Who is Kimsuky?
Kimsuky is a skilled cyberespionage group linked to North Korea. Active since at least 2012, the group’s main goal is intelligence gathering. They gather information on foreign policy and national security for the North Korean state.
Their primary targets are in South Korea, Japan, and the United States. They focus on government agencies, diplomats, and think tanks. Their persistent and targeted campaigns make them a significant global threat.
Common Tactics and Tools
Kimsuky’s main entry point is highly targeted spear-phishing. The group crafts convincing emails, often impersonating journalists or academics. These emails contain malicious links or attachments.
The group uses a range of custom malware to maintain access and steal information.
- BabyShark: A downloader often delivered in the initial phishing email. It establishes a foothold and then downloads other malicious payloads.
- AppleSeed: A custom backdoor for Windows. It allows attackers to exfiltrate files, log keystrokes, and capture screenshots.
- Custom RATs: The group builds and deploys various Remote Access Trojans (RATs) to maintain long-term control over compromised systems.
How to Defend Against Kimsuky
Defense against Kimsuky requires strong email security and a focus on detecting their custom malware.
- Enhance email security: Use advanced email gateways to scan for and block malicious attachments and links. Train users to spot and report spear-phishing attempts.
- Prioritize software patching: Keep operating systems and common software, like Microsoft Office, fully patched to close the security holes Kimsuky uses.
- Utilize endpoint protection: Use endpoint security to detect and respond to the specific behaviors of malware like AppleSeed and other RATs.
- Adopt an Assume Breach mindset: Attackers are becoming adept at bypassing endpoint security. Strong network security is vital. Use Network Detection and Response (NDR), like Lumu Defender, to monitor traffic and detect C2 communications and data exfiltration.



