Skip to content


KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing “KGH”.1

Item Value
ID S0526
Associated Names
Version 1.0
Created 06 November 2020
Last Modified 22 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols KGH_SPY can send data to C2 with HTTP POST requests.1
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.001 Logon Script (Windows) KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell KGH_SPY can execute PowerShell commands on the victim’s machine.1
enterprise T1059.003 Windows Command Shell KGH_SPY has the ability to set a Registry key to run a cmd.exe command.1
enterprise T1555 Credentials from Password Stores KGH_SPY can collect credentials from WINSCP.1
enterprise T1555.003 Credentials from Web Browsers KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.1
enterprise T1555.004 Windows Credential Manager KGH_SPY can collect credentials from the Windows Credential Manager.1
enterprise T1005 Data from Local System KGH_SPY can send a file containing victim system information to C2.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging KGH_SPY can save collected system information to a file named “info” before exfiltration.1
enterprise T1140 Deobfuscate/Decode Files or Information KGH_SPY can decrypt encrypted strings and write them to a newly created folder.1
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection KGH_SPY can harvest data from mail clients.1
enterprise T1041 Exfiltration Over C2 Channel KGH_SPY can exfiltrate collected information from the host to the C2 server.1
enterprise T1083 File and Directory Discovery KGH_SPY can enumerate files and directories on a compromised host.1
enterprise T1105 Ingress Tool Transfer KGH_SPY has the ability to download and execute code from remote servers.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location KGH_SPY has masqueraded as a legitimate Windows tool.1
enterprise T1027 Obfuscated Files or Information KGH_SPY has used encrypted strings in its installer.1
enterprise T1518 Software Discovery KGH_SPY can collect information on installed applications.1
enterprise T1082 System Information Discovery KGH_SPY can collect drive information from a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File KGH_SPY has been spread through Word documents containing malicious macros.1

Groups That Use This Software

ID Name References
G0094 Kimsuky 1