Kimsuky

Actor Type: Nation State
Attributed to Nation: North Korea
Directly Linked Intrusion Sets: TA427

Kimsuky is a North Korean state-sponsored APT group that conducts cyber espionage operations against targets related to the Korean peninsula, nuclear policy, and sanctions. The intrusion set uses techniques such as spearphishing, social engineering, malicious browser extensions, and remote access tools to gain initial access and maintain persistence on victim networks.

Kimsuky also employs malware such as BabyShark, KimJongRAT, and PCRat to collect and exfiltrate data from compromised systems.

Kimsuky Threat Reports

Report: The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...

Report: TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
Blog post from Kroll which describes the exploitation of vulnerabilities in ConnectWise ScreenConnect to deploy TODDLERSHARK malware which the ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

ATT&CK ID  | Title                                      | Associated Tactics
T1055      | Process Injection                          | Defense Evasion, Privilege Escalation
T1566.001  | Spearphishing Attachment                   | Initial Access
T1059.003  | Windows Command Shell                      | Execution
T1564.001  | Hidden Files and Directories               | Defense Evasion
T1543.003  | Windows Service                            | Persistence, Privilege Escalation
T1053.005  | Scheduled Task                             | Execution, Persistence, Privilege Escalation
T1036.005  | Match Legitimate Name or Location          | Defense Evasion
T1204.002  | Malicious File                             | Execution
T1016      | System Network Configuration Discovery     | Discovery
T1547.001  | Registry Run Keys / Startup Folder         | Persistence, Privilege Escalation
T1105      | Ingress Tool Transfer                      | Command and Control
T1090      | Proxy                                      | Command and Control
T1110      | Brute Force                                | Credential Access
T1518.001  | Security Software Discovery                | Discovery
T1070.004  | File Deletion                              | Defense Evasion
T1140      | Deobfuscate/Decode Files or Information    | Defense Evasion
T1112      | Modify Registry                            | Defense Evasion
T1082      | System Information Discovery               | Discovery
T1047      | Windows Management Instrumentation         | Execution
T1005      | Data from Local System                     | Collection
T1068      | Exploitation for Privilege Escalation      | Privilege Escalation
T1562.001  | Disable or Modify Tools                    | Defense Evasion
T1033      | System Owner/User Discovery                | Discovery
T1548.002  | Bypass User Account Control                | Defense Evasion, Privilege Escalation
T1041      | Exfiltration Over C2 Channel               | Exfiltration
T1074.001  | Local Data Staging                         | Collection
T1083      | File and Directory Discovery               | Discovery
T1057      | Process Discovery                          | Discovery
T1021.001  | Remote Desktop Protocol                    | Lateral Movement
T1569.002  | Service Execution                          | Execution
T1012      | Query Registry                             | Discovery
T1027      | Obfuscated Files or Information            | Defense Evasion
T1027.010  | Command Obfuscation                        | Defense Evasion
T1218.005  | Mshta                                      | Defense Evasion
T1132.001  | Standard Encoding                          | Command and Control