What if.. We Can See Another Dimension of Cyber Attacks?
2022-08-27 • Kaspersky
https://github.com/theseongsu/presentation/blob/main/CSW2022_Kimsuky.pdf
The CSW2022 Kimsuky presentation outlines the actor also known as Thallium and describes its targeting of South Korea, Japan, the United States, China, and sectors including government, diplomacy, defense, think tanks, NGOs, journalists, defectors, academia, cryptocurrency, and e-commerce. It summarizes Kimsuky's capabilities across phishing, compromised web servers, free and commercial hosting, private email services, multi-stage infection chains, malicious documents, CHM files, HTA/VBS scripts, and PowerShell injection. The infection scheme includes fingerprinting, stealing browser passwords, keylogging, file listing, and other tooling delivered through staged scripts and decoys.