Self Assessment

N. Korean Hacking Group, Kimsuky, Escalates Attacks

Published On : 2020-12-16
Share :
N. Korean Hacking Group, Kimsuky, Escalates Attacks

Kimsuky (aka Velvet Chollima, Black Banshee, and Thallium) is a known N. Korean state-sponsored threat actor. The group has been active since 2012 and targeting businesses and individuals with new phishing themes.

It has a history of launching attacks around the world including Japan, the United States, Russia, and European nations.

Kimsuky operatives specialize in stealing intelligence secrets from the U.S. and its closest allies in Asia, such as Japan and South Korea. In recent campaigns, Kimsuky’s primary target is been observed to be pharmaceuticals firms.

Threat Actor Profile 

Kimsuky is a North Korean-based threat group that has been active since at least 2012. This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes. Also responsible for launching a spear-phishing campaign targeting UN officials, including those affiliated with the UN Security Council. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise (2014).

Target Industry:

Education and Academic Organizations, Energy, Think Tanks, Ministry of Unification, Pharmaceutical and Research Institutes, Military, Media.

Target Countries:

Japan, Europe, USA, South Korea, Russia


Information theft and Espionage

Attack Methods:

Kimsuky employs common social engineering tactics, spear phishing, and watering hole attacks to exfiltrate desired information from victims.

TTPs of Kimsuky APT

Spear phishing with a malicious attachment embedded in the email—is the most observed Kimsuky tactic to obtain Initial Access to victim networks. It has used emails containing Word, Excel, and/or HWP (Hangul Word Processor) documents in their spear-phishing campaigns.

PowerShell or the Windows Command Shell for Execution– Kimsuky has executed a variety of PowerShell scripts to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory. Kimsuky also uses Visual Basic Script (VBS)-based malware BabyShark.

For gaining Persistence, Kimsuky has been known to use malicious browser extensions, modifying system processes, manipulating the autostart execution.

A list of methods used by Kimsuky for Privilege Escalation is placing scripts in the Startup folder, creating, and running new services, changing default file associations. Kimsuky has used Win7Elevate to inject malicious code into explorer.exe (Process Injection).

Disabling the system firewall and deleting the exfiltrated data on disk after transmission to its C2 server are the two methods used by Kimsuky for Indicator Removal on Host i.e. Defense Evasion.

Kimsuky has used a PowerShell-based keylogger and legitimate tools and network sniffers to harvest credentials from web browsers.

Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server.

Use of Remote Access Software: Kimsuky has used a modified TeamViewer client (version 5.0.9104) as a command and control channel.

To download this report, email [email protected]



This site is registered on as a development site. Switch to a production site key to remove this banner.