Live Training | What's New in Lumu Defender

Already have an account? Sign in

Sign in

Group

G0094

Kimsuky

Aliases

Thallium, Velvet Chollima, APT43

Type

State-sponsored cyberespionage group

Target

Diplomatic Missions, Government, Media, Military, Think Tanks

Malware

BabyShark, AppleSeed, various custom RATs

Country

North Korea North Korea

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Who is Kimsuky?

Kimsuky is a skilled cyberespionage group linked to North Korea. Active since at least 2012, the group’s main goal is intelligence gathering. They gather information on foreign policy and national security for the North Korean state.

Their primary targets are in South Korea, Japan, and the United States. They focus on government agencies, diplomats, and think tanks. Their persistent and targeted campaigns make them a significant global threat.

Common Tactics and Tools

Kimsuky’s main entry point is highly targeted spear-phishing. The group crafts convincing emails, often impersonating journalists or academics. These emails contain malicious links or attachments.

The group uses a range of custom malware to maintain access and steal information.

  • BabyShark: A downloader often delivered in the initial phishing email. It establishes a foothold and then downloads other malicious payloads.
  • AppleSeed: A custom backdoor for Windows. It allows attackers to exfiltrate files, log keystrokes, and capture screenshots.
  • Custom RATs: The group builds and deploys various Remote Access Trojans (RATs) to maintain long-term control over compromised systems.

How to Defend Against Kimsuky

Defense against Kimsuky requires strong email security and a focus on detecting their custom malware.

  • Enhance email security: Use advanced email gateways to scan for and block malicious attachments and links. Train users to spot and report spear-phishing attempts.
  • Prioritize software patching: Keep operating systems and common software, like Microsoft Office, fully patched to close the security holes Kimsuky uses.
  • Utilize endpoint protection: Use endpoint security to detect and respond to the specific behaviors of malware like AppleSeed and other RATs.
  • Adopt an Assume Breach mindset: Attackers are becoming adept at bypassing endpoint security. Strong network security is vital. Use Network Detection and Response (NDR), like Lumu Defender, to monitor traffic and detect C2 communications and data exfiltration.

Join our pre-day 
workshop waitlist

By clicking “Submit Request” you agree to the Lumu Terms of Service and Privacy Policy.