Kimsuky : She is Back with Fairy Tale
2018-02-27 • Kaspersky
https://github.com/theseongsu/presentation/blob/main/Etnews2018_Kimsuky.pdf
Attachments
Etnews2018_Kimsuky.pdf (6 MB)
Kaspersky's 2018 Kimsuky presentation covers the group's return in the 2016 to 2017 Fairy Tale activity, which targeted South Korean companies, government organizations, and individuals. The deck describes a malware cluster centered on GoldDragon, which collects system information, uploads the results, downloads and extracts further payloads, and monitors opened HWP files in order to decrypt embedded content. Follow-on components include BravePrince, BeautyandtheBeast for command execution, a custom TeamViewer installer, a routine that creates a rogue administrator account, and a RAT loader. The attribution section ties the activity to earlier Kimsuky reporting through Korean locale artifacts, Korean-language debug messages, the TeamViewer lineage, exfiltration patterns, and shared implementation traits.