plain_text": "North Korean state hackers target retired diplomats and military\r\nofficials\r\nBy Written by Catalin Cimpanu, ContributorContributor Aug. 28, 2019 at 5:53 a.m. PT\r\nArchived: 2026-04-05 15:46:14 UTC\r\nSee als\r\nIn what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting\r\nretired South Korean diplomats, government, and military officials.\r\nTargets of this recent campaign include former ambassadors, military generals, and retired members of South\r\nKorea's Foreign Ministry and Unification Ministry.\r\nThe attacks occurred between mid-July and mid-August, and targeted officials' Gmail and Naver email accounts,\r\nSimon Choi, Founder of IssueMakersLab, told ZDNet in an interview this week.\r\nAt the technical level, the attacks were basic spear-phishing attempts. North Korean hackers sent emails which\r\nredirected victims to fake login pages, where attackers would log victims' account credentials.\r\nRetired officials are an easier target\r\n\"Retired people are engaged in government advisory activities, and they maintain ties with incumbent government\r\nofficials,\" Choi told ZDNet.\r\nThe South Korean cyber-security expert suspects hackers are then using access to these accounts to gather\r\ninformation from retired officials or launch attacks against incumbents.\r\nhttps://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/\r\nPage 1 of 2\n\nChoi said targeting retired officials is a smart decision, as they tend to be more vulnerable then officials still in\r\noffice, who benefit from improved cyber-security protections and security alerts about ongoing attacks.\r\nThe IssueMakersLab founder couldn't tell if the hackers were successful in compromising any email accounts, but\r\nChoi was able to track down their origin.\r\nAccording to the security researcher, the attacks have been carried out by Kimsuky, a well-known political cyber-espionage group linked to North Korea.\r\nThe group, also known as Kimsuki or Velvet Chollima, has been in operation since 2011 and was first detailed in a\r\nKaspersky report back in 2013.\r\nAccording to a threat group encyclopedia compiled by Thailand's CERT team, the group's historical and primary\r\ntargets have consisted of various South Korean government, nuclear power plants, and military operations.\r\nIn the past two years, the group also expanded some of its operations to include foreign targets, such as academic\r\ninstitutions (by utilizing a Chrome extension), foreign affair ministries, and US think tanks.\r\nThe world's most famous and dangerous APT (state-developed) malware\r\nSecurity\r\nEditorial standards\r\nSource: https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/\r\nhttps://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/" ], "report_names": [ "north-korean-state-hackers-target-retired-diplomats-and-military-officials" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434935, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/df42109c6edfd59fdad801858b48e8be8cc7622b.pdf", "text": "https://archive.orkl.eu/df42109c6edfd59fdad801858b48e8be8cc7622b.txt", "img": "https://archive.orkl.eu/df42109c6edfd59fdad801858b48e8be8cc7622b.jpg" } }