North Korea’s Kimsuky APT: Social Engineering, Stealth Malware & Living-off-the-Land Attacks
2025-07-29 • Aryaka •
https://www.aryaka.com/blog/kimsuky-apt-stealth-malware-social-engineering/
Aryaka Threat Research Labs attributes the activity to Kimsuky (also tracked as APT43, Thallium, and Velvet Chollima) and frames it as North Korean cyber-espionage in support of geopolitical, military, and economic intelligence collection. The campaign targets South Korean government agencies, defense contractors, and policy think tanks with tailored social engineering and malicious LNK shortcut files that pose as documents, using decoys modeled on public South Korean government material. The infection chain runs obfuscated scripts through trusted system utilities (living-off-the-land execution), then profiles the host, steals credentials and documents, logs keystrokes, captures the clipboard, and exfiltrates the take in small segments blended into ordinary web traffic. The report matters because it shows Kimsuky combining deception, stealthy malware, and legitimate tooling to leave defenders fewer detection opportunities in distributed enterprise environments.
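The LNK lure is the one artifact in this chain a defender can inspect statically before anything executes. The following is an added example, not code from the Aryaka report or the campaign: a minimal parser for the Shell Link format (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) plus heuristics for a shortcut that launches a living-off-the-land binary while borrowing a document viewer's icon, pads its arguments with whitespace so the real command scrolls out of the Properties dialog, and opens its window minimised. The LOLBin and token lists, the two sample shortcuts, and the file paths in them are all constructed for illustration and are not indicators from the report.

```python
"""Parse a Windows .LNK (Shell Link) file and flag document-disguised LOLBin launchers.

Added example, not Aryaka's tooling. Layout follows MS-SHLLINK: a 76-byte
ShellLinkHeader, optional LinkTargetIDList, optional LinkInfo, then StringData
(NAME, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION), each
a 2-byte character count followed by UTF-16LE text when IsUnicode is set.
The sample shortcuts at the bottom are constructed here, not real captures.
"""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised and unfocused

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# Illustrative lists (assumption of this example); tune to your environment.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "-nop", "bypass", "hidden", "iex",
                     "invoke-expression", "downloadstring", "mshta", "http")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_lnk(data: bytes) -> dict:
    """Return the header's ShowCommand plus whichever StringData fields are present."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 60)   # ShowCommand sits at header offset 60
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole LinkInfo structure
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_lnk(fields: dict) -> list:
    """Heuristics for a shortcut that launches a LOLBin while posing as a document."""
    findings = []
    target = _basename(fields.get("relative_path", ""))
    icon = _basename(fields.get("icon_location", ""))
    args = fields.get("arguments", "")
    stripped = args.lstrip()
    if target in LOLBINS:
        findings.append(f"target is a living-off-the-land binary: {target}")
        if icon and icon != target:
            findings.append(f"icon borrowed from another program (disguise): {icon}")
    padding = len(args) - len(stripped)
    if padding >= 50:                        # whitespace run pushes the real command out of the Properties view
        findings.append(f"arguments padded with {padding} leading spaces")
    hits = [t for t in SUSPICIOUS_TOKENS if t in stripped.lower()]
    if hits:
        findings.append("suspicious argument tokens: " + ", ".join(hits))
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Constructed sample generator (test fixture for this example, not malware)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s: str) -> bytes:                 # one StringData entry: CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments) + sd(icon_location)


# Constructed samples: a document-disguised PowerShell launcher and a plain Notepad shortcut.
LURE_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    " " * 300 + '-windowstyle hidden -nop -ep bypass -c "iex (gc $env:TEMP\\report.log)"',
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\notepad.exe", "", "%SystemRoot%\\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(parse_lnk(blob)) or ["no findings"])
```

Run it against a directory of mail attachments and treat any shortcut with two or more findings as worth a sandbox detonation; a single finding (for example a Notepad shortcut with an odd icon) is usually noise. The parser deliberately stops at StringData and ignores ExtraData blocks, so it will not see a target stored only in the IDList; extend it if your lures use that form.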