Threat Actor Profile
High APT
Description

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions.

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

In 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)

Confidence Score
90%
Known Aliases
Kimsuky, Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (109)
T1005 - Data from Local System
Collection
T1056.001 - Keylogging
Collection
T1074.001 - Local Data Staging
Collection
T1113 - Screen Capture
Collection
T1114.002 - Remote Email Collection
Collection
T1114.003 - Email Forwarding Rule
Collection
T1185 - Browser Session Hijacking
Collection
T1560.001 - Archive via Utility
Collection
T1560.003 - Archive via Custom Method
Collection
T1071.001 - Web Protocols
Command and Control
T1071.002 - File Transfer Protocols
Command and Control
T1071.003 - Mail Protocols
Command and Control
T1102.001 - Dead Drop Resolver
Command and Control
T1102.002 - Bidirectional Communication
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1219.002 - Remote Desktop Software
Command and Control
T1003.001 - LSASS Memory
Credential Access
T1040 - Network Sniffing
Credential Access
T1111 - Multi-Factor Authentication Interception
Credential Access
T1539 - Steal Web Session Cookie
Credential Access
T1552.001 - Credentials In Files
Credential Access
T1555.003 - Credentials from Web Browsers
Credential Access
T1557 - Adversary-in-the-Middle
Credential Access
T1027 - Obfuscated Files or Information
Defense Evasion
T1027.001 - Binary Padding
Defense Evasion
T1027.002 - Software Packing
Defense Evasion
T1027.010 - Command Obfuscation
Defense Evasion
T1027.012 - LNK Icon Smuggling
Defense Evasion
T1027.016 - Junk Code Insertion
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1036.007 - Double File Extension
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1055.012 - Process Hollowing
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1070.006 - Timestomp
Defense Evasion
T1078.003 - Local Accounts
Defense Evasion
T1112 - Modify Registry
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1205 - Traffic Signaling
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1218.010 - Regsvr32
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1550.002 - Pass the Hash
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.002 - Hidden Users
Defense Evasion
T1564.003 - Hidden Window
Defense Evasion
T1620 - Reflective Code Loading
Defense Evasion
T1656 - Impersonation
Defense Evasion
T1007 - System Service Discovery
Discovery
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.005 - Visual Basic
Execution
T1059.006 - Python
Execution
T1059.007 - JavaScript
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1657 - Financial Theft
Impact
T1190 - Exploit Public-Facing Application
Initial Access
T1566 - Phishing
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1534 - Internal Spearphishing
Lateral Movement
T1098.007 - Additional Local or Domain Groups
Persistence
T1133 - External Remote Services
Persistence
T1136.001 - Local Account
Persistence
T1176.001 - Browser Extensions
Persistence
T1505.003 - Web Shell
Persistence
T1543.003 - Windows Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1546.001 - Change Default File Association
Privilege Escalation
T1589.002 - Email Addresses
Reconnaissance
T1589.003 - Employee Names
Reconnaissance
T1591 - Gather Victim Org Information
Reconnaissance
T1593 - Search Open Websites/Domains
Reconnaissance
T1593.001 - Social Media
Reconnaissance
T1593.002 - Search Engines
Reconnaissance
T1594 - Search Victim-Owned Websites
Reconnaissance
T1596 - Search Open Technical Databases
Reconnaissance
T1598 - Phishing for Information
Reconnaissance
T1598.003 - Spearphishing Link
Reconnaissance
T1583 - Acquire Infrastructure
Resource Development
T1583.001 - Domains
Resource Development
T1583.004 - Server
Resource Development
T1583.006 - Web Services
Resource Development
T1584.001 - Domains
Resource Development
T1585 - Establish Accounts
Resource Development
T1585.001 - Social Media Accounts
Resource Development
T1585.002 - Email Accounts
Resource Development
T1586.002 - Email Accounts
Resource Development
T1587 - Develop Capabilities
Resource Development
T1587.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
T1588.003 - Code Signing Certificates
Resource Development
T1588.005 - Exploits
Resource Development
T1608.001 - Upload Malware
Resource Development
STIX Data
{'aliases': ['Kimsuky',
             'Black Banshee',
             'Velvet Chollima',
             'Emerald Sleet',
             'THALLIUM',
             'APT43',
             'TA427',
             'Springtail'],
 'created': '2019-08-26T15:03:02.577Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Kimsuky](https://attack.mitre.org/groups/G0094) is a North '
                'Korea-based cyber espionage group that has been active since '
                'at least 2012. The group initially targeted South Korean '
                'government agencies, think tanks, and subject-matter experts '
                'in various fields. Its operations expanded to include the '
                'United Nations and organizations in the government, '
                'education, business services, and manufacturing sectors '
                'across the United States, Japan, Russia, and Europe. '
                '[Kimsuky](https://attack.mitre.org/groups/G0094) has focused '
                'collection on foreign policy and national security issues '
                'tied to the Korean Peninsula, nuclear policy, and sanctions. '
                'Its operations have overlapped with other DPRK actors, likely '
                'due to ad hoc collaboration or limited resource '
                'sharing.(Citation: EST Kimsuky April 2019)(Citation: '
                'Cybereason Kimsuky November 2020)(Citation: Malwarebytes '
                'Kimsuky June 2021)(Citation: CISA AA20-301A '
                'Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: '
                'Proofpoint TA427 April 2024) Because of overlapping '
                'operations, some researchers group a wide range of North '
                'Korean state-sponsored cyber activity under the broader '
                '[Lazarus Group](https://attack.mitre.org/groups/G0032) '
                'umbrella rather than tracking separate subgroup or cluster '
                'distinctions.\n'
                '\n'
                '[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed '
                'to be responsible for the 2014 Korea Hydro & Nuclear Power '
                'Co. compromise; other notable campaigns include Operation '
                'STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and '
                'Operation Smoke Screen (2019).(Citation: Netscout Stolen '
                'Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April '
                '2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n'
                '\n'
                'In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was '
                'observed using commercial large language models to assist '
                'with vulnerability research, scripting, social engineering '
                'and reconnaissance.(Citation: MSFT-AI)',
 'external_references': [{'external_id': 'G0094',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0094'},
                         {'description': '(Citation: Cybereason Kimsuky '
                                         'November 2020)(Citation: '
                                         'Malwarebytes Kimsuky June 2021)',
                          'source_name': 'Black Banshee'},
                         {'description': '(Citation: Cybereason Kimsuky '
                                         'November 2020)(Citation: '
                                         'Malwarebytes Kimsuky June '
                                         '2021)(Citation: Mandiant APT43 March '
                                         '2024)(Citation: Proofpoint TA427 '
                                         'April 2024)',
                          'source_name': 'THALLIUM'},
                         {'description': '(Citation: Mandiant APT43 March '
                                         '2024)(Citation: Proofpoint TA427 '
                                         'April 2024)',
                          'source_name': 'APT43'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)(Citation: '
                                         'Proofpoint TA427 April 2024)',
                          'source_name': 'Emerald Sleet'},
                         {'description': '(Citation: Proofpoint TA427 April '
                                         '2024)',
                          'source_name': 'TA427'},
                         {'description': '(Citation: Securelist Kimsuky Sept '
                                         '2013)(Citation: Malwarebytes Kimsuky '
                                         'June 2021)',
                          'source_name': 'Kimsuky'},
                         {'description': '(Citation: Symantec Troll Stealer '
                                         '2024)',
                          'source_name': 'Springtail'},
                         {'description': '(Citation: Zdnet Kimsuky Dec '
                                         '2018)(Citation: ThreatConnect '
                                         'Kimsuky September 2020)(Citation: '
                                         'Malwarebytes Kimsuky June 2021)',
                          'source_name': 'Velvet Chollima'},
                         {'description': 'AhnLab. (2019, February 28). '
                                         'Operation Kabar Cobra - Tenacious '
                                         'cyber-espionage campaign by Kimsuky '
                                         'Group. Retrieved September 29, 2021.',
                          'source_name': 'AhnLab Kimsuky Kabar Cobra Feb 2019',
                          'url': 'https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf'},
                         {'description': 'Alyac. (2019, April 3). Kimsuky '
                                         'Organization Steals Operation '
                                         'Stealth Power. Retrieved August 13, '
                                         '2019.',
                          'source_name': 'EST Kimsuky April 2019',
                          'url': 'https://blog.alyac.co.kr/2234'},
                         {'description': 'ASERT team. (2018, December 5). '
                                         'STOLEN PENCIL Campaign Targets '
                                         'Academia. Retrieved February 5, '
                                         '2019.',
                          'source_name': 'Netscout Stolen Pencil Dec 2018',
                          'url': 'https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/'},
                         {'description': 'Cimpanu, C.. (2018, December 5). '
                                         'Cyber-espionage group uses Chrome '
                                         'extension to infect victims. '
                                         'Retrieved August 26, 2019.',
                          'source_name': 'Zdnet Kimsuky Dec 2018',
                          'url': 'https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/'},
                         {'description': 'CISA, FBI, CNMF. (2020, October 27). '
                                         'https://us-cert.cisa.gov/ncas/alerts/aa20-301a. '
                                         'Retrieved November 4, 2020.',
                          'source_name': 'CISA AA20-301A Kimsuky',
                          'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-301a'},
                         {'description': 'Dahan, A. et al. (2020, November 2). '
                                         'Back to the Future: Inside the '
                                         'Kimsuky KGH Spyware Suite. Retrieved '
                                         'November 6, 2020.',
                          'source_name': 'Cybereason Kimsuky November 2020',
                          'url': 'https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite'},
                         {'description': 'ESTSecurity. (2019, April 17). '
                                         'Analysis of the APT Campaign ‘Smoke '
                                         'Screen’ targeting to Korea and US  '
                                         '출처: https://blog.alyac.co.kr/2243 '
                                         '[이스트시큐리티 알약 블로그]. Retrieved '
                                         'September 29, 2021.',
                          'source_name': 'EST Kimsuky SmokeScreen April 2019',
                          'url': 'https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf'},
                         {'description': 'Jazi, H. (2021, June 1). Kimsuky APT '
                                         'continues to target South Korean '
                                         'government using AppleSeed backdoor. '
                                         'Retrieved June 10, 2021.',
                          'source_name': 'Malwarebytes Kimsuky June 2021',
                          'url': 'https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/'},
                         {'description': 'Lesnewich, G. et al. (2024, April '
                                         '16). From Social Engineering to '
                                         'DMARC Abuse: TA427’s Art of '
                                         'Information Gathering. Retrieved May '
                                         '3, 2024.',
                          'source_name': 'Proofpoint TA427 April 2024',
                          'url': 'https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering'},
                         {'description': 'Mandiant. (2024, March 14). APT43: '
                                         'North Korean Group Uses Cybercrime '
                                         'to Fund Espionage Operations. '
                                         'Retrieved May 3, 2024.',
                          'source_name': 'Mandiant APT43 March 2024',
                          'url': 'https://services.google.com/fh/files/misc/apt43-report-en.pdf'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2024, February 14). Staying ahead '
                                         'of threat actors in the age of AI. '
                                         'Retrieved March 11, 2024.',
                          'source_name': 'MSFT-AI',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/'},
                         {'description': 'Symantec Threat Hunter Team. (2024, '
                                         'May 16). Springtail: New Linux '
                                         'Backdoor Added to Toolkit. Retrieved '
                                         'January 17, 2025.',
                          'source_name': 'Symantec Troll Stealer 2024',
                          'url': 'https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage'},
                         {'description': 'Tarakanov , D.. (2013, September '
                                         '11). The “Kimsuky” Operation: A '
                                         'North Korean APT?. Retrieved August '
                                         '13, 2019.',
                          'source_name': 'Securelist Kimsuky Sept 2013',
                          'url': 'https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/'},
                         {'description': 'ThreatConnect. (2020, September 28). '
                                         'Kimsuky Phishing Operations Putting '
                                         'In Work. Retrieved October 30, 2020.',
                          'source_name': 'ThreatConnect Kimsuky September 2020',
                          'url': 'https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/'}],
 'id': 'intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f',
 'modified': '2025-11-12T18:55:12.319Z',
 'name': 'Kimsuky',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Taewoo Lee, KISA',
                          'Dongwook Kim, KISA',
                          'Jaesang Oh, KC7 Foundation',
                          'Wai Linn Oo @ Kernellix'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '5.1'}