Kimsuky's Phishing and Payload Tactics
2024-07-16 • Rapid7 •
Attachments
Rapid7 details Kimsuky phishing operations tied to North Korea’s Reconnaissance General Bureau, with targeting against government, research, academic, and think-tank organizations aligned with DPRK strategic interests. The group builds trust through multi-message email threads, persona work, and routine correspondence before delivering credential phish or container-based payloads such as password-protected archives, LNK files, and CHM files. Rapid7 also notes DMARC spoofing, payload hosting on public storage or Kimsuky infrastructure, and a Korean-language “Mail Sending Program” phishing tool that supports scalable campaign operations.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://medium-com.translate.go… | 2024-07-16 | 2024-07-16 |
| DOMAIN | medium-com.translate.goog | 2024-07-16 | 2024-07-16 |
Related Actors
Related Reports
2024-07-19 •
66% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Kimsuky, T1547.001, T1053.005 • Published within a week
2024-09-12 •
63% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: Kimsuky, T1547.001, T1053.005
2024-08-05 •
53% Match
#Andariel #Kimsuky #TrollAgent #DoraRAT #T1119 #T1005 #T1041 #T1113 #T1071.001 #T1083 #T1036 #T1204.002 #T1195 #T1027.002 #T1189 #T1573.002 #T1074.001 #T1217
Shares tags: Kimsuky, T1074.001 • Published within a month
Shares tags: Kimsuky, T1547.001 • Same author: Rapid7
2026-05-14 •
46% Match
#Kimsuky #Phishing #AppleSeed #PebbleDash #BlackBanshee #VelvetChollima #GitHub #ADS #APT43 #RubySleet #Springtail #HappyDoor #JSE #SparklingPisces #HttpTroy #VSCode #T1059.003 #T1005 #T1041 #T1113 #T1071.001 #T1056.001 #T1027 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1105 #T1219 #T1543.003
Shares tags: Kimsuky, T1547.001, T1053.005
Shares tag: Kimsuky • Published within a month