Threat Actor Profile
Kimsuky
Kimsuky (aka "Velvet Chollima" or "Sparkling Pisces") is a North Korean advanced persistent threat (APT) group believed to have been active since around 2012. Known for cyber-espionage operations, Kimsuky primarily targets government entities, think tanks, and media organizations across the United States, Europe, and South Korea. Their arsenal includes spear-phishing campaigns, malware, and sophisticated social engineering tactics.
Country of Origin
Kimsuky is attributed to North Korea. The group is assessed to operate under the direction of North Korea's reconnaissance organization, tying it directly to the state's cyber operations.
Members
The exact size and composition of Kimsuky remain unclear. Reports suggest it is a small, highly specialized unit focused on espionage. Its operators often work under aliases and route activity through proxies to obscure their identities and their connections to North Korea.
Leadership
Specific individuals leading Kimsuky remain unknown. However, the group is believed to function under directives from North Korea’s General Reconnaissance Bureau, a key player in the nation’s cyber and military intelligence efforts.
Kimsuky TTPs
Tactics
Kimsuky primarily focuses on espionage, targeting geopolitical and military intelligence. Their goals include stealing sensitive information, monitoring communications, and gathering strategic intelligence to support North Korea's interests.
Techniques
The group relies heavily on spear-phishing emails crafted to impersonate legitimate entities. Once they gain access, they deploy customized malware and keyloggers for data theft. Social engineering plays a central role in their approach, tricking victims into divulging credentials or clicking malicious links.
Procedures
Kimsuky has been linked to malware families such as "BabyShark" and "AppleSeed," as well as tailored backdoor variants. They frequently use compromised websites and malicious LNK files to execute attacks. Keyloggers have also been observed in their toolbox, enabling data exfiltration from victims.
Notable Cyberattacks
One of their most significant campaigns involved targeting think tanks in South Korea with BabyShark malware. They’ve also been observed attacking U.S.-based organizations to steal national security information and infiltrating European entities with keylogger-based espionage campaigns.
Law Enforcement & Arrests
To date, no arrests have been publicly reported regarding Kimsuky members. Global cybersecurity firms and government entities continue to monitor the group’s activity to mitigate threats and attribute actions to North Korea.
How to Defend Against Kimsuky
Implement Multi-Factor Authentication (MFA) to reduce credential compromise risks.
Train employees on recognizing phishing attempts and social engineering tactics.
Use Endpoint Detection and Response (EDR) to detect and block malware variants like BabyShark.
Monitor network traffic for suspicious communication with known Kimsuky infrastructure.
Leverage Huntress tools to identify signs of Kimsuky IoCs and provide real-time threat intelligence.