APT PROFILE – KIMSUKI

Kimsuki, an advanced persistent threat (APT) group active since at least 2012, is suspected to be operating out of North Korea in direct support of the regime’s strategic objectives. The group’s intelligence collection priorities are closely aligned with the mission of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence agency. Kimsuki possesses moderately sophisticated technical capabilities and is known for employing highly targeted social engineering tactics, especially against South Korean and U.S.-based government agencies, academics, and think tanks focused on geopolitical issues related to the Korean Peninsula. In addition to its espionage operations, Kimsuki engages in cybercriminal activities to generate revenue, helping to finance its overarching mission of acquiring strategic intelligence.

Alias: APT43, Thallium, Velvet Chollima, Black Banshee, Emerald Sleet

Motivation: Cyber Espionage, Strategic Intelligence Collection, Credential Theft

Targeted Industries

Targeted Country
Belgium, Bulgaria, Canada, Croatia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Montenegro, North Macedonia, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, the Czech Republic, Netherlands, Albania, Japan, South Korea, Thailand, USA, Vietnam.

Target Technologies: Office Suites Software, Operating System, Web Application

Targeted Regions: East Asia, Southeast Asia, Asia-Pacific, North America, Europe, and globally

Tools Used by Kimsuki: BabyShark, AppleSeed (KGH_SPY), AlphaSeed, GoldDragon, Custom Phishing Frameworks, Browser Credential Stealers, PowerShell, MSHTA, WMIC, Certutil, BITSAdmin.

Malware used by Kimsuki: BabyShark, AppleSeed, AlphaSeed, GoldDragon, KGH_SPY variants, Custom Android Spyware, Lightweight Downloaders.

Attack flow diagram of Threat actor APT Kimsuki

Kimsuki’s Recent Campaign Highlights and Trends

Campaign highlights

• Recent Kimsuki campaigns demonstrate a shift to identity-centric espionage, prioritizing credential harvesting over heavy malware for persistent, low-detection access to diplomatic, academic, and government targets.
• QR-code-based spearphishing has been operationalized, embedding malicious QR codes in emails and documents that redirect to spoofed login portals, often via mobile devices to bypass enterprise security.
• Mobile attack vectors expanded with malicious Android apps distributed through phishing sites and QR lures, enabling credential interception, including MFA-protected accounts and ongoing surveillance.
• Lightweight backdoors like BabyShark and AppleSeed remain core, facilitating system reconnaissance, keylogging, screenshot capture, and discreet data exfiltration in these operations.

Tactical and Strategic Trends

• Kimsuki’s operations prioritize account compromise over full endpoint takeover, targeting email and cloud identities to access sensitive communications and shared data while minimizing forensic artifacts.
• Victim interaction shifts to low-visibility environments like mobile devices and web-based login portals, reducing exploit reliance and extending dwell time within organizations.
• Multi-channel social engineering builds trust via extended engagement across email, social media, and messaging platforms, paired with living-off-the-land techniques using native system utilities.
• Command-and-control infrastructure leverages compromised legitimate servers and cloud services for enhanced resilience and takedown resistance.

Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework