G0094 Kimsuky
Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing.2685109 Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions.
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).371
In 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.12
| Item | Value |
|---|---|
| ID | G0094 |
| Associated Names | Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail |
| Version | 5.1 |
| Created | 26 August 2019 |
| Last Modified | 12 November 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| Black Banshee | 68 |
| Velvet Chollima | 4158 |
| Emerald Sleet | 119 |
| THALLIUM | 68109 |
| APT43 | 109 |
| TA427 | 9 |
| Springtail | 13 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.007 | Additional Local or Domain Groups | Kimsuky has added accounts to specific groups with net localgroup.17 |
| enterprise | T1583 | Acquire Infrastructure | Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.10 |
| enterprise | T1583.001 | Domains | Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.1524568171018 |
| enterprise | T1583.004 | Server | Kimsuky has purchased hosting servers with virtual currency and prepaid cards.17 |
| enterprise | T1583.006 | Web Services | Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.16 Kimsuky has also leveraged Dropbox for hosting payloads and uploading victim system information. 19 |
| enterprise | T1557 | Adversary-in-the-Middle | Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.5 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Kimsuky has used HTTP GET and POST requests for C2.16 |
| enterprise | T1071.002 | File Transfer Protocols | Kimsuky has used FTP to download additional malware to the target machine.20 |
| enterprise | T1071.003 | Mail Protocols | Kimsuky has used e-mail to send exfiltrated data to C2 servers.5 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Kimsuky has used QuickZip to archive stolen files before exfiltration.16 |
| enterprise | T1560.003 | Archive via Custom Method | Kimsuky has used RC4 encryption before exfil.14 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.145231617 |
| enterprise | T1185 | Browser Session Hijacking | Kimsuky has the ability to use form-grabbing to extract emails and passwords from web data forms.22 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.25161710 Kimsuky has also utilized PowerShell scripts for execution, persistence, and defense evasion.19 |
| enterprise | T1059.003 | Windows Command Shell | Kimsuky has executed Windows commands by using cmd and running batch scripts.1617 |
| enterprise | T1059.005 | Visual Basic | Kimsuky has used Visual Basic to download malicious payloads.15202316 Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.16 |
| enterprise | T1059.006 | Python | Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.517 |
| enterprise | T1059.007 | JavaScript | Kimsuky has used JScript for logging and downloading additional tools.205 Kimsuky has used TRANSLATEXT, which contained four Javascript files for bypassing defenses, collecting sensitive information and screenshots, and exfiltrating data.22 |
| enterprise | T1586 | Compromise Accounts | - |
| enterprise | T1586.002 | Email Accounts | Kimsuky has compromised email accounts to send spearphishing e-mails.208 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.001 | Domains | Kimsuky has compromised legitimate sites and used them to distribute malware.171018 |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | Kimsuky has created accounts with net user.17 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Kimsuky has created new services for persistence.145 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft’s WebBrowserPassView tool to dump the passwords obtained from victims.45316 |
| enterprise | T1005 | Data from Local System | Kimsuky has collected Office, PDF, and HWP documents from its victims.1416 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.516 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Kimsuky has decoded malicious VBScripts using Base64.16 Kimsuky has also decoded malicious PowerShell scripts using Base64.19 |
| enterprise | T1587 | Develop Capabilities | Kimsuky created and used a mailing toolkit to use in spearphishing attacks.20 |
| enterprise | T1587.001 | Malware | Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.171610 |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.002 | Remote Email Collection | Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.17 |
| enterprise | T1114.003 | Email Forwarding Rule | Kimsuky has set auto-forward rules on victim’s e-mail accounts.5 |
| enterprise | T1585 | Establish Accounts | Kimsuky has leveraged stolen PII to create accounts.18 |
| enterprise | T1585.001 | Social Media Accounts | Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.17 |
| enterprise | T1585.002 | Email Accounts | Kimsuky has created email accounts for phishing operations.17109 |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.001 | Change Default File Association | Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.14 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Kimsuky has exfiltrated data over its C2 channel.1416 |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.16 Kimsuky has also leveraged Dropbox for uploading victim system information.19 |
| enterprise | T1190 | Exploit Public-Facing Application | Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.17 |
| enterprise | T1133 | External Remote Services | Kimsuky has used RDP to establish persistence.5 |
| enterprise | T1083 | File and Directory Discovery | Kimsuky has the ability to enumerate all files and directories on an infected system.141617 |
| enterprise | T1657 | Financial Theft | Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.1018 |
| enterprise | T1589 | Gather Victim Identity Information | - |
| enterprise | T1589.002 | Email Addresses | Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.8918 |
| enterprise | T1589.003 | Employee Names | Kimsuky has collected victim employee name information.17 |
| enterprise | T1591 | Gather Victim Org Information | Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.17 Kimsuky has also used large language models (LLMs) to gather information about potential targets of interest.12 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.002 | Hidden Users | Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.17 |
| enterprise | T1564.003 | Hidden Window | Kimsuky has used an information gathering module that will hide an AV software window from the victim.16 Kimsuky has also been known to use -WindowStyle Hidden to conceal PowerShell windows.19 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.1416 |
| enterprise | T1562.004 | Disable or Modify System Firewall | Kimsuky has been observed disabling the system firewall.14 |
| enterprise | T1656 | Impersonation | Kimsuky has impersonated academic institutions and NGOs in order to gain information related to North Korea.12 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.141617 Kimsuky has deleted files using the Remove-Item PowerShell commandlet to remove traces of executed payloads.19 |
| enterprise | T1070.006 | Timestomp | Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.6 |
| enterprise | T1105 | Ingress Tool Transfer | Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.162319 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.214531617 |
| enterprise | T1534 | Internal Spearphishing | Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.17 |
| enterprise | T1680 | Local Storage Discovery | Kimsuky has enumerated drives.1416 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Kimsuky has disguised services to appear as benign software or related to operating system functions.519 |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.26 Kimsuky has also disguised payloads using legitimate file names including a PowerShell payload named chrome.ps1. 19 |
| enterprise | T1036.007 | Double File Extension | Kimsuky has used an additional filename extension to hide the true file type. Kimsuky has also masqueraded malicious LNK files as PDF objects using the double extension .pdf.lnk.19 |
| enterprise | T1112 | Modify Registry | Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.5231617 |
| enterprise | T1111 | Multi-Factor Authentication Interception | Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.17 |
| enterprise | T1040 | Network Sniffing | Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.53 |
| enterprise | T1027 | Obfuscated Files or Information | Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.1520 Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.16 |
| enterprise | T1027.001 | Binary Padding | Kimsuky has performed padding of PowerShell command line code with over 100 spaces.19 |
| enterprise | T1027.002 | Software Packing | Kimsuky has packed malware with UPX.8 |
| enterprise | T1027.010 | Command Obfuscation | Kimsuky has encoded malicious PowerShell scripts using Base64.19 |
| enterprise | T1027.012 | LNK Icon Smuggling | Kimsuky has used the LNK icon location to execute malicious scripts. Kimsuky has also padded the LNK target field properties with extra spaces to obscure the script.19 |
| enterprise | T1027.016 | Junk Code Insertion | Kimsuky has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.19 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.31610 |
| enterprise | T1588.003 | Code Signing Certificates | Kimsuky has stolen a valid certificate that is used to sign the malware and the dropper.21 |
| enterprise | T1588.005 | Exploits | Kimsuky has obtained exploit code for various CVEs.17 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Kimsuky has gathered credentials using Mimikatz and ProcDump.5317 |
| enterprise | T1566 | Phishing | Kimsuky has used spearphishing to gain initial access and intelligence.1218 |
| enterprise | T1566.001 | Spearphishing Attachment | Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.4141520681617 Kimsuky has also distributed emails with attached compressed zip files that contained malicious .LNK files masquerading as legitimate files.19 |
| enterprise | T1566.002 | Spearphishing Link | Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.2317 |
| enterprise | T1598 | Phishing for Information | Kimsuky has used tailored spearphishing emails to gather victim information including contat lists to identify additional targets.10 |
| enterprise | T1598.003 | Spearphishing Link | Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.208179 |
| enterprise | T1057 | Process Discovery | Kimsuky can gather a list of all processes running on a victim’s machine.16 Kimsuky has also obtained running processes on the victim device utilizing PowerShell cmdlet Get-Process.19 |
| enterprise | T1055 | Process Injection | Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.14 |
| enterprise | T1055.012 | Process Hollowing | Kimsuky has used a file injector DLL to spawn a benign process on the victim’s system and inject the malicious payload into it via process hollowing.16 |
| enterprise | T1012 | Query Registry | Kimsuky has obtained specific Registry keys and values on a compromised host.16 |
| enterprise | T1620 | Reflective Code Loading | Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.10 Kimsuky has also used reflective loading through .NET assembly using [System.Reflection.Assembly]::Load.19 |
| enterprise | T1219 | Remote Access Tools | - |
| enterprise | T1219.002 | Remote Desktop Software | Kimsuky has used a modified TeamViewer client as a command and control channel.1423 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Kimsuky has used RDP for direct remote point-and-click access.3 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Kimsuky has downloaded additional malware with scheduled tasks.17 Kimsuky has established persistence by creating a scheduled task named “ChromeUpdateTaskMachine” through the PowerShell cmdlet Register-ScheduleTask which was set to execute another PowerShell script once, then five minutes after its creation and periodically repeat every 30 minutes.19 |
| enterprise | T1113 | Screen Capture | Kimsuky has captured browser screenshots using TRANSLATEXT.22 |
| enterprise | T1596 | Search Open Technical Databases | Kimsuky has used LLMs to better understand publicly reported vulnerabilities.1225 |
| enterprise | T1593 | Search Open Websites/Domains | Kimsuky has used LLMs to identify think tanks, government organizations, etc. that have information.12 |
| enterprise | T1593.001 | Social Media | Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.8 |
| enterprise | T1593.002 | Search Engines | Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.17 |
| enterprise | T1594 | Search Victim-Owned Websites | Kimsuky has searched for information on the target company’s website.17 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding “Dinosaur” references within the code.5 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct.17 Kimsuky has also obtained details on antivirus software through WMI queries using Win32_OperatingSystem and SecurityCenter2.AntiVirusProduct.19 |
| enterprise | T1176 | Software Extensions | - |
| enterprise | T1176.001 | Browser Extensions | Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.43 |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.161018 Kimsuky has also hosted malicious payloads on Dropbox.19 |
| enterprise | T1539 | Steal Web Session Cookie | Kimsuky has used malware, such as TRANSLATEXT, to steal and exfiltrate browser cookies.2221 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Kimsuky has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.1521 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Kimsuky has used mshta.exe to run malicious scripts on the system.252317 |
| enterprise | T1218.010 | Regsvr32 | Kimsuky has executed malware with regsvr32s.17 |
| enterprise | T1218.011 | Rundll32 | Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim’s network.16 |
| enterprise | T1082 | System Information Discovery | Kimsuky has enumerated OS type, OS version, and other information using a script or the “systeminfo” command.1416 Kimsuky has also obtained system information such as OS type, OS version, and system type through querying various Windows Management Instrumentation (WMI) classes including Win32_OperatingSystem.19 |
| enterprise | T1016 | System Network Configuration Discovery | Kimsuky has used ipconfig/all and web beacons sent via email to gather network configuration information.169 Kimsuky has also identified Host IP addresses leveraging the WMI class Win32_NetworkAdapterConfiguration.19 |
| enterprise | T1007 | System Service Discovery | Kimsuky has used an instrumentor script to gather the names of all services running on a victim’s system.16 |
| enterprise | T1205 | Traffic Signaling | Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.22 |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Kimsuky has used tools that are capable of obtaining credentials from saved mail.3 |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Kimsuky has used pass the hash for authentication to remote access software used in C2.5 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Kimsuky has lured victims into clicking malicious links.17 |
| enterprise | T1204.002 | Malicious File | Kimsuky has attempted to lure victims into opening malicious e-mail attachments.152056816 Kimsuky has also lured victims with tailored filenames and fake extensions that entice victims to open LNK files.19 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.003 | Local Accounts | Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.3 |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | Kimsuky has used TRANSLATEXT and a dead drop resolver to retrieve configurations and commands from a public blog site.22 |
| enterprise | T1102.002 | Bidirectional Communication | Kimsuky has used Blogspot pages and a Github repository for C2.1622 Kimsuky has also leveraged Dropbox for downloading payloads and uploading victim system information.19 |
Software
References
-
AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. ↩
-
Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. ↩↩↩↩↩
-
ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. ↩↩↩↩
-
CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. ↩↩↩↩↩↩↩↩↩↩↩
-
ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. ↩
-
Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024. ↩↩↩↩↩↩↩↩↩
-
Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. ↩
-
Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024. ↩↩↩↩↩↩
-
Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025. ↩↩↩↩
-
Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. ↩↩↩↩↩↩↩
-
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024. ↩↩↩↩↩↩↩↩↩↩↩
-
Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. ↩↩↩↩↩↩↩↩↩
-
Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. ↩↩↩↩↩
-
Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024. ↩↩↩↩↩↩↩↩
-
Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. ↩↩↩↩↩↩↩↩
-
Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020. ↩
-
OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024. ↩
-
Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024. ↩
-
AhnLab ASEC. (2024, February 16). TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group). Retrieved January 17, 2025. ↩