Kimsuky Group: Track the King of the Spear-Phishing
2019-10-04 • FSI
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
Attachments
VB2019-Kim.pdf (26 MB)
The Financial Security Institute presentation tracks Kimsuky as a North Korea-linked spear-phishing actor active since at least 2013 and still operating in 2019, targeting infrastructure, government, North Korean defectors, politicians, and diplomatic and human-rights organizations for intelligence collection and social disruption. It catalogs the group's server-side phishing toolchain (mailer components, beacons, phishing pages and loggers) alongside the malicious HWP and camouflaged documents, scripts, downloaders and info-stealers used to deliver payloads and harvest account or host information. Case studies show defenders using the actor's OPSEC failures, including exposed directory listings, leaked FTP credentials and file-download vulnerabilities, to discover malware, mailer infrastructure and C2 relationships such as suppcrt-seourity[.]esy.es, member-authorize[.]com, ddlovke[.]kr and military[.]co.kr. The slides emphasize proactive tracking and cooperation with relevant agencies, because monitoring attacker infrastructure exposed new malware, server-side toolkits and links between compromised Korean sites and hosting services.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | member-authorize.com | 2019-10-04 | 2020-11-12 |
| IPv4 | 185.224.138.29 | 2019-03-04 | 2020-11-12 |
| HASH | 53ac231e8091abcd0978124f9268b4e4 | 2019-10-04 | 2019-10-04 |
| HASH | 8b59ea1ee28e0123da82801abc0cce4d | 2019-10-04 | 2019-10-04 |
| DOMAIN | ddlove.kr | 2019-10-04 | 2019-10-04 |
| DOMAIN | ddlovke.kr | 2019-10-04 | 2019-10-04 |
| DOMAIN | military.co.kr | 2019-10-04 | 2019-10-04 |
| IPv4 | 211.202.2.51 | 2019-10-04 | 2019-10-04 |
| HASH | f22db1e3ea74af791e34ad5aa0297664 | 2019-03-04 | 2019-10-04 |
| HASH | 4de21c3af64b3b605446278de92dfff4 | 2019-03-04 | 2019-10-04 |
| DOMAIN | gyjmc.com | 2019-01-30 | 2019-10-04 |