{
	"id": "80314528-e5db-4c00-a86b-b5ea54396fa9",
	"created_at": "2026-04-06T00:10:03.400753Z",
	"updated_at": "2026-04-10T03:37:40.90477Z",
	"deleted_at": null,
	"sha1_hash": "e5e33736f1937d64cb7f137c0bf19c01456836e3",
	"title": "How North Korean APT Kimsuky Is Evolving Its Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76984,
	"plain_text": "How North Korean APT Kimsuky Is Evolving Its Tactics\r\nBy Kelly Sheridan\r\nPublished: 2021-05-07 · Archived: 2026-04-05 19:46:20 UTC\r\nSara Peters contributed to this reporting.\r\nNorth Korean APT group Kimsuky is adopting new tactics, techniques, and procedures in global attacks, report researchers whose findings indicate the group's operations have sufficient differences to warrant splitting it into two smaller subgroups: CloudDragon and KimDragon.\r\nKimsuky is not a new group but has adopted new methods to support its mission of collecting intelligence. A US government alert issued in October 2020 reported the group had been operating since 2012 and often employs social engineering, spear-phishing, and watering hole attacks to collect information from targets primarily located in South Korea, Japan, and the US.\r\nA team of researchers observing North Korean APT groups have collected evidence suggesting there are several significant distinctions in the way different facets of Kimsuky operate. Today at the virtual Black Hat Asia event, Jhih-Lin Kuo and Zih-Cing Liao, both senior threat intelligence researchers at TeamT5, divided the group into two smaller groups based on their targets, malware, and infrastructure, and shared details on how the groups' operations have evolved.\r\nThe Kimsuky group that Kaspersky disclosed in 2013 has been dubbed KimDragon by the team; the more publicly known Kimsuky seen in news headlines and vendor reports is CloudDragon.\r\n\"There are still some things they share together, but there are differences as well,\" said Kuo in today's briefing.\r\nBoth focus on South Korea as their primary target, in addition to the US. Both attack government agencies and educational targets such as universities and research centers.\r\n\"However, when we look back to [the] malware, they're using totally different tools,\" she continued. CloudDragon relies on malware including TroiBomb, RoastMe, JamBog (AppleSeed), BabyShark, and DongMulRAT (WildCommand). KimDragon uses malware variants: Lovexxx (GoldDragon variant), JinhoSpy (NavRAT variant), BoboStealer (FlowerPower), and MireScript.\r\nTheir targets also varied. CloudDragon had a broader geographical footprint, branching out to attack Japan and several European Union countries, while KimDragon had only expanded to India. CloudDragon also had a broader scope of industry targets, which included financial institutions, energy companies, high-tech businesses, and aerospace and defense industries.\r\n\"Although all the North Korean APTs are attacking South Korea, they still have differences in other countries they're also interested in, and also the target industry can be slightly different as well,\" Kuo said in an interview with Dark Reading.\r\nhttps://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956\r\nPage 1 of 3\r\nKuo and Liao primarily focused their talk on CloudDragon, which they have observed adopting supply chain attacks, cross-platform attacks, and new modifications to its phishing campaigns.\r\n\"A supply chain attack is not easy work and can always make a big impact,\" said Liao of how this underscores the group's evolution.\r\nNew Attack Techniques\r\nBetween August and October 2020, CloudDragon launched a supply chain attack against a firm in the Korean cryptocurrency industry. Attackers went after a hardware wallet surface, which typically specializes in security but needs software to assist with blockchain on the Internet. Attackers created a malicious version of its management software and deployed it to the official website.\r\nThis attack targeted Windows users, though Liao noted CloudDragon also targets mobile devices. The group deployed a malicious app to Google Play; if a victim launches the app and has auto-update enabled, the malware will be downloaded without notice and upload the user's data to a command-and-control server belonging to the attackers. Researchers believe the group will strengthen its infrastructure using virtual currency obtained in the attack.\r\n\"Smartphones have become a new target of APT groups, and CloudDragon is no exception,\" said Kuo, noting how the attackers are expanding more of their attacks from desktop to mobile. Some of the malware researchers saw on Android devices had the ability to upload files, execute shell commands, send SMS messages, and update itself, she noted. In the future, the researchers predict attackers will continue to add more powerful functions, such as the ability to take screenshots, conduct video and audio recording, and track a victim's GPS location.\r\nTo illustrate this, she pointed to a screenshot of code from a plugin observed in the JamBog malware that indicates attackers are pursuing the ability to record audio of target devices. This, combined with the transition to mobile malware, indicates their targets could be accompanied by the attackers 24/7.\r\nThe researchers also observed CloudDragon adopting an interesting, new phishing technique in which attackers automatically fill in phishing websites with content from the legitimate website they are trying to mimic. When a victim opens a malicious link, the phishing site simultaneously sends a request to the real website, fetches the content, modifies it so it's malicious, and shows the result on the phishing site.\r\n\"The user cannot distinguish whether they are using the wrong website,\" said Kuo. This \"ProxyMirror\" attack enables attackers to auto-update content on their malicious website, reducing the amount of effort they have to spend on developing it.\r\nAbout the Author\r\nFormer Senior Editor, Dark Reading\r\nKelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance \u0026 Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.\r\nSource: https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956"
	],
	"report_names": [
		"1340956"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434203,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5e33736f1937d64cb7f137c0bf19c01456836e3.pdf",
		"text": "https://archive.orkl.eu/e5e33736f1937d64cb7f137c0bf19c01456836e3.txt",
		"img": "https://archive.orkl.eu/e5e33736f1937d64cb7f137c0bf19c01456836e3.jpg"
	}
}