Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Kimsuky has added accounts to specific groups with
|Enterprise||T1583||.001||Acquire Infrastructure: Domains||
Kimsuky has registered domains to spoof targeted organizations and trusted third parties.
|.004||Acquire Infrastructure: Server||
Kimsuky has purchased hosting servers with virtual currency and prepaid cards.
|.006||Acquire Infrastructure: Web Services||
Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.
Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|.002||Application Layer Protocol: File Transfer Protocols||
Kimsuky has used FTP to download additional malware to the target machine.
|.003||Application Layer Protocol: Mail Protocols||
Kimsuky has used e-mail to send exfiltrated data to C2 servers.
|Enterprise||T1560||.001||Archive Collected Data: Archive via Utility||
Kimsuky has used QuickZip to archive stolen files before exfiltration.
|.003||Archive Collected Data: Archive via Custom Method|
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||
Kimsuky has placed scripts in the startup folder for persistence and modified the
Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell||
Kimsuky has executed a variety of PowerShell scripts.
|.003||Command and Scripting Interpreter: Windows Command Shell||
Kimsuky has executed Windows commands by using
|.005||Command and Scripting Interpreter: Visual Basic||
Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.
|.006||Command and Scripting Interpreter: Python||
Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.
Kimsuky has used JScript for logging and downloading additional tools.
|Enterprise||T1586||.002||Compromise Accounts: Email Accounts||
Kimsuky has compromised email accounts to send spearphishing e-mails.
|Enterprise||T1584||.001||Compromise Infrastructure: Domains||
Kimsuky has compromised legitimate sites and used them to distribute malware.
|Enterprise||T1136||.001||Create Account: Local Account|
|Enterprise||T1543||.003||Create or Modify System Process: Windows Service|
|Enterprise||T1555||.003||Credentials from Password Stores: Credentials from Web Browsers||
Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.
|Enterprise||T1005||Data from Local System||
Kimsuky has collected Office, PDF, and HWP documents from its victims.
|Enterprise||T1074||.001||Data Staged: Local Data Staging||
Kimsuky has staged collected data files under
|Enterprise||T1140||Deobfuscate/Decode Files or Information|
Kimsuky created and used a mailing toolkit to use in spearphishing attacks.
Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.
|Enterprise||T1114||.002||Email Collection: Remote Email Collection||
Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.
|.003||Email Collection: Email Forwarding Rule||
Kimsuky has set auto-forward rules on victim's e-mail accounts.
|Enterprise||T1585||.001||Establish Accounts: Social Media Accounts||
Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.
|.002||Establish Accounts: Email Accounts||
Kimsuky has created email accounts for phishing operations.
|Enterprise||T1546||.001||Event Triggered Execution: Change Default File Association||
Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.
|Enterprise||T1041||Exfiltration Over C2 Channel|
|Enterprise||T1567||.002||Exfiltration Over Web Service: Exfiltration to Cloud Storage||
Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.
|Enterprise||T1190||Exploit Public-Facing Application||
Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.
|Enterprise||T1133||External Remote Services|
|Enterprise||T1083||File and Directory Discovery||
Kimsuky has the ability to enumerate all files and directories on an infected system.
|Enterprise||T1589||.002||Gather Victim Identity Information: Email Addresses||
Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.
|.003||Gather Victim Identity Information: Employee Names|
|Enterprise||T1591||Gather Victim Org Information||
Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.
|Enterprise||T1564||.002||Hide Artifacts: Hidden Users||
Kimsuky has run
|.003||Hide Artifacts: Hidden Window||
Kimsuky has used an information gathering module that will hide an AV software window from the victim.
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools||
Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.
|.004||Impair Defenses: Disable or Modify System Firewall||
Kimsuky has been observed disabling the system firewall.
|Enterprise||T1070||.004||Indicator Removal: File Deletion||
Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.
|.006||Indicator Removal: Timestomp||
Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.
|Enterprise||T1105||Ingress Tool Transfer||
Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.
|Enterprise||T1056||.001||Input Capture: Keylogging||
Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.
Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.
Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.
|.004||Masquerade Task or Service||
Kimsuky has disguised services to appear as benign software or related to operating system functions.
|.005||Match Legitimate Name or Location||
Kimsuky has renamed malware to legitimate names such as
Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.
|Enterprise||T1111||Multi-Factor Authentication Interception||
Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.
Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.
|Enterprise||T1027||Obfuscated Files or Information||
Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding. Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.
|Enterprise||T1588||.002||Obtain Capabilities: Tool||
Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.
|.005||Obtain Capabilities: Exploits|
|Enterprise||T1003||.001||OS Credential Dumping: LSASS Memory||
Kimsuky has gathered credentials using Mimikatz and ProcDump.
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment||
Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.
|.002||Phishing: Spearphishing Link||
Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.
|Enterprise||T1598||.003||Phishing for Information: Spearphishing Link||
Kimsuky has used links in e-mail to steal account information.
Kimsuky can gather a list of all processes running on a victim's machine.
Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.
Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.
Kimsuky has obtained specific Registry keys and values on a compromised host.
|Enterprise||T1219||Remote Access Software||
Kimsuky has used a modified TeamViewer client as a command and control channel.
|Enterprise||T1021||.001||Remote Services: Remote Desktop Protocol||
Kimsuky has used RDP for direct remote point-and-click access.
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task||
Kimsuky has downloaded additional malware with scheduled tasks.
|Enterprise||T1593||.001||Search Open Websites/Domains: Social Media||
Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.
|.002||Search Open Websites/Domains: Search Engines||
Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.
|Enterprise||T1594||Search Victim-Owned Websites||
Kimsuky has searched for information on the target company's website.
|Enterprise||T1505||.003||Server Software Component: Web Shell||
Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery||
Kimsuky has checked for the presence of antivirus software with
|Enterprise||T1608||.001||Stage Capabilities: Upload Malware||
Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.
|Enterprise||T1553||.002||Subvert Trust Controls: Code Signing|
|Enterprise||T1218||.005||System Binary Proxy Execution: Mshta||
Kimsuky has used mshta.exe to run malicious scripts on the system.
|.010||System Binary Proxy Execution: Regsvr32|
|.011||System Binary Proxy Execution: Rundll32||
Kimsuky has used
|Enterprise||T1082||System Information Discovery||
Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.
|Enterprise||T1016||System Network Configuration Discovery||
Kimsuky has used
|Enterprise||T1007||System Service Discovery||
Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.
|Enterprise||T1552||.001||Unsecured Credentials: Credentials In Files||
Kimsuky has used tools that are capable of obtaining credentials from saved mail.
|Enterprise||T1550||.002||Use Alternate Authentication Material: Pass the Hash||
Kimsuky has used pass the hash for authentication to remote access software used in C2.
|Enterprise||T1204||.001||User Execution: Malicious Link||
Kimsuky has lured victims into clicking malicious links.
|.002||User Execution: Malicious File||
Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.
|Enterprise||T1078||.003||Valid Accounts: Local Accounts||
Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.
|Enterprise||T1102||.002||Web Service: Bidirectional Communication|
|S0414||BabyShark||||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery|
|S0252||Brave Prince||||Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery|
|S0527||CSPY Downloader||||Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Indicator Removal, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Modify Registry, Obfuscated Files or Information: Software Packing, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks|
|S0249||Gold Dragon||||Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, Query Registry, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery|
|S0526||KGH_SPY||||Application Layer Protocol: Web Protocols, Boot or Logon Initialization Scripts: Logon Script (Windows), Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Software Discovery, System Information Discovery, User Execution: Malicious File|
|S0002||Mimikatz||||Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Ticket, Use Alternate Authentication Material: Pass the Hash|
|S0353||NOKKI||||Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery|
|S0029||PsExec||||Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution|
|S0111||schtasks||||Scheduled Task/Job: Scheduled Task|