Kimsuky (APT43)
A North Korean state-sponsored cyber espionage group attributed with moderate confidence to the Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service. Active since at least 2012, Kimsuky specializes in intelligence collection on foreign policy, nuclear security, and defense issues through highly targeted social engineering, credential harvesting, and spearphishing campaigns. The group also conducts financially motivated cybercrime operations to self-fund its espionage mission.
Overview
Kimsuky is a North Korean cyber espionage operation that has been active since at least 2012, when it was first identified targeting South Korean think tanks, nuclear power operators, and the Ministry of Unification. Mandiant formally designated the group as APT43 in March 2023, distinguishing it from other DPRK cyber operations while acknowledging significant overlap with activity previously attributed to Kimsuky and THALLIUM by other vendors. The group is assessed with moderate confidence to report to the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service.
What sets Kimsuky apart from other North Korean threat actors is its emphasis on social engineering over technical sophistication. The group does not typically use zero-day exploits. Instead, it builds elaborate personas, impersonates journalists, think tank analysts, diplomats, and embassy staff, and engages in sustained email correspondence with targets to build trust before delivering payloads or extracting intelligence directly through conversation. In some documented cases, the operators successfully gathered strategic analysis from academic targets without ever deploying malware, simply by posing as a journalist covering North Korean missile tests.
The group also conducts financially motivated cybercrime operations, including cryptocurrency theft and credential harvesting for sale, to self-fund its espionage mission. This model is consistent with broader DPRK cyber strategy, where state-sponsored groups are expected to sustain themselves financially rather than operate on direct state funding. APT43 has been observed laundering stolen cryptocurrency through hash rental and cloud mining services to obscure the source of funds.
In January 2026, the FBI issued a FLASH alert warning that Kimsuky had adopted QR code phishing (quishing) in 2025 campaigns targeting U.S. government entities, think tanks, and academic institutions. The group embeds malicious QR codes in spearphishing emails that route victims through attacker-controlled redirectors to mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals. Because the destination is encoded in an image rather than a hyperlink, mail-gateway URL rewriting and inspection never see it, and the device that scans the code is usually a personal phone outside EDR and network controls. ESET also documented Kimsuky experimenting with the ClickFix technique to target diplomatic entities and South Korean academia in Q2-Q3 2025.
Relationship to Other DPRK Groups
Kimsuky/APT43 operates alongside other DPRK cyber groups including the Lazarus Group (of which Mandiant's financially motivated APT38 is one cluster), Andariel, Konni, and ScarCruft (APT37), but is assessed by Mandiant to be distinct from them. There is evidence of limited collaboration and resource sharing between DPRK groups, particularly in tool usage. During the COVID-19 pandemic, APT43 temporarily used malware associated with the Lazarus Group, though this overlap was short-lived. The group has also used the "Lonejogger" cryptocurrency-stealing tool associated with UNC1069, likely connected to APT38. Australia sanctioned Kimsuky in November 2025 alongside Andariel and Lazarus under autonomous sanctions regulations targeting DPRK cyber operations.
Target Profile
Kimsuky's targeting directly reflects North Korea's strategic intelligence priorities. The group's focus shifts in response to Pyongyang's evolving geopolitical concerns, as demonstrated by a temporary pivot to health-related targets during the COVID-19 pandemic in 2021.
- Think Tanks & Academic Institutions: The primary and most consistent target category. Kimsuky targets researchers, analysts, and policy experts focused on nuclear security, nonproliferation, Korean peninsula geopolitics, and North Korean human rights issues. Organizations in the U.S. and South Korea are particularly targeted, including universities, foreign policy research institutes, and strategic advisory firms. The 2025 quishing campaigns specifically targeted think tank leaders and senior fellows.
- Government & Diplomatic Entities: South Korean government agencies (particularly the Ministry of Unification), U.S. government entities, the UN Security Council, the U.S. Department of State, and foreign embassies. The group impersonates embassy staff and diplomatic advisors in phishing campaigns to extract intelligence on Korean peninsula developments.
- Defense & Nuclear Sectors: South Korean nuclear power operators, defense agencies including the Defense Counterintelligence Command, and organizations involved in the U.S. defense industrial base (DIB). Kimsuky's interest in nuclear security policy and nonproliferation information aligns directly with Pyongyang's strategic nuclear program.
- Media & Journalism: Journalists covering North Korea are both impersonated for social engineering and targeted for intelligence collection. The group creates highly credible journalist personas to extract analysis from experts.
- Cryptocurrency & Financial Targets: To fund operations, APT43 targets cryptocurrency exchanges and users with malicious apps and credential harvesting sites. The group has created spoofed websites impersonating major institutions like Cornell University and cryptocurrency platforms to harvest credentials.
- Expanding APAC Scope: Activity has expanded beyond traditional South Korean and U.S. targets to include Japan, Vietnam, Thailand, and, as of 2025, Uzbekistan — a country not previously in Kimsuky's targeting scope.
Tactics, Techniques & Procedures
Kimsuky is characterized by aggressive social engineering, extensive credential harvesting, and a broad custom malware toolkit. The group does not typically exploit zero-day vulnerabilities but is highly effective at manipulating human targets through sophisticated impersonation and relationship building.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566 | Phishing | Core technique. Highly tailored spearphishing emails impersonating journalists, diplomats, think tank analysts, and embassy staff. Delivers malicious HWP (Hangul Word Processor) documents, CHM files, LNK shortcuts, ISO/VHD containers, and macro-enabled Word documents. In 2025, adopted QR code phishing (quishing) to move the login onto a mobile device and harvest credentials plus session tokens, defeating MFA that is not phishing-resistant. |
| T1598 | Phishing for Information | Engages in extended email conversations to build rapport with targets and extract strategic intelligence without deploying malware. Has successfully gathered foreign policy analysis from academics through conversational social engineering alone. |
| T1056.003 | Web Portal Capture | Operates extensive credential harvesting infrastructure using spoofed login pages impersonating search engines, web platforms, cryptocurrency exchanges, and universities. In 2025 quishing campaigns, harvests credentials via mobile-optimized pages impersonating Microsoft 365, Okta, and VPN portals. |
| T1078 | Valid Accounts | Harvested credentials are used to log into victim accounts for direct intelligence collection, to impersonate victims in further phishing campaigns, and to register infrastructure for operations. Replays stolen session tokens (T1550.004, Web Session Cookie) to bypass MFA. |
| T1059 | Command and Scripting Interpreter | Extensive use of PowerShell, VBScript, and JavaScript for execution. BabyShark/LATEOP backdoor is built on Visual Basic scripts. ClickFix technique used in 2025 to trick victims into executing malicious commands. |
| T1204 | User Execution | Relies on victims opening malicious files delivered via spearphishing: HWP documents, CHM (Compiled HTML Help) files, LNK shortcut files disguised as documents, and ISO/VHD/ZIP/RAR containers designed to bypass initial security layers. |
| T1547 | Boot or Logon Autostart Execution | Establishes persistence through registry Run keys and startup-folder scripts; scheduled tasks and cron jobs used for the same purpose map to T1053. The Larva-24005 campaign used MySpy malware and RDPWrap to maintain persistent remote access. |
| T1190 | Exploit Public-Facing Application | Exploits known, long-patched vulnerabilities rather than zero-days: CVE-2019-0708 (BlueKeep RDP) against exposed hosts. The Office bugs CVE-2017-11882 (Equation Editor) and CVE-2017-0199 (OLE) are triggered from delivered documents and belong under T1203 (Exploitation for Client Execution). No confirmed zero-day exploitation attributed to Kimsuky. |
| T1071.001 | Web Protocols | C2 communications over HTTP/HTTPS. A distinct IE11 user-agent string ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko") is a well-established IOC for Kimsuky C2 traffic. |
| T1036 | Masquerading | Creates elaborate fake personas using stolen PII, registers domains spoofing legitimate institutions, and builds credible cover identities for purchasing operational infrastructure. Deploys malicious Chrome extensions (TRANSLATEXT) that masquerade as translation tools. |
| T1553.002 | Code Signing | Uses revoked or fraudulently obtained code signing certificates (e.g., EGIS certificate) to sign malware binaries and evade security detection. |
| T1070.006 | Timestomp | Manipulates creation and compilation timestamps of malware samples, backdating them to thwart forensic investigation and confuse timeline analysis. |
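The timestomping row above is easy to check on a sample. The following is an added example, not code from the page's sources: it reads the linker timestamp from a PE header with the standard library only and compares it with the filesystem creation time and first-seen time a responder normally has. The sample image (built by the `build_minimal_pe` helper) and the times are constructed. A compile stamp later than the file was first seen, or a creation time earlier than the compile stamp, is an inconsistency worth investigating; a plausibly backdated stamp on its own is only visible when corroborated by other timestamps (debug directory, signing certificate validity period) that this block does not parse.

```python
import struct


def pe_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (Unix seconds) of a PE image.

    Layout: 'MZ' DOS header; e_lfanew (uint32 at 0x3C) points at the
    PE signature (PE followed by two NUL bytes); the 20-byte COFF header
    follows it and holds the timestamp at COFF offset 4 (e_lfanew + 8).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


Y2000 = 946684800  # 2000-01-01T00:00:00Z; older stamps are implausible for current tooling


def timestomp_findings(compile_ts: int, created: int, first_seen: int) -> list:
    """Timeline consistency checks; all arguments are Unix seconds (UTC).

    Returns finding codes, not a verdict: reproducible builds and some
    toolchains write fixed or zero stamps, so each hit needs a second look.
    """
    findings = []
    if compile_ts == 0:
        findings.append("ZERO_COMPILE_TS")
    elif compile_ts < Y2000:
        findings.append("IMPLAUSIBLY_OLD_COMPILE_TS")
    if compile_ts > first_seen:
        findings.append("COMPILE_AFTER_FIRST_SEEN")  # future-dated linker stamp
    if created < compile_ts:
        findings.append("CREATED_BEFORE_COMPILE")    # file on disk predates its own build
    return findings


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test image: DOS stub, PE signature and COFF header only (not loadable)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def analyse(data: bytes, created: int, first_seen: int) -> list:
    """Convenience wrapper: parse the stamp and run the timeline checks."""
    return timestomp_findings(pe_compile_timestamp(data), created, first_seen)


if __name__ == "__main__":
    # Constructed case: the stamp claims 2030-01-01, but the file was created
    # and first seen on 2025-06-01 (both 1748736000).
    sample = build_minimal_pe(1893456000)
    print(analyse(sample, created=1748736000, first_seen=1748736000))
```

Feed `analyse` the bytes of a real sample together with the NTFS creation time and the earliest sighting (sandbox submission, EDR first-seen) to get the same finding codes.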
Known Campaigns
Confirmed or highly attributed operations linked to Kimsuky/APT43.
- Korea Hydro & Nuclear Power breach: Targeted Korea Hydro and Nuclear Power, the operator of South Korean nuclear reactors. Stole and publicly leaked internal documents including plant designs and employee personal data. One of the earliest high-profile incidents attributed to Kimsuky.
- U.S. think tank and academic spearphishing: Spearphishing campaign targeting academic institutions and think tanks in the United States. Used malicious Microsoft Word documents and browser-based credential theft to compromise researchers focused on nuclear policy and Korean peninsula issues.
- UN Security Council and U.S. State Department spearphishing: Spearphishing campaign targeting the UN Security Council, the U.S. Department of State, and think tanks in the U.S. and Europe. Exploited CVE-2017-0199 in malicious Word documents to deliver the BabyShark backdoor. Attempted to hack 11 officials of the UN Security Council.
- AppleSeed campaign against South Korean government agencies: Targeted South Korean government agencies using spearphishing emails with malicious attachments that installed the AppleSeed backdoor for remote data exfiltration and command execution. Demonstrated the group's continued focus on South Korean government intelligence.
- COVID-19 targeting pivot: Temporarily pivoted to target pharmaceutical companies and healthcare organizations during the pandemic, reflecting Pyongyang's shift in intelligence priorities. Shared tooling with the Lazarus Group during this period in a rare instance of inter-group collaboration.
- LNK-based delivery from offshore VPS: Leveraged malicious LNK shortcut files and offshore VPS nodes (primarily Panama-hosted) for distribution. Targeted South Korean academia, government, and defense sectors. Demonstrated the group's evolution from macro-enabled documents to LNK file-based delivery.
- BlueKeep exploitation for initial access: AhnLab ASEC discovered Kimsuky exploiting the BlueKeep RDP vulnerability (CVE-2019-0708) alongside Office Equation Editor exploitation (CVE-2017-11882) for initial access. Deployed MySpy malware and RDPWrap for persistent remote access. Also distributed malware via email attachments.
- QR code phishing (quishing): FBI issued a FLASH alert (January 2026) documenting four distinct quishing scenarios observed in May-June 2025. Targets included think tank leaders, senior fellows, and strategic advisory firms. Emails spoofed foreign advisors and embassy employees, embedding malicious QR codes that led to mobile credential harvesting pages impersonating Microsoft 365, Okta, and VPN portals. Session tokens were stolen and replayed to bypass MFA.
- ClickFix and DocSwap: ESET documented Kimsuky experimenting with the ClickFix social engineering technique to target diplomatic entities and South Korean think tanks and academia. Separately, ENKI identified Kimsuky distributing a malicious mobile application called DocSwap via QR codes in December 2025, expanding the group's mobile targeting capabilities.
Tools & Malware
Kimsuky maintains an extensive toolkit of custom malware alongside selective use of publicly available tools. The group continuously evolves its arsenal, building new variants and adapting to new platforms.
- BabyShark / LATEOP: Kimsuky's signature backdoor, built on Visual Basic scripts. Automates system profiling, credential theft, and data exfiltration. First observed in 2018 and continuously updated. The foundational tool for the group's reconnaissance and persistence operations.
- AppleSeed / AlphaSeed: Custom backdoor used for remote data exfiltration, command execution, and maintaining long-term access to compromised South Korean government systems. AlphaSeed is an evolved variant. Detected in honeypot login attempts through 2025.
- KGH_SPY: Modular spyware suite providing reconnaissance, keylogging, information stealing, and backdoor capabilities. Discovered by Cybereason with anti-forensics features including timestomped binaries.
- KimJongRAT / EndClient RAT: Remote access trojans under active development. KimJongRAT was observed being distributed via .hta files in November 2025. EndClient RAT was first documented, with accompanying IOCs, in November 2025.
- TRANSLATEXT: Malicious Chrome browser extension masquerading as a translation tool. Steals email addresses, passwords, cookies, and browser data from targeted South Korean academics.
- MySpy / RDPWrap: MySpy is custom malware deployed for persistent access. RDPWrap is a legitimate tool repurposed to enable and maintain Remote Desktop Protocol access on compromised systems.
- Troll Stealer: Information stealer observed in February 2024, disguised as a Korean company application and signed with a valid certificate. Targets credentials and sensitive data.
- PENCILDOWN / PENDOWN / VENOMBITE / EGGHATCH: Custom downloaders used in various campaign stages to retrieve and execute secondary payloads. PENCILDOWN has an Android variant for mobile targeting.
- FlowerPower / RandomQuery: PowerShell and VBScript-based reconnaissance tools used for initial system profiling and intelligence gathering before deploying heavier payloads.
- gh0st RAT / QuasarRAT / Amadey: Publicly available remote access tools deployed alongside custom malware for additional access and control capabilities.
- Cobalt Strike: Commercial adversary simulation framework used in conjunction with Truebot downloader for post-exploitation and lateral movement in select campaigns.
Indicators of Compromise
Publicly available IOCs from CISA, FBI, and threat intelligence reports.
Kimsuky uses complex infrastructure combining free-registered domains, compromised domains, and private domains. The group strategically uses offshore hosting (particularly Panama, U.S., U.K., and Germany) to complicate attribution and resist takedowns. IOCs have limited shelf life due to frequent infrastructure rotation. Cross-reference with CISA Alert AA20-301A and the latest FBI FLASH advisories.
Mitigation & Defense
Recommended defensive measures for organizations in Kimsuky's target profile, based on CISA Alert AA20-301A, FBI FLASH advisories, and Mandiant guidance.
- Implement phishing-resistant MFA: Kimsuky's 2025 quishing campaigns steal session tokens to bypass traditional MFA. Deploy FIDO2/WebAuthn-based authentication; an assertion is bound to the origin that requested it, so a lookalike harvesting page cannot obtain one that works on the real portal. Be aware that QR code phishing deliberately moves the login onto unmanaged mobile devices outside the scope of standard EDR and network security controls, so the control has to live in the identity provider rather than on the endpoint.
- Train personnel on social engineering tactics: Kimsuky's strength lies in impersonation, not technical exploitation. Educate staff, especially researchers, policy analysts, and executives, to verify the identity of correspondents through independent channels before sharing sensitive analysis or clicking links. The group often builds rapport over multiple email exchanges before delivering payloads.
- Enforce DMARC, DKIM, and SPF email policies: The FBI has specifically warned about Kimsuky exploiting weak DMARC security policies to mask social engineering attempts. Publish SPF with a -all terminator, sign outbound mail with DKIM, and set DMARC to p=reject (p=none only generates reports and does nothing to spoofed mail). This closes exact-domain spoofing only; a lookalike domain registered by the attacker passes its own authentication checks, so impersonation still has to be caught by the recipient.
- Block known file delivery vectors: Monitor and restrict execution of HWP files, CHM files, LNK shortcuts, and ISO/VHD containers in enterprise environments; these are Kimsuky's primary malware delivery mechanisms. Classify inbound attachments by content rather than by name, since the lures arrive as shortcuts and archives disguised as documents. Configure application allowlisting and disable Windows Script Host where not required.
- Monitor for anomalous RDP and remote access activity: Kimsuky exploits BlueKeep and deploys RDPWrap to maintain persistent remote access. Ensure all RDP-capable systems are patched, restrict RDP exposure, and monitor for unauthorized remote access tool installations.
- Hunt for known C2 indicators: The IE11 user-agent string documented by CISA is a long-lived Kimsuky C2 indicator. It is also a genuine IE11-on-Windows-7 string that the operators can change at will, so scope the hunt to hosts whose inventory says they cannot be a Windows 7/IE11 client, and treat a fixed request period to a single external host as the corroborating signal.
- Protect credential infrastructure: Kimsuky operates extensive fake login page infrastructure. Deploy browser-based phishing protection, monitor for spoofed institutional login portals, and educate users to verify URLs before entering credentials.
- Audit browser extensions: Kimsuky has deployed malicious Chrome extensions (TRANSLATEXT) targeting academic users. Enforce browser extension policies, require administrative approval for new extensions, and audit installed extensions regularly.
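The email-authentication item above is easiest to reason about with concrete records. The following is an added example, not code from the page's sources: it grades DMARC and SPF TXT records against the weak settings Kimsuky's spoofing relies on (no record, p=none, weak subdomain policy, partial pct, ~all/?all/+all, too many DNS lookups). The records for the hypothetical domain example.org are constructed; the functions take the record text so the check runs offline, and you would feed them the output of your own DNS lookups.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase-key tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record) -> list:
    """Weaknesses in a DMARC TXT record (None means no record is published)."""
    if record is None:
        return ["no DMARC record: receivers apply no policy, so a spoofed From: header is accepted"]
    t = parse_dmarc(record)
    findings = []
    if t.get("v", "").upper() != "DMARC1":
        findings.append("missing v=DMARC1: receivers ignore the record")
    p = t.get("p", "").lower()
    if p == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; move to p=reject once reports are clean")
    elif p != "reject":
        findings.append("p= missing or invalid: the record is treated as absent")
    sp = t.get("sp", p).lower()          # subdomain policy defaults to p
    if sp != "reject":
        findings.append(f"sp={sp or 'none'}: subdomains inherit a weak policy and can be spoofed")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports, abuse goes unnoticed")
    return findings


def assess_spf(record) -> list:
    """Weaknesses in an SPF TXT record (None means no record is published)."""
    if record is None:
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("missing v=spf1 prefix: record ignored")
    all_term = next((x.lower() for x in terms if x.lower().lstrip("+-~?") == "all"), None)
    if all_term in (None, "all", "+all"):
        findings.append("no -all terminator: senders not listed still pass")
    elif all_term == "?all":
        findings.append("?all: neutral result, effectively no policy")
    elif all_term == "~all":
        findings.append("~all: softfail only; use -all so DMARC-unaware receivers reject too")
    # RFC 7208 caps DNS-querying mechanisms at 10; past that, receivers return permerror.
    lookups = 0
    for term in terms[1:]:
        mech = term.lower().lstrip("+-~?")
        if mech.startswith(("include:", "exists:", "redirect=")) or \
           mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10: permerror, record ignored")
    return findings


# Constructed records for a hypothetical domain; not taken from any real zone.
WEAK = {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
        "spf": "v=spf1 include:_spf.example.net ~all"}
STRICT = {"dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
          "spf": "v=spf1 mx include:_spf.example.net -all"}


def assess(zone: dict) -> dict:
    """Grade both records of a zone; an empty list means nothing to fix."""
    return {"dmarc": assess_dmarc(zone.get("dmarc")), "spf": assess_spf(zone.get("spf"))}


if __name__ == "__main__":
    print("weak:  ", assess(WEAK))
    print("strict:", assess(STRICT))
```

The strict zone also sets adkim=s and aspf=s; the checker does not require strict alignment because relaxed alignment is a legitimate choice for many mail setups, but it is the setting to tighten once reports show no legitimate subdomain senders.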
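The T1204 row in the TTP table and the delivery-vector item above both come down to the same gateway decision: what is this attachment really, regardless of its name. The following is an added example, not code from the page's sources: it identifies LNK, CHM, ISO, VHD, PE, OLE/HWP, RAR and ZIP-based content by magic bytes, opens OOXML containers to see whether a vbaProject.bin (macro) is present, and applies a block/sandbox/allow policy with extension-mismatch and double-extension checks. The attachments in `SAMPLES` are constructed header-only fragments, and the policy sets are an assumed baseline to adapt, not a vendor default.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: HWP 5.x, legacy .doc/.xls
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def true_type(data: bytes) -> str:
    """Classify an attachment by its content, ignoring name and extension."""
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    if data[:4] == b"ITSF":
        return "chm"
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == OLE_MAGIC:
        return "ole"        # telling HWP 5 from .doc needs the stream names; both are sandboxed
    if data.startswith(b"HWP Document File"):
        return "hwp3"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"        # ISO 9660 primary volume descriptor after the 32 KiB system area
    if data[:8] == b"conectix" or (len(data) >= 512 and data[-512:-504] == b"conectix"):
        return "vhd"        # VHD footer (and, for dynamic disks, a header copy)
    if data[:7] in (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01"):
        return "rar"
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"        # includes HWPX, which is ZIP-based
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


BLOCK = {"lnk", "chm", "iso", "vhd", "pe"}                           # never legitimate as inbound mail here
SANDBOX = {"ole", "hwp3", "ooxml-macro", "zip", "rar", "zip-corrupt"}  # detonate before release
EXPECTED_EXT = {
    "pdf": {"pdf"}, "ooxml": {"docx", "xlsx", "pptx"}, "ooxml-macro": {"docm", "xlsm", "pptm"},
    "ole": {"doc", "xls", "ppt", "hwp"}, "hwp3": {"hwp"}, "zip": {"zip", "hwpx"}, "rar": {"rar"},
    "lnk": {"lnk"}, "chm": {"chm"}, "iso": {"iso", "img"}, "vhd": {"vhd"}, "pe": {"exe", "dll", "scr"},
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "txt"}


def triage(name: str, data: bytes) -> dict:
    """Decide block / sandbox / allow for one attachment and explain why."""
    kind = true_type(data)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if kind in BLOCK:
        action = "block"
        reasons.append(f"{kind} is a blocked delivery vector")
    elif kind in SANDBOX:
        action = "sandbox"
        reasons.append(f"{kind} content must be detonated before release")
    else:
        action = "allow"
    expected = EXPECTED_EXT.get(kind)
    if expected is not None and ext not in expected:
        reasons.append(f"extension .{ext} does not match content type {kind}")
        if action == "allow":
            action = "sandbox"
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext} mimics a document")
        if action == "allow":
            action = "sandbox"
    return {"name": name, "type": kind, "action": action, "reasons": reasons}


def _constructed_docm() -> bytes:
    """Minimal OOXML container whose only notable member is a (dummy) vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments: only the headers are real, the bodies are padding.
SAMPLES = [
    ("Report.pdf.lnk", b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 56),
    ("guide.chm", b"ITSF" + b"\x00" * 60),
    ("materials.iso", b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64),
    ("questions.docm", _constructed_docm()),
    ("invite.pdf", b"MZ" + b"\x00" * 62),
    ("agenda.pdf", b"%PDF-1.7\n%constructed sample\n"),
]


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over a list of (name, bytes) pairs, keyed by name."""
    return {name: triage(name, data) for name, data in samples}


if __name__ == "__main__":
    for result in triage_all().values():
        print(result)
```

Two of the constructed lures would pass an extension-only filter: `invite.pdf` is a PE with a document name, and `questions.docm` is only distinguishable from a harmless `.docx` by looking inside the ZIP.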
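The IE11 user-agent indicator appears in both the TTP table (T1071.001) and the hunting item above. The following is an added example, not code from CISA or the page's other sources: it runs the hunt over proxy log lines, groups hits by source and destination, checks each source host against an asset inventory (a Windows 10/11 host claiming Windows NT 6.1 is the stronger signal), and looks for a fixed request period as a beaconing hint. The log excerpt, the key=value log format, the RFC 5737 documentation addresses, and the `INVENTORY` mapping are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-agent string documented in CISA Alert AA20-301A as a Kimsuky C2 indicator.
KIMSUKY_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed proxy log excerpt (key=value format, documentation addresses); not real traffic.
SAMPLE_LOG = """\
2025-06-03T10:12:45Z src=10.0.3.17 dst=203.0.113.45 method=POST url=http://203.0.113.45/index.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-06-03T10:13:02Z src=10.0.3.22 dst=198.51.100.8 method=GET url=https://198.51.100.8/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
2025-06-03T10:17:45Z src=10.0.3.17 dst=203.0.113.45 method=POST url=http://203.0.113.45/index.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-06-03T10:22:45Z src=10.0.3.17 dst=203.0.113.45 method=POST url=http://203.0.113.45/index.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-06-03T10:30:11Z src=10.0.3.40 dst=192.0.2.77 method=GET url=http://192.0.2.77/legacy ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

# Constructed asset inventory (hypothetical): source address -> operating system.
INVENTORY = {"10.0.3.17": "Windows 11", "10.0.3.22": "Windows 11", "10.0.3.40": "Windows 7"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) '
    r'url=(?P<url>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def regular_interval(timestamps, tolerance=0.1):
    """Return the period in seconds when the gaps between requests are
    near-constant (a beaconing hint), else None. Needs at least three requests."""
    if len(timestamps) < 3:
        return None
    times = sorted(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ") for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
        return int(round(mean))
    return None


def hunt(log_text: str, inventory: dict) -> list:
    """One finding per (src, dst) pair that sent the Kimsuky user-agent.

    The string is a genuine IE11-on-Windows-7 UA, so each finding records
    whether the inventory says the host could legitimately send it; a mismatch
    plus a fixed period to one destination is what to escalate first.
    """
    hits = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["ua"] == KIMSUKY_UA:
            hits[(rec["src"], rec["dst"])].append(rec)
    findings = []
    for (src, dst), recs in sorted(hits.items()):
        host_os = inventory.get(src, "unknown")
        findings.append({
            "src": src,
            "dst": dst,
            "requests": len(recs),
            "host_os": host_os,
            "ua_os_mismatch": host_os not in ("Windows 7", "unknown"),
            "beacon_period_s": regular_interval([r["ts"] for r in recs]),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, INVENTORY):
        print(finding)
```

On the constructed excerpt, 10.0.3.17 is the one to escalate: a Windows 11 host sending the Windows 7 string to a single address every 300 seconds. 10.0.3.40 also matches the indicator but is a genuine Windows 7 machine with a single request, which is exactly the false positive the inventory check is there to separate out.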
Kimsuky's primary innovation is social, not technical. The group excels at impersonating trusted individuals and institutions to extract intelligence through conversation. Organizations focused on Korean peninsula policy, nuclear security, and defense issues should treat unsolicited emails from unfamiliar contacts — even those appearing to be from known organizations — with heightened suspicion. Verify identities through independent communication channels before engaging in substantive discussions or opening attachments.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Kimsuky G0094
- Mandiant — APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (2023)
- FBI FLASH — North Korean Kimsuky Actors Leverage Malicious QR Codes (2026)
- ESET — APT Activity Report Q2 2025 – Q3 2025
- Global Cyber Alliance — Tracking Kimsuky: North Korean Espionage Operations in AIDE (2025)
- Cybereason — Back to the Future: Inside the Kimsuky KGH Spyware Suite (2020)
- Rapid7 — The Updated APT Playbook: Tales from the Kimsuky Threat Actor Group (2024)
- SOCRadar — Dark Web Profile: Kimsuky
- CISA / FBI / CNMF — North Korean Advanced Persistent Threat: Kimsuky (2020)