Cyber Threat Report: 'From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering'
This blog post from Proofpoint's Threat Research Team details the TA427 group, which they link to Kimsuky and attribute to North Korea. TA427 conducts email phishing and persistent social engineering, targeting US and South Korea foreign policy experts. According to the post, TA427 initially engages in benign conversations, rotating email aliases and spoofing personas to build rapport and gather intelligence. Since December 2023, TA427 has also exploited weak DMARC policies to spoof emails and engage targets. In February 2024, TA427 began using web beacons in emails for reconnaissance and target profiling.