Apt Down – The North Korea Files
13 hours ago
- #APT
- #Kimsuky
- #CyberEspionage
- The article "APT Down – The North Korea Files" analyzes data recovered from a North Korean APT operator's workstation, believed to belong to the Kimsuky group.
- The dump includes backdoors, tools, internal documentation, and evidence of cooperation with Chinese APTs.
- Kimsuky targets think tanks, industry, nuclear power operators, and government entities for espionage.
- The article is divided into three parts: dumps (log files, history files, password lists), backdoors and tools, and OSINT on the threat actor.
- Evidence shows attacks against the Defense Counterintelligence Command (DCC), the South Korean Ministry of Foreign Affairs, and an internal South Korean government network.
- Tools analyzed include Generator (phishing tool), TomCat remote Kernel Backdoor, Private Cobalt Strike Beacon, Android Toybox, Ivanti Control (RootRot-NG), Bushfire, and Spawn Chimera.
- The threat actor's origin IP was traced to Singapore, with operational relay boxes possibly located in China and Hong Kong.
- Kimsuky's activities include spear-phishing campaigns, credential theft, and exploitation of vulnerabilities such as CVE-2025-0282, CVE-2025-0283, and CVE-2025-22457.
- The article highlights Kimsuky's strict office hours (09:00 to 17:00 Pyongyang time) and the operator's possible Chinese affiliation despite working for North Korea.
- Fun facts include failed domain purchases, sloppy domain usage, and visible email addresses in SOA records.