
Threat Actor Characterization

Kimsuky


ID: a164d37e74e4fd8bbdd2729f1f99831297230
Type: Cybercrime, State-Sponsored
Threat types: Surveillance, Intrusion, Espionage
North Korea UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Operation zone: UNKNOWN
Aliases (2 of 7 shown in free preview): APT43, Black Banshee
MITRE ATT&CK®

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing. Ref: https://attack.mitre.org/groups/G0094/


Technique Technique name Tactics Evidence
T1003.001 LSASS Memory TA0006
  • OS Credential Dumping: LSASS Memory - Kimsuky has gathered credentials using Mimikatz and ProcDump. · ref
T1021.001 Remote Desktop Protocol TA0008
  • Remote Services: Remote Desktop Protocol - Kimsuky has used RDP for direct remote point-and-click access. · ref
T1027.002 Software Packing TA0005
  • Software Packing - Kimsuky has packed malware with UPX. · ref
T1036.004 Masquerade Task or Service TA0005
  • Masquerading: Masquerade Task or Service - Kimsuky has disguised services to appear as benign software or related to operating system functions. · ref
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll. · ref
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - Kimsuky has downloaded additional malware with scheduled tasks. · ref
T1055.012 Process Hollowing TA0004 TA0005
  • Process Hollowing - Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing. · ref
T1056.001 Keylogging TA0006 TA0009
  • Input Capture: Keylogging - Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes. · ref
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz. · ref
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - Kimsuky has executed Windows commands by using cmd and running batch scripts. · ref
T1059.005 Visual Basic TA0002
  • Command and Scripting Interpreter: Visual Basic - Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure. · ref
T1059.006 Python TA0002
  • Command and Scripting Interpreter: Python - Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data. · ref
T1059.007 JavaScript TA0002
  • Command and Scripting Interpreter: JavaScript - Kimsuky has used JScript for logging and downloading additional tools. Kimsuky has used TRANSLATEXT, which contained four JavaScript files for bypassing defenses, collecting sensitive information and screenshots, and exfiltrating data. · ref
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk. · ref
T1070.006 Timestomp TA0005
  • Indicator Removal: Timestomp - Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics. · ref
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - Kimsuky has used HTTP GET and POST requests for C2. · ref
T1071.002 File Transfer Protocols TA0011
  • Application Layer Protocol: File Transfer Protocols - Kimsuky has used FTP to download additional malware to the target machine. · ref
T1071.003 Mail Protocols TA0011
  • Application Layer Protocol: Mail Protocols - Kimsuky has used e-mail to send exfiltrated data to C2 servers. · ref
T1074.001 Local Data Staging TA0009
  • Data Staged: Local Data Staging - Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\. · ref
T1078.003 Local Accounts TA0001 TA0003 TA0004 TA0005
  • Valid Accounts: Local Accounts - Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP. · ref
T1098.007 Additional Local or Domain Groups TA0003 TA0004
  • Account Manipulation: Additional Local or Domain Groups - Kimsuky has added accounts to specific groups with net localgroup. · ref
T1102.001 Dead Drop Resolver TA0011
  • Web Service: Dead Drop Resolver - Kimsuky has used TRANSLATEXT and a dead drop resolver to retrieve configurations and commands from a public blog site. · ref
T1102.002 Bidirectional Communication TA0011
  • Web Service: Bidirectional Communication - Kimsuky has used Blogspot pages and a Github repository for C2. · ref
T1114.002 Remote Email Collection TA0009
  • Email Collection: Remote Email Collection - Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP. · ref
T1114.003 Email Forwarding Rule TA0009
  • Email Collection: Email Forwarding Rule - Kimsuky has set auto-forward rules on victim's e-mail accounts. · ref
T1136.001 Local Account TA0003
  • Create Account: Local Account - Kimsuky has created accounts with net user. · ref
T1176.001 Browser Extensions TA0003
  • Software Extensions: Browser Extensions - Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies. · ref
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - Kimsuky has lured victims into clicking malicious links. · ref
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - Kimsuky has attempted to lure victims into opening malicious e-mail attachments. · ref
T1218.005 Mshta TA0005
  • System Binary Proxy Execution: Mshta - Kimsuky has used mshta.exe to run malicious scripts on the system. · ref
T1218.010 Regsvr32 TA0005
  • System Binary Proxy Execution: Regsvr32 - Kimsuky has executed malware with regsvr32. · ref
T1218.011 Rundll32 TA0005
  • System Binary Proxy Execution: Rundll32 - Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim's network. · ref
T1219.002 Remote Desktop Software TA0011
  • Remote Access Tools: Remote Desktop Software - Kimsuky has used a modified TeamViewer client as a command and control channel. · ref
T1505.003 Web Shell TA0003
  • Server Software Component: Web Shell - Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code. · ref
T1518.001 Security Software Discovery TA0007
  • Software Discovery: Security Software Discovery - Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct. · ref
T1543.003 Windows Service TA0003 TA0004
  • Create or Modify System Process: Windows Service - Kimsuky has created new services for persistence. · ref
T1546.001 Change Default File Association TA0003 TA0004
  • Event Triggered Execution: Change Default File Association - Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents. · ref
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key. · ref
T1550.002 Pass the Hash TA0005 TA0008
  • Use Alternate Authentication Material: Pass the Hash - Kimsuky has used pass the hash for authentication to remote access software used in C2. · ref
T1552.001 Credentials In Files TA0006
  • Unsecured Credentials: Credentials In Files - Kimsuky has used tools that are capable of obtaining credentials from saved mail. · ref
T1553.002 Code Signing TA0005
  • Subvert Trust Controls: Code Signing - Kimsuky has signed files with the name EGIS CO., Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper. · ref
T1555.003 Credentials from Web Browsers TA0006
  • Credentials from Password Stores: Credentials from Web Browsers - Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims. · ref
T1560.001 Archive via Utility TA0009
  • Archive Collected Data: Archive via Utility - Kimsuky has used QuickZip to archive stolen files before exfiltration. · ref
T1560.003 Archive via Custom Method TA0009
  • Archive Collected Data: Archive via Custom Method - Kimsuky has used RC4 encryption before exfil. · ref
T1562.001 Disable or Modify Tools TA0005
  • Impair Defenses: Disable or Modify Tools - Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user. · ref
T1562.004 Disable or Modify System Firewall TA0005
  • Impair Defenses: Disable or Modify System Firewall - Kimsuky has been observed disabling the system firewall. · ref
T1564.002 Hidden Users TA0005
  • Hide Artifacts: Hidden Users - Kimsuky has run reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v to hide a newly created user. · ref
T1564.003 Hidden Window TA0005
  • Hide Artifacts: Hidden Window - Kimsuky has used an information gathering module that will hide an AV software window from the victim. · ref
T1566.001 Spearphishing Attachment TA0001
  • Spearphishing Attachment - Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns. · ref
T1566.002 Spearphishing Link TA0001
  • Spearphishing Link - Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain. · ref
T1567.002 Exfiltration to Cloud Storage TA0010
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage - Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts. · ref
T1583.001 Domains TA0042
  • Domains - Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges. · ref
T1583.004 Server TA0042
  • Server - Kimsuky has purchased hosting servers with virtual currency and prepaid cards. · ref
T1583.006 Web Services TA0042
  • Web Services - Kimsuky has hosted content used for targeting efforts via web services such as Blogspot. · ref
T1584.001 Domains TA0042
  • Compromise Infrastructure: Domains - Kimsuky has compromised legitimate sites and used them to distribute malware. · ref
T1585.001 Social Media Accounts TA0042
  • Social Media Accounts - Kimsuky has created social media accounts to monitor news and security trends as well as potential targets. · ref
T1585.002 Email Accounts TA0042
  • Email Accounts - Kimsuky has created email accounts for phishing operations. · ref
T1586.002 Email Accounts TA0042
  • Compromise Accounts: Email Accounts - Kimsuky has compromised email accounts to send spearphishing e-mails. · ref
T1587.001 Malware TA0042
  • Malware - Kimsuky has developed its own unique malware such as MailFetch.py for use in operations. · ref
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec. · ref
T1588.003 Code Signing Certificates TA0042
  • Obtain Capabilities: Code Signing Certificates - Kimsuky has stolen a valid certificate that is used to sign the malware and the dropper. · ref
T1588.005 Exploits TA0042
  • Obtain Capabilities: Exploits - Kimsuky has obtained exploit code for various CVEs. · ref
T1589.002 Email Addresses TA0043
  • Gather Victim Identity Information: Email Addresses - Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering. · ref
T1589.003 Employee Names TA0043
  • Gather Victim Identity Information: Employee Names - Kimsuky has collected victim employee name information. · ref
T1593.001 Social Media TA0043
  • Social Media - Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails. · ref
T1593.002 Search Engines TA0043
  • Search Engines - Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims. · ref
T1598.003 Spearphishing Link TA0043
  • Spearphishing Link - Kimsuky has used links in e-mail to steal account information including web beacons for target profiling. · ref
T1608.001 Upload Malware TA0042
  • Stage Capabilities: Upload Malware - Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants. · ref