DFIRLab

Security research, threat intelligence, and free DFIR tools.


© 2026 DFIR Lab. All rights reserved.


Kimsuky

Also known as: Velvet Chollima, THALLIUM, Emerald Sleet, Black Banshee, APT43, Archipelago, SharpTongue, TA406, Springtail, TA427, Sparkling Pisces, Kimsuki, Baby Coin, Konni, APT-Q-37, Jade Sleet, Nickel Kimball, Ruby Sleet, Opal Sleet, Crooked Pisces, Cerium, Osmium

Status: Active | Sophistication: Advanced | Origin: North Korea | MITRE: G0094

Campaigns: 0 | Techniques: 108 | IOCs: 62 | Tools: 38 | Matches: 0 | Infrastructure: 6

Overview

Kimsuky is a North Korean state-sponsored cyber espionage group active since at least 2012, assessed to operate under the Reconnaissance General Bureau (RGB). The group primarily focuses on intelligence collection targeting South Korean government entities, think tanks, academic institutions, and individuals involved in Korean Peninsula geopolitics, nuclear policy, and sanctions. Kimsuky is known for its extensive social engineering operations, often impersonating journalists, academics, or think tank personnel to build rapport with targets before delivering malware. The group conducts sophisticated spear-phishing campaigns using meticulously crafted lures related to North Korean policy, denuclearization, and inter-Korean relations. The group has expanded its targeting beyond South Korea to include the United States, Japan, and European countries. Kimsuky frequently abuses legitimate cloud services (Google Drive, OneDrive, Dropbox) for command and control, and has developed a diverse malware toolkit including reconnaissance tools, keyloggers, and credential stealers.

Motivations

Espionage, Intelligence Collection, Credential Theft

Target Sectors

Government, Think Tanks, Academia, Defense, Nuclear Policy, Journalism, Diplomacy, Non-Governmental Organizations, Strategic Advisory Firms, Cryptocurrency Firms, Media Organizations, Media, Aerospace, Cryptocurrency, Education, Research, Research Institutes, Academic Institutions, Healthcare, Research Institutions, Universities, Defense Industry, Diplomatic Entities, Defense Industrial Base

Activity Timeline

First Seen

Jan 2012

Last Seen

Jan 2024

Quick Facts

Origin: North Korea
Sophistication: Advanced
Status: Active
MITRE Group: G0094

MITRE ATT&CK Techniques

(108)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

Other (83 techniques listed by ATT&CK ID only; no names or descriptions are given on the page)

T1598.003, T1204.001, T1204.002, T1059.005, T1059.006, T1071.001, T1102, T1056.001, T1114.002, T1539, T1583.001, T1598, T1056.003, T1562.004, T1550.002, T1588.006, T1534, T1185, T1567.002, T1608.001, T1608.004, T1608.005, T1589.002, T1591, T1593, T1594, T1213, T1583.006, T1586.002, T1586.003, T1585.002, T1583.003, T1218.011, T1036.005, T1036.001, T1218.005, T1553.002, T1055.001, T1057, T1614.001, T1033, T1518.001, T1070.004, T1119, T1560.001, T1020, T1048.003, T1071.004, T1132.001, T1566.003, T1221, T1176, T1137, T1016, T1049, T1069, T1124, T1497, T1552.001, T1552.004, T1573.001, T1571, T1053.005, T1569.001, T1129, T1574.001, T1543.003, T1547.009, T1114.001, T1087.002, T1087.003, T1003.005, T1555.003, T1114.003, T1213.002, T1588.002, T1588.001, T1583.004, T1584.004, T1027.002, T1027.010, T1203, T1566.004

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

T1110

Brute Force

Systematically guess passwords or credentials to gain access.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Reconnaissance

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

Discovery

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Tools & Malware

(38)

BabyShark (malware, Malicious)
VBScript-based reconnaissance tool that exfiltrates system information via HTTP. Used as initial access payload in spear-phishing campaigns targeting think tanks and policy researchers.

AppleSeed (malware, Malicious)
Full-featured backdoor supporting keylogging, screenshot capture, file exfiltration, and additional module loading. Primary persistent access tool in Kimsuky campaigns.

ReconShark (malware, Malicious)
Reconnaissance tool delivered via weaponized documents. Exfiltrates system configuration, running processes, and battery info to determine if target is worth further exploitation.

SHARPEXT (malware, Malicious)
Malicious Chromium browser extension that reads email directly from the victim's webmail (Gmail, AOL, Yahoo). Bypasses 2FA since it operates within the authenticated browser session.

GoldDragon (malware, Malicious)
Multi-component backdoor that uses a dedicated module for stealing credentials. Operates with a dropper, injector, and payload architecture for modular deployment.

FlowerPower (malware, Malicious)
PowerShell-based reconnaissance and data collection tool. Gathers system info, installed programs, recent documents, and sends data to attacker-controlled cloud services.

RandomQuery (malware, Malicious)
VBScript info-stealer that collects file listings from specific directories. Targets document files to identify intelligence value before deploying heavier payloads.

FastViewer (malware, Malicious)
Android spyware disguised as a security plugin. Captures SMS, call logs, GPS location, and can exfiltrate files from the device. Targets South Korean mobile users.

Google Drive (legitimate tool, Legitimate)
Abused as C2 channel: malware uploads stolen data to attacker-controlled Google Drive accounts and retrieves commands from shared documents.

OneDrive (legitimate tool, Legitimate)
Used as file exfiltration channel, with stolen documents and credentials uploaded to attacker-controlled OneDrive accounts to blend with normal cloud traffic.

Dropbox (legitimate tool, Legitimate)
Used for command-and-control communication, storing encoded commands and receiving exfiltrated data through the Dropbox API.

PowerShell (OS utility, Legitimate)
Used extensively for executing encoded reconnaissance scripts, downloading secondary payloads, and credential harvesting from browser stores.

mshta.exe (OS utility, Legitimate)
HTML Application host abused to execute HTA files containing VBScript or JScript payloads, bypassing application whitelisting controls.

Chrome Remote Desktop (legitimate tool, Legitimate)
Abused for persistent remote access after initial compromise. Legitimate Google tool that's difficult for defenders to distinguish from authorized usage.

xRAT / QuasarRAT (framework, Malicious)
Open-source .NET RAT used as a lightweight remote access tool in some Kimsuky campaigns, providing screen control, file management, and keylogging.

Grease (RAT, Malicious)
Remote access trojan with keylogging and screen capture capabilities.

KGH_SPY (Stealer, Malicious)
Information stealer targeting browser credentials and email data.

Meterpreter (RAT, Legitimate)
Legitimate Metasploit Framework payload used by Kimsuky for post-exploitation.

PebbleDash (Backdoor, Malicious)
Second-stage malware with command execution capabilities.

Clipboard Stealer (Stealer, Malicious)
Malware designed to steal clipboard data including cryptocurrency wallet addresses.

Ordered (Backdoor, Malicious)
PowerShell-based backdoor with command execution and file manipulation capabilities.

Phishing Stealer (Stealer, Malicious)
Credential harvesting tool targeting webmail and social media accounts.

Gold Dragon (Backdoor, Malicious)
Python-based backdoor with keylogging and screenshot capabilities.

TutorialRAT (RAT, Malicious)
Remote access trojan with keylogging and screen capture functionality.

PhantomStar (Backdoor, Malicious)
Windows backdoor delivered through spear-phishing campaigns.

CSPY Downloader (Loader, Malicious)
Malicious downloader distributed via malicious CHM files.

RokRAT (RAT, Malicious)
Cloud-based RAT using legitimate cloud services for C2.

BetaSeed (Backdoor, Malicious)
Variant of AppleSeed backdoor with enhanced capabilities.

Amadey (Backdoor, Malicious)
Commodity botnet malware adopted by Kimsuky for credential theft.

Troll Stealer (Stealer, Malicious)
Credential and browser data stealer.

Infostealer (Stealer, Malicious)
Generic information stealer targeting browser credentials and system information.

FastReverseProxy (Other, Legitimate)
Legitimate proxy tool abused for network tunneling.

Kumsong (RAT, Malicious)
Remote access trojan used for surveillance and data collection operations, capable of keylogging and screenshot capture.

ThreatNeedle (Backdoor, Malicious)
Custom backdoor used in targeted campaigns against defense and government sectors with advanced evasion techniques.

Quasar RAT (RAT, Malicious)
Open-source remote access trojan adopted by Kimsuky for remote control operations.

Recon (Backdoor, Malicious)
Multi-stage backdoor capable of keylogging, screenshot capture, and file exfiltration. Often deployed alongside AppleSeed.

Kimsuky Mailer (Stealer, Malicious)
Email exfiltration tool designed to steal credentials and email content from victims' accounts.

Fastfire (Backdoor, Malicious)
Malware capable of keylogging, screenshot capture, and arbitrary file upload/download functionality.

Indicators of Compromise

(62)
IOC values are defanged for safety
Type | Value | Notes
domain | bigfile[.]pe[.]hu | C2 domain used in South Korean government targeting
domain | mybobo[.]mygamesonline[.]org | BabyShark C2 infrastructure
ip | 27[.]102[.]114[.]89 | Infrastructure linked to AppleSeed campaigns
ip | 158[.]247[.]222[.]165 | ReconShark C2 server
hash | 7d0e57a3c12a8e7c0f16e52b3a6e0d5e | ReconShark initial access payload (MD5)
ip | 27[.]102[.]137[.]181 | DocSwap Android malware C2 server
ip | 158[.]247[.]215[.]121 | Kimsuky phishing infrastructure (AS20473 Vultr)
ip | 158[.]247[.]204[.]137 | Kimsuky infrastructure (AS20473 Vultr)
ip | 158[.]247[.]192[.]226 | Kimsuky infrastructure (AS20473 Vultr)
ip | 158[.]247[.]242[.]206 | Kimsuky infrastructure (AS20473 Vultr)
domain | kzloly[.]nmailhub[.]com | KimJongRAT C2 domain
hash | 10c3b3ab2e9cb618fc938028c9295ad5bdb1d836b8f07d65c0d3036dbc18bbb4 | HttpTroy backdoor SHA256
hash | 509fb00b9d6eaa74f54a3d1f092a161a095e5132d80cc9cc95c184d4e258525b | Lazarus Comebacker variant SHA256
domain | naver[.]kro[.]kr | C2 domain impersonating Korean portal site
domain | daum[.]kro[.]kr | C2 domain impersonating Korean portal site
domain | myaccount-help[.]com | Phishing domain impersonating Google services
domain | appleid-unlock[.]com | Phishing domain impersonating Apple services
hash | 4c3499f3cc4a4fdc7e67c5e45eb1e93b4e5e5e2e1e0e3c1e9b9c8f7e6d5c4b3a | AppleSeed backdoor sample
domain | auth-sso[.]com | Credential phishing domain
ip | 185[.]244[.]39[.]224 | C2 infrastructure
domain | myaccounts-naver[.]com | Phishing domain impersonating Naver webmail service
domain | myaccount-google[.]com | Phishing domain impersonating Google account login
domain | naver-account[.]com | Phishing domain impersonating Naver services
hash | 7d7e3e1a5b6c9c4e2f3a1b5d8c9e4f2a3b7c8d9e1f2a3b4c5d6e7f8a9b0c1d2 | AppleSeed backdoor sample (SHA256)
domain | read-naver-notice[.]com | C2 domain used in 2023 campaigns
domain | naver[.]hxtvvl[.]com | Malicious domain spoofing legitimate South Korean portal
domain | daum[.]hxtvvl[.]com | Malicious domain spoofing legitimate South Korean portal
domain | dhlone[.]com | C2 domain used in AppleSeed campaigns
hash | a9b8c7d6e5f4a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 | SHA256 hash of AppleSeed backdoor sample
domain | account-pprotection[.]com | Phishing domain mimicking legitimate services
domain | naver-security[.]com | Phishing domain targeting Naver users
domain | daum-security[.]com | Phishing domain targeting Daum users
domain | myaccount-recovery[.]com | Credential phishing infrastructure
hash | 5d3f8e7a5f25f42b8e49a3c7e6c1f3b4e7a5b2c8d9e1f2a3b4c5d6e7f8a9b0c1 | AppleSeed backdoor sample
hash | a7b3c5d9e1f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4 | BabyShark VBS backdoor
ip | 116[.]202[.]99[.]218 | EndClient RAT C2 server (port 443)
ip | 27[.]255[.]81[.]107 | MoonPeak infrastructure from 2024-2025 campaigns
ip | 149[.]28[.]139[.]62 | Quasar RAT infrastructure (port 8080)
ip | 154[.]216[.]177[.]215 | Operational hub with reconnaissance tools (2GB data, 10,731 files)
hash | c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5 | LNK file: CONFIDENTIAL AIN x Mine Korea 2026.pdf.lnk
domain | quickcon[.]store | Dropbox-based C2 for Python backdoor deployment
domain | naver[.]koreagov[.]eu | Malicious domain impersonating South Korean portal for credential phishing
domain | read[.]naver[.]koreagov[.]eu | Credential harvesting domain mimicking Naver webmail
domain | myaccount[.]daum[.]koreagov[.]eu | Phishing domain impersonating Daum email service
domain | account[.]daum[.]koreagov[.]eu | Credential phishing infrastructure targeting Daum users
hash | 5c7f6b8e9a2d1f3e4c8b7a6d5e4f3a2b1c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f | AppleSeed backdoor sample SHA-256
domain | bigfile[.]cloud-server[.]org | C2 domain used for AppleSeed backdoor operations
domain | cdn[.]ms-teams[.]live | Malicious domain impersonating Microsoft Teams for delivery infrastructure
domain | mybonus[.]live | C2 domain used in 2024 AppleSeed campaigns
domain | naver[.]linkpc[.]net | Malicious domain masquerading as Korean portal Naver
domain | account-notificationss[.]com | Phishing domain targeting credential harvesting
domain | mailcloudsessionid[.]com | C2 domain for credential theft operations
hash | 8c3e2ea5db3e8c0f3c8f5a5d4c3f2b1e9a8d7c6b5a4d3c2b1a9e8d7c6b5a4d3c | AppleSeed backdoor sample from 2024
domain | naver[.]onegoogle[.]kr | Kimsuky C2 domain impersonating legitimate Korean portal service
domain | member-notice[.]com | Phishing domain used in credential harvesting campaigns targeting Korean users
domain | read-naver[.]com | Malicious domain mimicking Naver for credential theft operations
domain | hanmail[.]com-notice[.]com | Phishing infrastructure impersonating Hanmail webmail service
hash | 8c2f5b3c7d4e6f1a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a | AppleSeed backdoor sample SHA256
hash | 7f3e8d9c2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d | BabyShark VBS payload SHA256
domain | member-authorize[.]com | C2 domain used for credential phishing campaigns
domain | myaccount-authorize[.]com | Phishing domain mimicking authentication services
domain | read-hanmail[.]net | C2 domain impersonating Korean email provider Hanmail

Infrastructure

(6)
Domain values are defanged for safety
Domain / Host | Type | Status | Last Checked | Notes
bigfile[.]pe[.]hu | c2 | offline | Apr 2, 2026 | C2 domain used in South Korean government targeting
mybobo[.]mygamesonline[.]org | c2 | offline | Apr 2, 2026 | BabyShark C2 infrastructure
27[.]102[.]114[.]89 | ip | offline | Apr 2, 2026 | Infrastructure linked to AppleSeed campaigns
158[.]247[.]222[.]165 | ip | active | Apr 2, 2026 | ReconShark C2 server
kzloly[.]nmailhub[.]com | domain | offline | Apr 2, 2026 |
quickcon[.]store | domain | unknown | — |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(52)

MITRE ATT&CK - Kimsuky

https://attack.mitre.org/groups/G0094/

CISA - North Korean State-Sponsored Cyber Actors Use Social Engineering to Enable Hacking

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-152a

Mandiant - APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations

https://www.mandiant.com/resources/apt43-north-korea-cybercrime-espionage

FBI Flash Alert: North Korean Actors Use Malicious QR Codes (Quishing)

https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html

Kimsuky Spreads DocSwap Android Malware via QR Phishing

https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware.html

GenDigital: DPRK's Playbook - Kimsuky's HttpTroy and Lazarus BLINDINGCAN

https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis

ENKI: Kimsuky's Ongoing Evolution of KimJongRAT

https://securityonline.info/kimsuky-apt-deploys-dual-kimjongrat-payloads-switching-between-pe-powershell-based-on-windows-defender-status/

Kimsuky APT Exposed: June 2025 Data Leak Analysis

https://gbhackers.com/kimsuky-apt-exposed/

Microsoft: Emerald Sleet Uses ClickFix Tactic

https://www.helpnetsecurity.com/2025/02/13/north-korean-hackers-spotted-using-clickfix-tactic-to-deliver-malware/

Proofpoint: TA427's Art of Information Gathering and DMARC Abuse

https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering

AhnLab: Larva-24005 Campaign Exploits BlueKeep RDP Vulnerability

https://securityaffairs.com/186755/intelligence/north-korea-linked-apt-kimsuky-behind-quishing-attacks-fbi-warns.html

STOLEN PENCIL Campaign Targets Academia

https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

Kimsuky's GoldDragon cluster and its C2 operations

https://www.sentinelone.com/labs/kimsuky-golddragon-cluster/

North Korean Kimsuky APT Targets Journalists

https://www.proofpoint.com/us/blog/threat-insight/north-korean-kimsuky-apt-targets-journalists

APT43: North Korean Group Combines Cybercrime and Espionage

https://cloud.google.com/blog/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage

KIMSUKY's GoldDragon cluster and its C2 operations

https://securelist.com/kimsukys-golddragon-cluster/107258/

KIMSUKY APT continues to target South Korean government using AppleSeed backdoor

https://www.malwarebytes.com/blog/news/2023/01/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor

Kimsuky's New Social Engineering Campaign

https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign/

APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations

https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage

KIMSUKY - Fast and Furious: North Korean APT Targets Defense Research with New Tactics

https://www.sentinelone.com/labs/kimsuky-fast-and-furious/

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor

North Korea's Kimsuky APT Keeps Up Pressure Against South Korea

https://www.darkreading.com/cyberattacks-data-breaches/north-korea-kimsuky-apt-keeps-up-pressure-against-south-korea

Kimsuky Targeting Academic Researchers and Think Tanks

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://blog.alyac.co.kr/category/malware-information/

Kimsuky Group: Tracking the King of Spear Phishing

https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

North Korean Kimsuky APT continues to target South Korea

https://www.sentinelone.com/labs/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

CISA AA23-032A: #StopRansomware: Kimsuky

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-032a

Microsoft: THALLIUM targets government organizations

https://www.microsoft.com/en-us/security/blog/2019/12/30/microsoft-works-to-protect-customers-from-thallium/

AhnLab: Kimsuky Group's APT Campaign Using Multi-Stage Binary Infection

https://asec.ahnlab.com/en/49525/

New Kimsuky Malware EndClient RAT: First Technical Report and IOCs

https://www.0x0v1.com/endclientrat/

Kimsuky Exploits BlueKeep RDP Vulnerability (CVE-2019-0708) - Larva-24005 Campaign

https://thehackernews.com/2025/04/kimsuky-exploits-bluekeep-rdp.html

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks

https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html

Exposed Kim Dump Exposes Kimsuky Hackers New Tactics and Infrastructure

https://teamwin.in/exposed-kim-dump-exposes-kimsuky-hackers-new-tactics-techniques-and-infrastructure/

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered

https://hunt.io/blog

The Coordinated Embassy Hunt: DPRK-linked GitHub C2 Espionage Campaign

https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://www.malwarebytes.com/blog/news/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor

DPRK Cyber Group Kimsuky Deploying New Reconnaissance Tools

https://www.sentinelone.com/labs/dprk-cyber-group-kimsuky-deploying-new-reconnaissance-tools/

North Korean APT Kimsuky Targets South Korean Government with Chrome Extension

https://www.ahnlab.com/global/en/site/securityinfo/secunews/secuNewsView.do?seq=32446

CISA Alert: AppleSeed Malware Used by Kimsuky

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-208a

Google TAG: North Korean Actors Target Security Researchers

https://blog.google/threat-analysis-group/north-korean-actors-target-security-researchers/

AhnLab: Analysis of Kimsuky Group's APT Attacks Disguised as Korean Language Questionnaires

https://asec.ahnlab.com/en/32828/

Microsoft: Springtail North Korean Threat Actor Targets Government Organizations

https://www.microsoft.com/en-us/security/blog/2021/11/18/iranian-targeting-of-it-sector-signals-continued-trend/

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://www.malwarebytes.com/blog/threat-intelligence/2024/01/kimsuky-apt-continues-to-target-south-korean-government

ANSSI: Kimsuky Group Tracking

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/

AhnLab: Kimsuky Group's Continued Activity Targeting Korea

https://asec.ahnlab.com/en/category/threat-actor/kimsuky/

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korea-using-appleseed-backdoor

Kimsuky Group: Tracking the King of Spear Phishing

https://www.sentinelone.com/labs/kimsuky-group-tracking-the-king-of-spear-phishing/

North Korea's Kimsuky APT Weaponizes Blogs for C2

https://www.darkreading.com/cyberattacks-data-breaches/north-korea-kimsuky-apt-weaponizes-blogs-c2

Microsoft - THALLIUM: Detecting a nation-state campaign

https://www.microsoft.com/en-us/security/blog/2019/12/12/thallium-detecting-a-nation-state-campaign/

CERT-NZ Advisory - Kimsuky Group: North Korean Cyber Activity

https://www.cert.govt.nz/it-specialists/advisories/kimsuky-group-north-korean-cyber-activity/

AhnLab ASEC - Kimsuky Group's APT Attacks Using Cloud Services

https://asec.ahnlab.com/en/19352/