To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission

2020-09-30 PwC

https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf

Attachments

VB2020-46.pdf (2 MB)

The Virus Bulletin 2020 paper by PwC maps the tradecraft of Kimsuky (PwC's Black Banshee) across complementary campaigns targeting South Korean government and media, defence and aerospace, diplomacy, national-security policy, cryptocurrency, and North Korea-focused research communities. It clusters BabyShark, AppleSeed, GoldDragon/GHOST419, FlowerPower, WildCommand and related activity by shared malware routines, C2 URL structures, server-side scripts and infrastructure pivots. Recurring artifacts it highlights include the hard-coded multipart boundary WebKitFormBoundarywhpFxMBe19cSjFnG (a browser generates a fresh random boundary for every multipart request, so a fixed one recurring across victims is a reliable network signature), VBScript downloaders that fetch stages in sequence, PowerShell implants that profile the victim host, persistence via the Registry Run key, exfiltration as encoded HTTP POST bodies, and C2 hosted on jonashartley.com and the suzuki.datastore.pe.hu free-hosting subdomain. The analysis treats these overlaps as evidence that the individually named campaigns serve one broader North Korea-linked espionage mission.
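The fixed multipart boundary is the most mechanically checkable of those artifacts. The following is an added example, not code from the paper or from PwC: it parses raw HTTP POST requests, flags any request that uses the boundary the paper reports, and separately flags any boundary that recurs across more than one host, which generalises the idea (browsers never reuse a boundary) to variants the paper does not cover. The sample requests are constructed fixtures; the hosts come from the IoC table on this page, but the paths, form field names and payload strings are hypothetical.

```python
import re

# Fixed multipart boundary reported for BabyShark POST traffic in the paper.
BABYSHARK_BOUNDARY = "WebKitFormBoundarywhpFxMBe19cSjFnG"

# Extracts the boundary token from a multipart/form-data Content-Type header.
BOUNDARY_RE = re.compile(r"multipart/form-data;\s*boundary=([^\s;]+)", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_fields(body, boundary):
    """Return {field name: value} for each part of a multipart body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":       # leading empty chunk / closing "--"
            continue
        part_headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', part_headers)
        if match:
            fields[match.group(1)] = value.rstrip("\r\n")
    return fields


def analyse(requests):
    """Return (hits, reused).

    hits   - POSTs using the known BabyShark boundary, with their form fields
    reused - {boundary: set(hosts)} for boundaries seen on more than one host,
             which a real browser would never produce."""
    hosts_per_boundary = {}
    hits = []
    for raw in requests:
        method, path, headers, body = parse_request(raw)
        if method != "POST":
            continue
        match = BOUNDARY_RE.search(headers.get("content-type", ""))
        if not match:
            continue
        boundary = match.group(1)
        host = headers.get("host", "?")
        hosts_per_boundary.setdefault(boundary, set()).add(host)
        if boundary == BABYSHARK_BOUNDARY:
            hits.append({"host": host, "path": path,
                         "fields": multipart_fields(body, boundary)})
    reused = {b: h for b, h in hosts_per_boundary.items() if len(h) > 1}
    return hits, reused


def build_post(host, path, boundary, fields):
    """Construct a multipart POST request string (test fixture, not capture)."""
    parts = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items())
    body = parts + f"--{boundary}--\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed traffic: two implant check-ins (hosts from the IoC table, paths
# and field names hypothetical) and one benign browser upload with a random
# boundary of the usual WebKit shape.
SAMPLE_REQUESTS = [
    build_post("suzuki.datastore.pe.hu", "/upload.php", BABYSHARK_BOUNDARY,
               {"fn": "hostinfo.txt", "data": "U3lzdGVtSW5mbw=="}),
    build_post("jonashartley.com", "/r.php", BABYSHARK_BOUNDARY,
               {"fn": "tasklist.txt", "data": "VGFza0xpc3Q="}),
    build_post("files.example.net", "/api/upload",
               "----WebKitFormBoundary7MA4YWxkTrZu0gW", {"file": "report.pdf"}),
]


def run_sample():
    return analyse(SAMPLE_REQUESTS)


if __name__ == "__main__":
    hits, reused = run_sample()
    for hit in hits:
        print("known BabyShark boundary:", hit["host"], hit["path"], hit["fields"])
    for boundary, hosts in reused.items():
        print("boundary reused across hosts:", boundary, sorted(hosts))
```

On real traffic feed `analyse` the decoded request bodies from a proxy or PCAP extraction; the reuse check needs only the Content-Type and Host headers, so it can run at scale even where bodies are not retained.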

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  mygamesonline.org                  2020-03-20   2025-05-13
DOMAIN  myartsonline.com                   2020-09-30   2024-09-05
DOMAIN  atwebpages.com                     2018-02-02   2024-09-05
DOMAIN  ccdcoe.org                         2020-09-30   2022-10-28
IPv4    45.13.135.103                      2020-03-04   2021-06-01
DOMAIN  ramble.myartsonline.com            2020-09-30   2021-05-01
HASH    9e004a659e8cb6236ac56671e4afa4b…   2020-09-30   2020-09-30
HASH    d36ac36d278c264362ec31e116a46da…   2020-09-30   2020-09-30
HASH    66ac66a8e2d8560f8287bfb23f0964c…   2020-09-30   2020-09-30
URL     http://www.hani.co.kr/arti/PRIN…   2020-09-30   2020-09-30
URL     https://jonashartley.com/          2020-09-30   2020-09-30
URL     https://www.dailysecu.com/news/…   2020-09-30   2020-09-30
URL     https://jonashartley.com           2020-09-30   2020-09-30
URL     http://suzuki.datastore.pe.hu/?…   2020-09-30   2020-09-30
URL     http://jonashartley.com            2020-09-30   2020-09-30
DOMAIN  ma1l-help.com                      2020-09-30   2020-09-30
DOMAIN  org-help.com                       2020-09-30   2020-09-30
DOMAIN  blog.prevailion.com                2020-09-30   2020-09-30
DOMAIN  user.mai1-help.com                 2020-09-30   2020-09-30
DOMAIN  jonashartley.com                   2020-09-30   2020-09-30
DOMAIN  manager-alert.com                  2020-09-30   2020-09-30
DOMAIN  suzuki.datastore.pe.hu             2020-03-04   2020-09-30

The list is extracted automatically from the PDF, and the First Seen and Last Seen columns reflect this site's sighting window across reports rather than dates given in the paper. Not every entry is malicious: ccdcoe.org, blog.prevailion.com, www.hani.co.kr and www.dailysecu.com are legitimate sites the paper cites or references, and atwebpages.com, mygamesonline.org and myartsonline.com are free-hosting parent domains on which the actor registered subdomains, so only the specific subdomains (ramble.myartsonline.com, suzuki.datastore.pe.hu) and the look-alike domains (ma1l-help.com, user.mai1-help.com, org-help.com, manager-alert.com, jonashartley.com) belong on a blocklist. The hash and URL values are truncated on this page; consult the PDF for the full indicators.
