{
	"id": "ac2d1c00-7c3e-4cfe-bf30-b675c448c3ae",
	"created_at": "2026-04-06T00:08:41.68714Z",
	"updated_at": "2026-04-10T03:37:40.683301Z",
	"deleted_at": null,
	"sha1_hash": "eaa275adc32aa1dd605ae180a54eccc6aedaa420",
	"title": "[Kimsuky] Operation Covert Stalker - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 960925,
	"plain_text": "[Kimsuky] Operation Covert Stalker - ASEC\r\nBy ATCP\r\nPublished: 2023-10-31 · Archived: 2026-04-05 16:25:03 UTC\r\nOn May 3rd, 2022, AhnLab posted an analysis on the ASEC blog under the title “Distribution of Malicious\r\nWord File Related to North Korea’s April 25th Military Parade”.\r\n[+] Analysis of Malware Disguised with Military Parade Content: https://asec.ahnlab.com/en/33936/\r\nThis report is based on 17 months of tracking and analysis of the Kimsuky group’s hacking activities (C2\r\noperations, management, sending hacking emails, distributing malware, etc.) that share similar patterns with the\r\nmajor characteristics (C2, web shells, etc.) explained in the analysis above. The Kimsuky group’s hacking\r\nactivities included sending phishing emails and hacking emails with malware attachments to certain individuals or\r\norganizations involved in the field of North Korea, politics, diplomacy, and security with the purpose of stealing\r\nemail accounts and important materials. The group carried out covert and persistent hacking to achieve its\r\npurpose, which is why we named this operation “Operation Covert Stalker”. The report also explains why we\r\nbelieve the Kimsuky group is behind the hacking activities.\r\n[+] Report Summary \r\n– Phishing emails disguised with legitimate URLs or hacking emails with malware attachments have been sent\r\nto certain individuals or organizations involved in the field of North Korea, politics, diplomacy, and\r\nsecurity.\r\nhttps://asec.ahnlab.com/en/58654/\r\nPage 1 of 2\n\n– The RDP vulnerability (CVE-2019-0708) was exploited in Windows systems, and unidentified\r\nvulnerabilities were exploited in vulnerable websites for hacking.\r\n– An account for accessing RDP has been created to gain persistence in connection and installed additional\r\nremote control programs such as RDP Wrapper, Quasar RAT, Ammy RAT, AnyDesk, and TeamViewer.\r\n– Various malicious behaviors have been carried out, such as searching for targets for hacking, sending hacking\r\nemails, scanning for the RDP vulnerability (CVE-2019-0708), and testing malware.\r\n– Targets have been infected with the BlackBit ransomware and victims have been led to pay the ransom for\r\nrecovery.\r\n– C2 have been configured, managed, and operated via web shells (Green Dinosaur, WebadminPHP, and other\r\nunknown web shells).\r\n– Some malware included North Korean expressions such as “련동” (“ryeondong”, integration), “봉사기”\r\n(“bongsagi”, server), and “대명부” (“daemyeonbu”, interface).\r\n[+] Download Report: 20231101_Kimsuky_OP. Covert Stalker (This report supports Korean only for now.)\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/58654/\r\nhttps://asec.ahnlab.com/en/58654/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/58654/"
	],
	"report_names": [
		"58654"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eaa275adc32aa1dd605ae180a54eccc6aedaa420.pdf",
		"text": "https://archive.orkl.eu/eaa275adc32aa1dd605ae180a54eccc6aedaa420.txt",
		"img": "https://archive.orkl.eu/eaa275adc32aa1dd605ae180a54eccc6aedaa420.jpg"
	}
}