nickel_kimball

NICKEL KIMBALL is a North Korea-aligned espionage threat actor assessed to have operated on behalf of the North Korean government since at least 2012. It primarily targets non-governmental organizations, think tanks, diplomatic agencies, military organizations, economic groups, and research entities, particularly those involved with North Korean policy and relations. The group originally focused on South Korean organizations and later expanded to similar targets in other countries. Reported objectives include gaining access to online accounts and networks and tracking North Korean defectors and their relatives. Its operations feature extensive spearphishing, including the use of typosquatting and target-themed domains, as well as increasingly sophisticated social engineering based on research from social media and other public sources. Its tooling is described as distinct from other North Korean groups. Delivery mechanisms have included malicious Hangul Word Processing documents for South Korea-focused targeting, later evolving to Microsoft Word and PDF lures as targeting broadened internationally. Malware and tools linked to this activity include Kimsuky RAT, KimJongRAT, KONNI, BabyShark, FastFire, FireViewer, FastSpy, and ReconShark. Known aliases mentioned in the source include Kimsuky, Velvet Chollima, Black Banshee, ITG16, TA406, ARCHIPELAGO, UAT-5394, Sparking Pisces, Springtail, Larva-24005, THALLIUM, Crooked Pisces, Emerald Sleet, Opal Sleet, APT43, SharpTongue, and TA427.