Not Simon 🐐

2025

• January 22, 2025 – S2W: Kimsuky 그룹의 Babyshark 악성코드 캠페인 (Korean language, English translation: Babyshark malware campaign from Kimsuky group)
• January 20, 2025 – Scarlet Shark: Analyst’s Note — Kimsuky

2024

• December 02, 2024 – Genians: 위협 행위자 김수키의 이메일 피싱 캠페인 분석 (English translation: Analysis of Kimsuky Threat Actor's Email Phishing Campaign)
• September 27, 2024 – Der Spiegel: Nordkoreanische Hacker nahmen Rüstungskonzern Diehl ins Visier (German language, news article) (English translation: North Korean hackers targeted arms company Diehl)
• September 26, 2024 – Unit 42: Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
• September 19, 2024 – ASEC: Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP)
• September 12, 20214 – Cyfirma: APT PROFILE – KIMSUKY
• August 28, 2024 – Intrinsec: The EV Code Signature Signature Market for eCrime (PDF)
• August 21, 2024 – Cisco Talos: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
• August 07, 2024 – Resilience: APT Group Kimsuky Targets University Researchers
• July 16, 2024 – Rapid7:
  • Defending Against APTs: A Learning Exercise with Kimsuky
  • Kimsuky’s Phishing and Payload Tactics (PDF whitepaper)
• July 08, 2024 – JPERT/CC: Attack Activities by Kimsuky Targeting Japanese Organizations
• July 05, 2024 – ASEC: GitHub Repository Used by Kimsuky Threat Group
• June 27, 2024 – Zscaler: Kimsuky deploys TRANSLATEXT to target South Korean academia
• June 26, 2024 – ASEC: Kimsuky Group's New Backdoor (HappyDoor)
• May 29, 2024 – ASEC: Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
• May 27, 2024 – ASEC: SmallTiger Malware Used Against South Korean Businesses (Kimsuky and Andariel)
• May 16, 2024 – Symantec: Springtail: New Linux Backdoor Added to Toolkit
• May 10, 2024 – Genians: 페이스북과 MS관리콘솔을 활용한 Kimsuky APT 공격 발견 (한국과 일본 대상 공격 징후 포착) (Korean language, English translation: Kimsuky APT attack discovered using Facebook & MS management console (Signs of attacks targeting Korea and Japan detected))
• May 02, 2024:
  • U.S. State Department: U.S. Government Cybersecurity Alert: Democratic People’s Republic of Korea (DPRK) Using New Tactic in Social Engineering Operations
  • FBI: North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts
• April 24, 2024 – ASEC: CHM Malware Stealing User Information Being Distributed in Korea
• April 04, 2024 – Microsoft: Same targets, new playbooks: East Asia threat actors employ unique methods (Available as PDF)
• March 19, 2024 – ASEC: Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
• March 18, 2024 – Securonix: Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
• March 12, 2024 – ESTsecurity: 북 킴수키(Kimsuky) 조직의 정책 자문 위장 스피어 피싱 주의! (Korean language, English translation: Beware of spear phishing scams disguised as policy advisors from the North Korean Kimsuky organization!)
• March 05, 2024 – Kroll: TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
• February 16, 2024 – ASEC: TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
• February 14, 2024:
  • Microsoft: Staying ahead of threat actors in the age of AI
  • OpenAI: Disrupting malicious uses of AI by state-affiliated threat actors
• February 08, 2024 – ASEC: Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed)
• February 07, 2024 – S2W: Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)

2023

• December 22, 2023 – ASEC: Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed
• December 01, 2023 – ASEC: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
• November 30, 2023 – U.S. Treasury: Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group (ATTRIBUTION)
• November 21. 2023 – ASEC: Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
• November 03, 2023 – ASEC: Threat Trend Report on Kimsuky October 2023 Statistics and Major Issues (PDF)
• October 30, 2023 – Genians: 위협 분석 보고서 Kimsuky APT 그룹의 Storm 작전과 BabyShark Family 연관 분석 (PDF, Korean language, English translation: Threat Analysis Report Kimsuky APT group's Storm operation and BabyShark Family Association Anlaysis)
• October 16, 2023 – ASEC: Kimsuky Threat Group Uses RDP to Control Infected Systems
• October 06, 2023 – ASEC: Threat Trend Report on Kimsuky September 2023 Statistics and Major Issues
• September 07, 2023:
  • Microsoft: Digital threats from East Asia increase in breadth and effectiveness (Available as PDF)
  • ASEC: Threat Trend Report on Kimsuky August 2023 Statistics and Major Issues (PDF)
• September 06, 2024 – ASEC: APT Attack Disguised as a Research Paper on Russia-North Korea Partnership (Kimsuky)
• August 28, 2023 – Qihoo 360: APT-C-55（Kimsuky）组织使用韩文域名进行恶意活动 (Chinese language, English translation: APT-C-55 (Kimsuky) uses Korean domains for malicious activities)
• August 07, 2023 – ASEC: Threat Trend Report on Kimsuky July 2023 Statistics and Major Issues (PDF)
• July 25, 2023 – SOCRadar: APT Profile: Kimsuky
• June 28, 2023 – ASEC: 크롬 원격 데스크톱을 악용하는 Kimsuky 공격 그룹 (Korean language, English translation: Kimsuky Attack Group Exploits Chrome Remote Desktop)
• June 26, 2023 – ESTsecurity: 킴수키(Kimsuky)조직의 'Mail Online Security' 프로그램 위장 공격 주의! (Korean language, English translation: Beware of Kimsuky's 'Mail Online Security' program disguised as an attack!)
• June 16, 2023 – ASEC:
  • Malware Disguised as HWP Document File (Kimsuky)
  • Kimsuky Distributing CHM Malware Under Various Subjects
• June 06, 2023 – SentinelOne: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
• June 01, 2023:
  • U.S. State Department: U.S. and ROK Agencies Cybersecurity Alert: The Democratic People’s Republic of Korea (DPRK) Social Engineering Campaigns Targeting Think Tanks, Academia, and News Media
  • NSA: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media (PDF)
• May 23, 2023 – SentinelOne: Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit
• May 17, 2023 – S2W: Detailed Analysis of AlphaSeed, a new version of Kimsuky's AppleSeed written in Golang
• May 16, 2023 – ASEC: Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel
• May 04, 2023 – SentinelOne: Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
• March 29, 2023 – ASEC: February 2023 Threat Trend Report on Kimsuky Group (PDF)
• March 28, 2023 – Mandiant: APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (ATTRIBUTION, available as PDF)
• March 23, 2023 – ASEC: Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub)
• March 20, 2023:
  • NCSC-KR: 김수키 해킹조직의 구글 브라우저 및 앱 스토어 서비스 악용 공격 주의 (Korean language, English translation: Beware of Google Browser and App Store Service Exploitation Attacks by Kimsuky Hacking Group) (Available as PDF)
  • ASEC: OneNote Malware Disguised as Compensation Form (Kimsuky)
• March 17, 2023 – S2W: Kimsuky group appears to be exploiting OneNote like the cybercrime group
• March 15, 2023 – ESTsecurity: 킴수키(Kimsuky)조직, '협의 이혼 의사 확인 신청서'를 위장한 QuasarRAT 유포 중! (Korean language, English translation: Kimsuky Organization Distributing QuasarRAT Disguised as 'Confirmation of Intention to Divorce'!)
• March 14, 2023 – ESTsecurity: 킴수키(Kimsuky), '사이버 안전국' 메일을 위장한 해킹 시도! (Korean language, English translation: Kimsuky, Hacking Attempt Disguised as 'Cyber ​​Security Agency' Email!)
• March 08, 2023 – ASEC: CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
• March 03, 2023 – ESTsecurity: 김수키(Kimsuky)조직, 비건 미국무부 부장관 서신 내용으로 위장한 APT 공격 수행 (Korean language, English translation: Kimsuky Organization Carries Out APT Attack Disguised as Letter from US Deputy Secretary of State Biegun)
• February 03, 2023 – ASEC: Malware Disguised as Normal Documents (Kimsuky)
• January 13, 2023 – ESTsecurity: 김수키(Kimsuky)조직, 카카오 피싱 공격 진행 중 (Korean language, English translation: Kimsuky Organization, Kakao Phishing Attack in Progress)

2022

• November 04, 2022 – WithSecure: No Pineapple! –DPRK Targeting of Medical Research and Technology Sector (Available as a PDF)
• October 24, 2022 – S2W: Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
• August 26, 2022 – ESTsecurity: 김수키(Kimsuky) 그룹, 러시아 외무부를 타겟으로 공격 진행중! (Korean language, English translation: Kimsuky Group is in the process of launching an attack targeting the Russian Foreign Ministry!)
• August 25, 2022 – Kaspersky: Kimsuky’s GoldDragon cluster and its C2 operations
• August 08, 2022 – Walmart Global Tech: Pivoting on a SharpExt to profile Kimsuky panels for great good
• July 28, 2022 – Volexity: SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
• July 26, 2022 – ASEC: Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)
• March 01, 2022 – Huntress: Targeted APT Activity: BABYSHARK Is Out for Blood
• February 16, 2022 – ESTsecurity: 디지털 자산 지갑 서비스 고객센터로 위장한 北 연계 APT 공격 발견! (Korean language, English translation: North Korea-linked APT attack disguised as a digital asset wallet service customer center discovered!)
• February 14, 2022 – ASEC: APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

2021

• December 21, 2021 – ASEC: APT Attack Cases of Kimsuky Group (PebbleDash)
• November 19, 2021 – Qihoo 360: 疑似APT-C-55（Kimsuky）组织利用商业软件Web Browser Password Viewer进行攻击 (Chinese language, English translation: APT-C-55 (Kimsuky) organization suspected to use commercial software Web Browser Password Viewer to attack)
• November 18, 2021 – Proofpoint: Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals (Available as PDF)
• November 16, 2021 – ASEC: Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
• November 10, 2021 – Cisco Talos: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
• October 25, 2021 – Microsoft: Microsoft Digital Defense Report OCTOBER 2021 (PDF)
• June 03, 2021 – Cyble: Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program
• June 01, 2021 – Malwarebyres: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
• May 06, 2021 – QiAnXin: 疑似Kimsuky APT组织利用韩国外交部为诱饵的攻击活动分析 (Chinese language, English translation: Analysis of the suspected Kimsuky APT group's attack activities using the South Korean Ministry of Foreign Affairs as bait)
• May 05, 2021 – Qihoo 360: Kimsuky APT组织使用新型的AppleSeed Android组件伪装成安全软件对韩特定目标进行攻击 (Chinese language, English translation: Kimsuky APT uses new AppleSeed Android component disguised as security software to attack specific targets in South Korea)
• March 26, 2021 – Qihoo 360: Kimsuky组织网络攻击活动追溯分析报告 (Chinese language, English translation: Kimsuky Organization Cyber ​​Attack Activity Tracing Analysis Report)
• March 04, 2021 – United Nations Security Council: Final report of the Panel of Experts (PDF) (ATTRIBUTION)

2020

• November 22, 2020 – ESTsecurity: [스페셜 리포트] 탈륨(김수키)과 코니 APT 그룹의 연관관계 분석 Part3 (Korean language, English translation: [Special Report] Analysis of the relationship between Thallium (Kimsuky) and the Konni APT Group Part 3)
• November 02, 2020 – Cybereason: Back to the Future: Inside the Kimsuky KGH Spyware Suite
• October 27, 2020 – CISA: North Korean Advanced Persistent Threat Focus: Kimsuky (Available as a PDF)
• September 30, 2020 – PwC:
  • To catch a Banshee: how Kimsuky’s tradecraft betrays its complementary campaigns and mission
  • To catch a Banshee (PowerPoint slides) (PDF)
• July 25, 2020 ESTsecurity: [스페셜 리포트] 미국 MS가 고소한 탈륨 그룹, 대한민국 상대로 '페이크 스트라이커' APT 캠페인 위협 고조 (Korean language, English translation: [Special Report] Thallium Group, Sued by US MS, Raises Threat of ‘Fake Striker’ APT Campaign Against South Korea)
• July 02, 2020 – IBM: Recent Activity from ITG16, a North Korean Threat Group
• June 30, 2020 – ESTsecurity: 김수키(탈륨) 조직, 코로나19 테마와 WSF 파일 기반 공격 주의 (Korean language, English translation: Kimsuky (Thallium) Organization, Beware of COVID-19 Theme and WSF File-Based Attacks)
• June 19, 2020 – ESTsecurity: 탈륨조직, 청와대 보안 이메일로 사칭한 APT 공격 수행 (Korean language, English translation: Thallium Organization Carries Out APT Attacks Impersonating Blue House Security Email)
• June 11, 2020 – ESTsecurity: 김수키(Kimsuky) APT 그룹, 과거 라자루스(Lazarus) doc 공격 방식 활용 (Korean language, English translation: Kimsuky APT group uses past Lazarus doc attack methods)
• June 02, 2020 – ESTsecurity: 김수키(Kimsuky) 그룹, HWP, DOC, EXE 복합적 APT 공격 작전 (Korean language, English translation: Kimsuky Group, HWP, DOC, EXE Complex APT Attack Operation)
• May 29, 2020 – ESTsecurity: '북한 내 코로나19 상황 인터뷰' 문건으로 사칭한 김수키 APT 공격 주의! (Korean language, English translation: Beware of KimsukyAPT attack disguised as 'Interview on COVID-19 situation in North Korea'!)
• May 27, 2020 – ESTsecurity: 핵 이슈를 다루는 학술 연구재단을 사칭한 Konni 조직의 새로운 APT 공격 (Korean language, English translation: New APT attack by Konni group impersonating academic research foundation dealing with nuclear issues)
• April 10, 2020 – ESTsecurity: 김수키(Kimsuky)조직, 21대 국회의원 선거문서로 사칭한 스모크 스크린 APT 공격 수행 (Korean language, English translation: Kimsuky Organization Conducts Smoke Screen APT Attack Disguised as 21st National Assembly Election Document)
• March 28, 2020 – ESTsecurity: '코로나19' 내용으로 가장한 김수키(Kimsuky) 조직의 스모크 스크린 APT 공격 주의! (Korean language, English translation: Beware of Smoke Screen APT Attacks by Kimsuky Organization Disguised as 'Corona 19' Content!)
• March 23, 2020 – ESTsecurity: 국방부 출신 이력서를 위장한 김수키(Kimsuky) 조직의 '블루 에스티메이트 Part7' APT 공격 주의 (Korean language, English translation: Beware of the 'Blue Estimate Part 7' APT attack by the Kimsuky organization disguised as a Ministry of National Defense resume)
• March 21, 2020 – ESTsecurity: 김수키(Kimsuky)조직, 코로나 바이러스 이슈를 악용하여 MacOS MS오피스 사용자를 타겟으로 진행중인 APT 공격 주의! (Korean language, English translation: Beware of APT attacks targeting MacOS MS Office users by the Kimsuky organization, exploiting the coronavirus issue!)
• March 09, 2020 – PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2 (Archive of dead link)
• March 02, 2020 – ESTsecurity: 이력서로 위장한 김수키(Kimsuky) 조직의 '블루 에스티메이트 Part5' APT 공격 주의 (Korean language, English translation: Beware of the 'Blue Estimate Part 5' APT attack by the Kimsuky organization disguised as a resume)
• February 18, 2020 – PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1 (Archive of dead link)
• February 06, 2020 – ESTsecurity: 김수키(Kimsuky) 조직, 실제 주민등록등본 파일로 둔갑한 '블루 에스티메이트 Part3' APT 공격 주의 (Korean language, English translation: Kimsuky Organization, Beware of 'Blue Estimate Part 3' APT Attack Disguised as Real Resident Registration Copy File)
• January 14, 2020 – ESTsecurity: ‘통일외교안보특보 발표문건’ 사칭 APT 공격… 김수키(Kimsuky) 조직 소행 (Korean language, English translation: APT attack impersonating ‘Unification, Foreign Affairs, and Security Special Advisor Announcement Document’… Kimsuky Organization’s work)

2019

• December 30, 2019 – Microsoft: Microsoft takes court action against fourth nation-state cybercrime group
• October 17, 2019 – ESTsecurity: 김수키(Kimsuky) 조직 소행 추정 ‘대북 분야 국책연구기관’ 사칭 스피어피싱 공격 발견 (Korean language, English translation: Spear phishing attack impersonating ‘national research institute in the North Korea field’ suspected to be by Kimsuky organization discovered)
• October 01, 2019 – ESTsecurity: 코니(Konni) APT 조직, HWP 취약점을 이용한 'Coin Plan' 작전 감행 (Korean language, English translation: Konni APT Group Conducts 'Coin Plan' Operation Using HWP Vulnerability)
• September 27, 2019 – ESTsecurity: 북한 파일명으로 보고된 Kimsuky 조직의 '스모크 스크린' PART 3 (Korean language, English translation: Kimsuky Organization's 'Smoke Screen' Reported by North Korean File Name PART 3)
• August 24, 2019 – ESTsecurity: 코니(Konni) APT 조직, 안드로이드 스파이 활동과 김수키 조직 유사성 분석 (Korean language, English translation: Analysis of Similarities Between Konni APT Organization, Android Spying Activities, and Kimsuky Organization)
• June 27, 2019 – ESTsecurity: 비트코인 1,500만원 돌파하면서 김수키(Kimsuky) APT 공격 중 (Korean language, English translation: Kimsuky APT Attack in Progress as Bitcoin Surpasses 15 Million Won)
• June 10, 2019 – ESTsecurity: [스페셜 리포트] APT 캠페인 'Konni' & 'Thallium(Kimsuky)' 조직의 공통점 발견 (Korean language, English translation: [Special Report] Commonalities Discovered Between APT Campaigns 'Konni' & 'Thallium (Kimsuky)' Organizations)
• May 28, 2019 – ESTsecurity:
  • 김수키 조직, 사이버 안전국 암호화폐 민원안내로 사칭해 APT 공격 수행 (Korean language, English translation: Kimsuky's organization impersonates the Cyber ​​Security Bureau's cryptocurrency civil affairs office to carry out APT attacks)
  • 김수키 조직, 한국 암호화폐 거래소 이벤트 사칭 APT 공격 발생 (Korean language, English translation: Kimsuky Organization, APT Attack Impersonating Korean Cryptocurrency Exchange Event)
• May 21, 2019 – ESTsecurity: 김수키(Kimsuky) 2차 북미정상회담 좌담회 사칭 APT 공격, '작전명 라운드 테이블' (Korean language, English translation: Kimsuky 2nd North American Summit Roundtable Discussion Impersonation APT Attack, 'Operation Name Roundtable')
• May 20, 2019 – ESTsecurity: 김수키 조직, 한국을 겨냥한 '페이크 스트라이커' APT 작전 개시 (Korean language, English translation: Kim Soo-ki Organization Launches 'Fake Striker' APT Operation Targeting Korea)
• May 13, 2019 – ESTsecurity: 암호화된 APT 공격, Kimsuky 조직의 '스모크 스크린' PART 2 (Korean language, English translation: Encrypted APT Attacks, Kimsuky Organization's 'Smoke Screen' PART 2)
• April 26, 2019 – Unit 42: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
• April 17, 2019 – ESTsecurity: 한ㆍ미 겨냥 APT 캠페인 '스모크 스크린' Kimsuky 실체 공개 (아웃소싱 공격) (Korean language, English translation: APT campaign targeting Korea and the US 'Smoke Screen' Kimsuky's true identity revealed (outsourcing attack))
• April 03, 2019 – ESTsecurity: 김수키(Kimsuky) 조직, 스텔스 파워(Operation Stealth Power) 침묵 작전 (Korean language, English translation: Kimsuky Organization, Operation Stealth Power Silence Operation)
• February 22, 2019 – Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks

2018

• June 19, 2018 – ESTsecurity: 김수키(Kimsuky) APT조직, 미북 정상회담 전망 및 대비 문서로 공격 (Korean language, English translation: Kimsuky APT Organization Attacks with Documents on US-North Korea Summit Outlook and Preparation)
• May 28, 2018 – ESTsecurity: 판문점 선언 관련 내용의 문서로 수행된 '작전명 원제로(Operation Onezero)' APT 공격 분석 (Korean language, English translation: Analysis of APT attack 'Operation Onezero' conducted with documents related to the Panmunjom Declaration)
• April 19, 2018 – ESTsecurity: 2010년 해외 대상 APT 공격자, 오퍼레이션 베이비 코인(Operation Baby Coin)으로 한국 귀환 (Korean language, English translation: 2010 Overseas APT Attacker Returns to Korea with Operation Baby Coin)
• February 12, 2018 – ESTsecurity: 오퍼레이션 김수키(Kimsuky)의 은밀한 활동, 한국 맞춤형 APT 공격은 현재 진행형 (Korean language, English translation: Operation Kimsuky's covert activities, Korea-tailored APT attacks are currently ongoing)
• February 02, 2018 – McAfee: Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

2013

• September 11, 2013 – Kaspersky: The “Kimsuky” Operation: A North Korean APT?