APT reports

Kimsuky APT: Operation’s possible North Korean links uncovered

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian – mail.bg.
  • The compilation path string contained Korean hieroglyphs.

The complete path found in the malware presents some of the Korean strings:



The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:



We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

The Sejong Institute
The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.

Korea Institute For Defense Analyses (KIDA)
KIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA’s mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.
Ministry of Unification
The Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea Policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.
Hyundai Merchant Marine
Hyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services.


Some clues also suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) are also compromised. Among other organizations we counted, 11 are based in South Korea and two entities reside in China.

There are a lot of minimal malicious programs involved in this campaign but, strangely, they each implement a single spying function. We were able to find basic libraries that are responsible for common communication with campaign master and additional modules performing the following functions:

  • Keystroke logging
  • Directory listing collection
  • HWP document theft
  • Remote control download and execution
  • Remote control access

Clues found by us make it possible to surmise North Korean origin of the attackers. Detailed report on this campaign you can find in our article “The “Kimsuky” Operation: A North Korean APT?”.

Kimsuky APT: Operation’s possible North Korean links uncovered

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox