Kimsuky

Kimsuky is a North Korean state-sponsored threat actor engaged in cyber espionage and intelligence-gathering operations in support of Pyongyang’s foreign policy and sanctions-evasion efforts. Reported aliases in the provided content include APT43, TA406, Opal Sleet, Velvet Chollima, Emerald Sleet, Thallium, Black Banshee, Cerium, Earth Imp, OSMIUM, Ruby Sleet, SharpTongue, Springtail, Sparkling Pisces, TA427, Planedown, and Konni/Konni Group. The group has targeted South Korean military and corporate entities, as well as government, healthcare, education, infrastructure, North Korean defectors, and politicians. The provided reporting also notes targeting of a German defense manufacturer and defense organizations in Brazil and Germany, and states that Kimsuky remains a persistent threat to South Korean public- and private-sector organizations. The content describes repeated reliance on spearphishing and social engineering, including spoofed security software installation pages, fake Cisco Webex meeting pages built using real meeting details from a previously compromised participant account, visa-processing and diplomatic lures, and malicious LNK-based delivery themed as password files or security emails from a South Korean credit card company. In March and April 2026 activity, Kimsuky used fake South Korean security software installers and counterfeit Webex pages to deliver the HTTPSpy RAT. ENKI reported a JSONP-based infection-verification mechanism dubbed JSONPing, in which malicious pages queried a localhost server deployed by the dropper to confirm execution and optimize delivery. The latest HTTPSpy activity described in the content used a three-stage architecture consisting of an installer, loader, and in-memory RAT. Reported capabilities include anti-analysis checks for VMware and VirtualBox, retrieval of payloads from external servers, shell command execution, screenshot capture, file manipulation, process execution, DLL injection into specified processes, self-deletion, and HTTP POST command-and-control with RC4-encrypted exfiltration. Infrastructure overlaps cited for attribution include repeated use of a default XAMPP certificate and operation within a narrow set of autonomous system numbers. Additional malware and tooling associated with Kimsuky in the provided content include HelloDoor, HttpMalice, HttpTroy, PebbleDash variants, AppleSeed, HappyDoor, and MeshAgent. HappyDoor is described as an advanced AppleSeed variant focused on data exfiltration and GPKI certificate extraction. Kaspersky reporting in the content states that Kimsuky has used Visual Studio Code tunneling, Cloudflare Quick Tunnels, DWAgent, Rust-based malware, and likely large language models in malware development. The content also attributes opportunistic exploitation of CVE-2026-21509 and CVE-2026-21510 to TA406/Opal Sleet in March and April 2026. In those campaigns, embedded OLE objects were LNK files that initiated WebDAV retrieval of secondary LNK files, which then invoked CVE-2026-21510 to execute a DLL payload. Behavioral details in the provided content further state that Kimsuky has used Base64-decoded VBScript and PowerShell, executed multiple PowerShell scripts including Invoke-Mimikatz, used JScript for logging and downloading additional tools, staged collected data under C:\Program Files\Common Files\System\Ole DB\ and structured directories under %TEMP% prior to exfiltration, deleted exfiltrated data after transmission, deleted browser cookie files after terminating browser processes, turned off Windows Security Center, hid antivirus windows from users, placed scripts in the Startup folder, modified HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce for persistence, and used browser extensions and NirSoft WebBrowserPassView to steal browser passwords and cookies, as well as tools capable of obtaining credentials from saved mail.