>samit_hota
Back to adversary profiles
G0094CriticalActive

Kimsuky (G0094): North Korea's Relentless Cyber Espionage Arm

Samit Hota·
Suspected Origin
North Korea
Motivation
Espionage, Strategic intelligence collection, Financial activity
Aliases
Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail, Earth Kumiho, PatheticSlug
Target Sectors
Government, Defense, Think Tanks, Academia, Energy, Financial, Manufacturing, Business Services, NGOs, Media, Healthcare, Pharmaceutical, Cryptocurrency
Associated Malware
BabyShark, AppleSeed, Gold Dragon, RandomQuery, xRAT, KGH_SPY, CSPY Downloader, TruRat, HappyDoor, HttpTroy, ReconShark, ToddlerShark, Gomir, forceCopy, PebbleDash, FlowerPower
#threat-actor#g0094

Overview

Kimsuky, tracked by MITRE ATT&CK as G0094, is a highly active and persistent North Korean state-sponsored advanced persistent threat (APT) group. Operational since at least 2012, Kimsuky is attributed to the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency responsible for clandestine operations. Their core mission is cyber espionage, focused on intelligence gathering to inform Pyongyang’s foreign policy, military strategy, nuclear policy, and sanctions-related decision-making. While primarily driven by espionage, Kimsuky has also engaged in financially motivated cybercrime, including cryptocurrency theft, to self-fund operations and acquire necessary infrastructure.

Initially, Kimsuky concentrated its efforts on South Korean government entities, think tanks, academics, and nuclear power operators. Over time, their targeting scope expanded significantly to include organizations and individuals across the United States, Japan, Russia, Europe (especially NATO-tied countries), Vietnam, Thailand, and China. Their target list now encompasses a broad range of sectors including defense contractors, the United Nations Security Council, foreign policy experts, nuclear research institutions, media organizations, non-governmental organizations (NGOs), human rights groups, pharmaceutical and research companies (particularly those involved in COVID-19 therapies), cryptocurrency exchanges, financial institutions, and universities. The group has also been observed targeting specific individuals such as journalists, retired diplomats, and military officials. Kimsuky consistently refines its tactics, techniques, and procedures (TTPs), making them a persistent and adaptable threat.

Tactics & Techniques

Kimsuky’s primary initial access vector is sophisticated spear-phishing, often preceded by extensive target reconnaissance. They craft highly personalized lures based on targets’ research interests, recent publications, professional contacts, or current geopolitical events like the North Korean nuclear program or COVID-19. Impersonation is a key element, with attackers posing as journalists, academics, think tank researchers, or government officials to establish credibility.

Malicious attachments are delivered in various formats, including weaponized Microsoft Office documents (Word, Excel, HWP), Compiled HTML Help (CHM) files, and Windows Shortcut (LNK) files, often disguised within compressed ZIP archives. More recently, Kimsuky has incorporated malicious QR codes (“Quishing”) into their spear-phishing campaigns. This technique aims to bypass traditional email security controls by forcing victims to scan the code with a mobile device, leading them to attacker-controlled redirectors that harvest credentials for services like Microsoft 365, Okta, or VPN portals, and steal session tokens to bypass multi-factor authentication. The group also employs watering hole attacks, compromising websites frequented by their targets.

For execution, Kimsuky leverages legitimate system utilities and scripting languages like PowerShell, VBScript, and the Windows Command Shell (cmd.exe). They utilize mshta.exe to execute HTML Application (HTA) files, which can then download and execute additional payloads. Persistence is established through various methods, including creating scheduled tasks (e.g., “ChromeUpdateTaskMachine”), modifying registry autorun keys, and creating new services. A notable technique in recent campaigns involves deploying malicious browser extensions for Chromium-based browsers capable of form-grabbing, cookie theft, and screenshot capture.

To gain elevated privileges, Kimsuky has been observed using exploits like Win7Elevate from the Metasploit framework to bypass User Account Control (UAC) and inject malicious code into explorer.exe. Credential access is a significant focus, with the group employing tools like ProcDump for memory capture, malicious Chrome extensions, Nirsoft WebBrowserPassView/SniffPass, PowerShell-based keyloggers (e.g., MECHANICAL), and Mimikatz.

Kimsuky demonstrates considerable attention to operational security and defense evasion. They abuse legitimate cloud and web services such as Dropbox and Blogspot for command and control (C2) infrastructure, blending malicious traffic with normal web activity. Stolen web hosting credentials are used to host malicious scripts on third-party legitimate websites, complicating attribution. Obfuscation techniques like Base64 and XOR encoding are frequently applied to payloads and communications. They also disable system firewalls and Windows Security Center, and tamper with malware timestamps to thwart forensic analysis.

Command and Control (C2) communications often rely on HTTP POST requests with obfuscated data and leverage legitimate cloud services, sometimes employing OAuth token-based authentication for stealthy and dynamic channels. For reconnaissance, Kimsuky has been observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering, and identifying potential targets. Data exfiltration typically occurs via email (using auto-forwarding rules), encrypted communications to C2 servers, or legitimate cloud services like Dropbox.

Notable Campaigns

Kimsuky has a long history of high-profile operations:

  • 2014 Korea Hydro & Nuclear Power Co. Compromise: One of their earliest significant incidents, demonstrating their targeting of critical infrastructure and nuclear-related entities.
  • Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019): These campaigns highlight the group’s consistent activity and evolving tactics during that period.
  • 2019-2020 UN Security Council & US Foreign Policy Targeting: Kimsuky targeted at least eleven UN Security Council officials and US foreign policy experts, employing BabyShark-laced phishing emails.
  • 2020 US Defense Contractor Attacks: The group compromised US defense contractors to access sensitive military technologies and strategic planning documents.
  • DEEP#GOSU Campaign (Early 2024): A sophisticated multi-stage attack targeting Windows systems, where initial deceptive emails with malicious attachments led to PowerShell and VBScript execution, downloading the TruRat remote access trojan from legitimate cloud services like Dropbox.
  • TRANSLATEXT Campaign (2024): This campaign involved the deployment of a malicious browser extension to Chromium-based browsers for data theft.
  • March 2025 South Korean Cyber-Espionage: Kimsuky launched a sophisticated campaign against South Korean government agencies, defense and research institutions, critical infrastructure operators (including Korea Hydro & Nuclear Power Co.), and private sector companies (such as Hyundai Merchant Marine), leveraging PowerShell scripts and Dropbox for infiltration and data exfiltration.
  • May-June 2025 “Quishing” Campaigns: The group actively engaged in QR code phishing, spoofing foreign advisors and embassy employees in emails to target think tank leaders and senior fellows with malicious QR codes designed for credential harvesting.
  • October 2025 HttpTroy Deployment: Kimsuky was observed deploying a new backdoor, HttpTroy, against a South Korean victim, initiated via a ZIP file disguised as a VPN invoice.

Associated Malware & Tools

Kimsuky employs a diverse arsenal of custom-developed malware alongside abused legitimate and open-source tools:

  • Custom Malware:
    • BabyShark: A core initial-stage, PowerShell-based malware used for reconnaissance and establishing command-and-control. ToddlerShark is a related variant.
    • AppleSeed/AlphaSeed: Backdoors with keylogging, screenshot capture, file exfiltration, and C2 capabilities, consistently used since at least 2021.
    • Gold Dragon: A more sophisticated backdoor often deployed for persistence.
    • RandomQuery: Malware used to infiltrate systems and exfiltrate data.
    • KGH_SPY: A modular spyware suite offering reconnaissance, keylogging, information stealing, and backdoor functionalities.
    • CSPY Downloader: A stealthy tool designed to evade analysis and download additional payloads.
    • TruRat: A remote access tool with keylogging, clipboard monitoring, and data exfiltration capabilities, notably used in the DEEP#GOSU campaign.
    • HappyDoor: A backdoor first identified in 2021 and actively patched and used through 2024.
    • HttpTroy: A new backdoor observed in October 2025, providing full control over compromised systems including file operations, screenshot capture, command execution, and reverse shell capabilities.
    • ReconShark: Reconnaissance malware delivered via weaponized Office documents.
    • Gomir: A Linux backdoor, identified as a variant of the GoBear backdoor, delivered via trojanized software installers.
    • forceCopy: Malware designed to extract browser credentials.
    • PebbleDash and FlowerPower: Other malware strains utilized in their campaigns.
  • Commodity/Open-Source Tools: Kimsuky integrates commodity tools to reduce development overhead while maintaining operational flexibility. These include xRAT for remote access, keylogging, remote shell, and file management, as well as ProcDump, Mimikatz, Nirsoft’s WebBrowserPassView/SniffPass, PsExec, PHProxy, and the Metasploit framework’s Win7Elevate exploit.
  • Legitimate Services/Utilities for Abuse: Kimsuky extensively abuses legitimate services and utilities such as PowerShell, mshta.exe, cmd.exe, reg.exe, Dropbox, Blogspot, Google Chrome extensions, VK’s Mail.ru, and various compromised web servers for payload delivery, C2, and infrastructure hosting. They have also used GitHub to stage malicious browser extensions.

Current Status

Kimsuky remains one of the most active and persistent North Korean state-sponsored cyber threat groups. They are continuously evolving their tradecraft and tools, demonstrating a remarkable ability to adapt to modern security measures and evade detection.

Recent activity underscores their ongoing operations:

  • Throughout 2024, the group was active, notably with the DEEP#GOSU campaign in early 2024, the TRANSLATEXT campaign, and continuous patching and deployment of the HappyDoor backdoor. They were also observed exploiting ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) to deploy ToddlerShark.
  • In April 2024, Proofpoint reported Kimsuky’s abuse of DMARC policies to spoof personas for social engineering campaigns.
  • In March 2025, a sophisticated cyber-espionage campaign targeted critical South Korean entities, leveraging PowerShell scripts and cloud services like Dropbox for infiltration and data exfiltration.
  • Between May and June 2025, the FBI issued an alert regarding Kimsuky’s use of “Quishing” (QR code phishing) in spear-phishing campaigns targeting NGOs, think tanks, academia, and government entities with a nexus to North Korea.
  • As recently as October 2025, Kimsuky deployed a new backdoor named HttpTroy in attacks involving ZIP files disguised as VPN invoices. Furthermore, infrastructure linked to Kimsuky was identified in June 2025, showing their continued operation and use of specific hosting providers and domain patterns.

Kimsuky’s strategic use of commercial large language models (LLMs) for vulnerability research, scripting, social engineering, and reconnaissance further highlights their commitment to innovation and effectiveness. This constant adaptation, blending sophisticated social engineering with diverse malware and robust operational security, indicates that Kimsuky will continue to be a significant threat in the global cybersecurity landscape.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call