ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Kimsuky, Velvet Chollima

Names:
Kimsuky (Kaspersky)
Velvet Chollima (CrowdStrike)
Thallium (Microsoft)
Black Banshee (PWC)
SharpTongue (Volexity)
TA406 (Proofpoint)
TA427 (Proofpoint)
APT 43 (Mandiant)
Emerald Sleet (Microsoft)
KTA082 (Kroll)
UAT-5394 (Talos)
Sparkling Pisces (Palo Alto)
Springtail (Symantec)

Country: North Korea

Motivation: Information theft and espionage

First seen: 2012
Description: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
Observed:
Sectors: Defense, Education, Energy, Government, Healthcare, Manufacturing, Think Tanks and Ministry of Unification, Sejong Institute and Korea Institute for Defense Analyses.
Countries: Japan, South Korea, Thailand, USA, Vietnam and Europe.
Tools used: AppleSeed, BabyShark, BITTERSWEET, CSPY Downloader, FlowerPower, Gh0st RAT, Gold Dragon, Grease, KGH_SPY, KimJongRAT, Kimsuky, KPortScan, MailPassView, Mechanical, Mimikatz, MoonPeak, MyDogs, Network Password Recovery, ProcDump, PsExec, ReconShark, Remote Desktop PassView, SHARPEXT, SmallTiger, SniffPass, SWEETDROP, TODDLERSHARK, TRANSLATEXT, Troll Stealer, VENOMBITE, WebBrowserPassView, xRAT, Living off the Land.
Operations performed:
2013: For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks.
2014: The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter.
Mar 2018: Operation “Baby Coin”
May 2018: Operation “Stolen Pencil”
ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018.
Oct 2018: Operation “Mystery Baby”
Nov 2018: The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues.
Jan 2019: Operation “Kabar Cobra”
On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps.
Apr 2019: Operation “Stealth Power”
Apr 2019: Operation “Smoke Screen”
Jul 2019: Operation “Red Salt”
Jul 2019: In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials.
Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry.
Feb 2020: We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” in February 28th 2020.
Feb 2020: North Korea has tried to hack 11 officials of the UN Security Council
Mar 2020: According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic.
The documents -- believed to have been sent to South Korean officials -- were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky.
Dec 2020: We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application.
Dec 2020: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
2021: Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
May 2021: South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology.
May 2021: North Korean hackers breached major hospital in Seoul to steal data
Jun 2021: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
Sep 2021: SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
Jan 2022: On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.
Early 2022: Kimsuky’s GoldDragon cluster and its C2 operations
Apr 2022: Operation “Covert Stalker”
Oct 2022: Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
2023: Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
2023: From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
Feb 2023: Malware Disguised as Normal Documents
Mar 2023: CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
Mar 2023: North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign
Mar 2023: OneNote Malware Disguised as Compensation Form (Kimsuky)
Apr 2023: DPRK hacking groups breach South Korean defense contractors
May 2023: Kimsuky Distributing CHM Malware Under Various Subjects
May 2023: Kimsuky Group Using Meterpreter to Attack Web Servers
May 2023: Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel
May 2023: Ongoing Campaign Using Tailored Reconnaissance Toolkit
May 2023: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
Jun 2023: Malware Disguised as HWP Document File (Kimsuky)
Jul 2023: Kimsuky Threat Group Using Chrome Remote Desktop
Jul 2023: Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)
Aug 2023: North Korean hackers target U.S.-South Korea military drills, police say
Oct 2023: Kimsuky Threat Group Uses RDP to Control Infected Systems
Nov 2023: Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
Nov 2023: SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
Dec 2023: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
2024: Operation “DEEP#GOSU”
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
Jan 2024: Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer
Jan 2024: TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
Jan 2024: North Korean hackers exploit VPN update flaw to install malware
Mar 2024: TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
Mar 2024: Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
Mar 2024: Kimsuky deploys TRANSLATEXT to target South Korean academia
Mar 2024: Attack Activities by Kimsuky Targeting Japanese Organizations
May 2024: North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign
May 2024: Springtail: New Linux Backdoor Added to Toolkit
Jun 2024: Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
Jun 2024: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Jul 2024: APT Group Kimsuky Targets University Researchers
Sep 2024: North Korea Hackers Linked to Breach of German Missile Manufacturer
Sep 2024: North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
Sep 2024: How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it
Counter operations:
Dec 2019: Microsoft takes court action against fourth nation-state cybercrime group
Nov 2023: Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group

Last change to this card: 28 December 2024


Digital Service Security Center