NICKEL KIMBALL
2022-05-10 • Secure Works
Sophos profiles NICKEL KIMBALL as a North Korea-linked espionage group active since at least 2012 and tracked under aliases including Kimsuky, APT43, Emerald Sleet, THALLIUM, TA406, TA427, SharpTongue, and Velvet Chollima. The group targets NGOs, think tanks, diplomatic agencies, military organizations, economic groups, and research entities involved in North Korea policy and relations, and it seeks access to online accounts and networks to track defectors and their relatives. Its operations rely on extensive spear-phishing, typosquatting, target-themed domains, and customized social engineering informed by publicly available personal information. The profile notes delivery via malicious HWP documents for South Korean targets and, later, Microsoft Word and PDF lures for international targets, with malware families including Kimsuky RAT, KimJongRAT, KONNI, and BabyShark.