🇰🇵 KP6 malware families

SeedpuNK

Also known asseedpunk

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration

Where they target

Geographies tied to known operations.

🇰🇷 South Korea

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

23 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics40 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1588

Obtain Capabilities

T1588.004

Digital Certificates

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

2 techniques

T1053

Scheduled Task/Job

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

2 techniques

T1027

Obfuscated Files or Information

T1027.002

Software Packing

T1218

System Binary Proxy Execution

T1218.010

Regsvr32

T1218.011

Rundll32

TA0006

Credential Access

3 techniques

T1056

Input Capture

T1056.001

Keylogging

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

TA0007

Discovery

6 techniques

T1016

System Network Configuration Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1087

Account Discovery

T1087.001

Local Account

T1518

Software Discovery

T1518.001

Security Software Discovery

TA0009

Collection

4 techniques

T1005

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1113

Screen Capture

T1560

Archive Collected Data

TA0011

Command and Control

1 technique

T1071

Application Layer Protocol

T1071.001

Web Protocols

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1567

Exfiltration Over Web Service

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

AlphaSeedOn 17 May 2023, we disclosed information about AlphaSeed, a new Go-based malware from the SeedpuNK group.1May 26, 2026

AppleSeedAppleSeed, a backdoor-type malware that was developed and used by the Kimsuky group, was first discovered in 2019 and has been circulating in various structural and functional variations since then.1May 26, 2026

BetaSeedS2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.1May 26, 2026

GoBearS2W Talon has named these malware samples BetaSeed (backdoor), AlphaSeed (backdoor), GoBear (backdoor) and Troll Stealer, respectively, based on the chronological order of their discovery.1May 26, 2026

MeterpreterAhnLab reported that the Kimsuky group has used a Go language version of Meterpreter, and subsequent discoveries include additional Go-based malware like Troll Stealer and GoBear.1May 26, 2026

1 additional family tracked in Mallory.

IOCS

Observables

37 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

37 IOCsView more in app

hash.md5

22 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+14

hash.sha256

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

Domains

3 total

••••••.com•••••••.ru••••••••.com

Email addresses

3 total

••••@•••••.••••••••@••••••.•••••••••@•••••••.•••

ip.v4

2 total

•••••••••••••••••

uri

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

virusbulletinNews

May 26, 2026

A Kimsuky subgroup associated with AppleSeed and later Go-based malware including AlphaSeed, Troll Stealer, GoBear, and BetaSeed. The content describes it as transitioning from C/C++ malware to Go, reusing AppleSeed-linked code and infrastructure, targeting South Korean public institutions, and adopting new techniques such as GPKI theft and SOCKS5-related capability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping23

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables37

Domains, IPs, and hashes tied to this actor, refreshed continuously.