North Korean APT Kimsuky aka Black Banshee – Active IOCs
2025-04-18 • Rewterz
https://rewterz.com/threat-advisory/north-korean-apt-kimsuky-aka-black-banshee-active-iocs-45
Rewterz profiles Kimsuky, also tracked as Black Banshee, as a North Korean espionage group that relies on phishing, malware infections, supply-chain compromise, lateral movement, and data exfiltration against targets in South Korea, Japan, the United States, and other regions. The source ties earlier mobile operations to the FastFire, FastViewer, and FastSpy Android malware families, which used Firebase as command-and-control infrastructure and targeted South Korean users. It also notes ReconShark, an evolution of BabyShark, as reconnaissance malware used in a global cyberespionage campaign. The advisory provides active hash and network indicators, including the holosformations.fr URL and the 103.149.98.247 address, for defensive blocking and hunting.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 89a725b08ab0e8885fc03b543638be96 | 2025-04-18 | 2025-07-01 |
| IPv4 | 103.149.98.247 | 2025-04-18 | 2025-07-01 |
| HASH | a9b1c04438930c0c7cff3fe8e8520317 | 2025-04-18 | 2025-05-19 |
| HASH | 20443f517f22b292d63e7e06d9713b7… | 2025-04-18 | 2025-05-06 |
| HASH | 42f306b905ece8875bdf16d276b8e4c… | 2025-04-18 | 2025-05-06 |
| HASH | 6f5259f7087cc501d776f28bede938e… | 2025-04-18 | 2025-04-18 |
| HASH | 869705fd4dd777d4ab5c662806b42fe… | 2025-04-18 | 2025-04-18 |
| HASH | 3be92f172c64d4c827b524da81038ef… | 2025-04-18 | 2025-04-18 |
| HASH | 7bed4de469d5f23f35f835d6bf1b767… | 2025-04-18 | 2025-04-18 |
| HASH | 6013a54ceee15912385ef8c41405a819 | 2025-04-18 | 2025-04-18 |
| URL | https://www.holosformations.fr/… | 2025-04-18 | 2025-04-18 |
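An added hunting helper, not part of the Rewterz advisory, that parses rows copied from the table above and checks them against constructed sample proxy lines and file MD5s. Because the page truncates several hashes and the URL, those rows can only be prefix-matched, so the helper reports them as leads rather than confirmed hits; the sample telemetry and the one full-length digest built past the truncation point are assumptions.

```python
import re
# Rows copied from the advisory table above. A trailing "…" means the page
# truncates the value, so it can only ever be matched as a prefix.
IOC_TABLE = """
| HASH | 89a725b08ab0e8885fc03b543638be96 | 2025-04-18 | 2025-07-01 |
| IPv4 | 103.149.98.247 | 2025-04-18 | 2025-07-01 |
| HASH | 20443f517f22b292d63e7e06d9713b7… | 2025-04-18 | 2025-05-06 |
| URL | https://www.holosformations.fr/… | 2025-04-18 | 2025-04-18 |
"""
# Constructed sample telemetry, not from the advisory. The second MD5 is
# invented past the page's truncation point to exercise the prefix-match path.
SAMPLE_LOGS = [
    "2025-04-20T10:02:11Z proxy src=10.0.0.15 dst=103.149.98.247 url=http://103.149.98.247/",
    "2025-04-20T10:05:42Z proxy src=10.0.0.22 dst=198.51.100.7 url=https://example.org/",
    "2025-04-21T08:13:05Z proxy src=10.0.0.15 dst=203.0.113.9 url=https://www.holosformations.fr/",
]
SAMPLE_HASHES = {"/tmp/downloaded.bin": "89a725b08ab0e8885fc03b543638be96",
                 "/tmp/second.bin": "20443f517f22b292d63e7e06d9713b7f"}
PATTERNS = {"IPv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
            "URL": re.compile(r"https?://\S+")}

def parse_iocs(table=IOC_TABLE):
    """Turn markdown IOC rows into dicts, recording whether the value is truncated."""
    iocs = []
    for row in table.strip().splitlines():
        cells = [c.strip() for c in row.strip("|").split("|")]
        if len(cells) == 4 and cells[0] in ("HASH", "IPv4", "URL"):
            kind, value, first, last = cells
            iocs.append({"type": kind, "value": value.rstrip("…").lower(),
                         "truncated": value.endswith("…"), "window": (first, last)})
    return iocs

def matches(ioc, observed):
    """Exact match for complete indicators; prefix match for truncated ones."""
    obs = observed.lower()
    return obs.startswith(ioc["value"]) if ioc["truncated"] else obs == ioc["value"]

def hunt(iocs, log_lines=SAMPLE_LOGS, file_hashes=SAMPLE_HASHES):
    """Return (type, indicator, evidence, confidence) tuples; prefix hits are 'lead'."""
    observed = [("HASH", d, p) for p, d in file_hashes.items()]
    for line in log_lines:
        for kind, rx in PATTERNS.items():
            observed += [(kind, v, line) for v in set(rx.findall(line))]
    hits = []
    for kind, value, evidence in observed:
        for ioc in iocs:
            if ioc["type"] == kind and matches(ioc, value):
                hits.append((kind, ioc["value"], evidence,
                             "lead" if ioc["truncated"] else "confirmed"))
    return hits
```

A "lead" hit should be confirmed against the full indicator value from the original advisory before any blocking or response action is taken on it.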