S0526: KGH_SPY
Analyst context for executives and security teams
KGH_SPY matters because ATT&CK describes it as a Windows-focused modular tool suite with reconnaissance, information-stealing, backdoor, credential-access, collection, and exfiltration behaviors. For leaders, the key issue is not the malware name alone; it is whether endpoint, identity, email, and network teams can prove they would see a Windows host moving from user-executed file to discovery, credential collection, local data staging, and outbound web-based command-and-control/exfiltration activity.
Executive priority
Prioritize this as a readiness check for espionage-style intrusion response: sensitive email, browser-stored credentials, Windows Credential Manager data, and local files are all in scope based on mapped ATT&CK relationships. Executives should ask whether SOC coverage, incident response playbooks, and audit evidence can show monitoring for credential theft, local email collection, persistence via Windows logon scripts, and outbound data movement over common web protocols.
Technical view
ATT&CK provides no official detection text for KGH_SPY, so coverage should be validated behaviorally against its mapped techniques on Windows. Focus on malicious file execution, PowerShell and cmd execution, file/directory/software/storage discovery, access to local email and credential stores, encoded or decoded artifacts, local data staging, ingress tool transfer, logon script persistence via HKCU\Environment\UserInitMprLogonScript, and C2/exfiltration over web protocols. Relationship context states Kimsuky uses this malware; use that as threat-intelligence context, not as proof of local exposure.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell and Windows Command Shell
- PowerShell logging where enabled, including script/module activity relevant to execution and decoding
- Windows Registry monitoring for logon script persistence paths such as HKCU\Environment\UserInitMprLogonScript
- File telemetry for creation, rename, staging directories, encoded/encrypted files, and access to sensitive local files
- Access events involving browser credential stores, Windows Credential Manager-related locations, and local Outlook/email data stores
Detection direction
- Build detections around technique chains rather than the malware name: user-opened file followed by PowerShell/cmd, discovery, credential-store access, staging, and outbound web traffic is more useful than a single signature.
- Tune for legitimate administrator and software-management activity, especially PowerShell/cmd, software discovery, and file enumeration, to avoid excessive false positives.
- Validate visibility into local credential and email collection behaviors; many environments log process execution but not sensitive file access well enough for investigation.
- Monitor logon script registry changes and correlate them with unusual parent processes or newly introduced files.
- Inspect outbound web traffic patterns for unusual destinations, timing, volume, or host/process correlation, recognizing that ATT&CK notes use of web protocols can blend with normal traffic.
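An added example (not part of the ATT&CK object or Glexia's tooling) of the technique-chain approach described above: a small Python correlator that maps constructed Windows endpoint events to the techniques this page lists for KGH_SPY and flags a host only when several of them co-occur, so a lone PowerShell launch by an administrator does not alert. Event field names and the office parent-process list are assumptions.

```python
# Added example: technique-chain correlation over constructed endpoint events.
# Event shapes (type/host/image/parent/key/path/method/port) are assumed.
from collections import defaultdict

LOGON_SCRIPT_KEY = r"HKCU\Environment\UserInitMprLogonScript"   # T1037.001
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}   # T1204.002 (assumed)
SHELLS = {"powershell.exe", "cmd.exe"}                          # T1059.001 / T1059.003

def classify(ev):
    """Return the ATT&CK technique ID one raw event evidences, or None."""
    kind = ev["type"]
    if kind == "process":
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if image in SHELLS and parent in OFFICE_PARENTS:
            return "T1204.002"          # user-opened document spawned a shell
        if image in SHELLS:
            return "T1059.001" if image == "powershell.exe" else "T1059.003"
    elif kind == "registry" and ev["key"].lower() == LOGON_SCRIPT_KEY.lower():
        return "T1037.001"              # logon script persistence key written
    elif kind == "file" and ev["path"].lower().endswith("\\info"):
        return "T1074.001"              # staging file named "info"
    elif kind == "network" and ev.get("method") == "POST" and ev["port"] in (80, 443):
        return "T1071.001"              # HTTP POST to C2 over web protocols
    return None

def correlate(events, min_techniques=3):
    """Group technique hits per host; flag hosts whose chain spans at least
    min_techniques distinct behaviours (default 3) rather than any single hit."""
    hits = defaultdict(set)
    for ev in events:
        technique = classify(ev)
        if technique:
            hits[ev["host"]].add(technique)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_techniques}

# Constructed sample telemetry: one suspicious host, one noisy but benign admin host.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"host": "WS01", "type": "registry", "key": LOGON_SCRIPT_KEY, "value": "cmd.exe /c PLACEHOLDER"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\AppData\Local\Temp\info"},
    {"host": "WS01", "type": "network", "method": "POST", "port": 80},
    {"host": "ADM02", "type": "process", "image": "powershell.exe", "parent": "explorer.exe"},
    {"host": "ADM02", "type": "network", "method": "POST", "port": 443},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # only WS01 is flagged
```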
Mitigation priorities
- Reduce user-executed malicious file risk through attachment handling, safe document controls, and user reporting workflows.
- Harden and monitor PowerShell and cmd usage with least privilege, script control, and centralized logging appropriate to the environment.
- Protect credential stores by limiting local credential retention where practical and enforcing credential hygiene, privileged access controls, and rapid credential reset procedures during IR.
- Monitor and restrict persistence mechanisms such as Windows logon scripts, especially user-writable registry locations.
- Apply egress controls and proxy logging for outbound web protocols so C2, tool transfer, and exfiltration investigations have evidence.
Analyst notes and limits
The supplied ATT&CK object identifies KGH_SPY as a modular suite used by Kimsuky and maps it to multiple discovery, collection, credential-access, execution, persistence, command-and-control, and exfiltration techniques. The most defensible Glexia position is to use it as a validation scenario for Windows endpoint and network monitoring, especially around sensitive local data and credentials.
No official ATT&CK detection text, aliases, labels, or malware-level tactics were supplied. The assessment is limited to the official description, external reference, and provided relationships. Local exposure, exploitability, detection coverage, and business impact require environment-specific telemetry and asset context.
KGH_SPY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | KGH_SPY has masqueraded as a legitimate Windows tool. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | KGH_SPY has the ability to set a Registry key to run a cmd.exe command. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | KGH_SPY has been spread through Word documents containing malicious macros. [1] |
| Enterprise | T1037.001 | Logon Script (Windows) Sub-technique | KGH_SPY has the ability to set the |
| Enterprise | T1105 | Ingress Tool Transfer | KGH_SPY has the ability to download and execute code from remote servers. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | KGH_SPY can send data to C2 with HTTP POST requests. [1] |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | KGH_SPY can harvest data from mail clients. [1] |
| Enterprise | T1083 | File and Directory Discovery | KGH_SPY can enumerate files and directories on a compromised host. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | KGH_SPY can exfiltrate collected information from the host to the C2 server. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | KGH_SPY has used encrypted strings in its installer. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | KGH_SPY can execute PowerShell commands on the victim's machine. [1] |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | KGH_SPY can collect credentials from the Windows Credential Manager. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | KGH_SPY can save collected system information to a file named "info" before exfiltration. [1] |
| Enterprise | T1518 | Software Discovery | KGH_SPY can collect information on installed applications. [1] |
| Enterprise | T1680 | Local Storage Discovery | KGH_SPY can collect drive information from a compromised host. [1] |
| Enterprise | T1005 | Data from Local System | KGH_SPY can send a file containing victim system information to C2. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | KGH_SPY can perform keylogging by polling the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KGH_SPY can decrypt encrypted strings and write them to a newly created folder. [1] |
| Enterprise | T1555 | Credentials from Password Stores | KGH_SPY can collect credentials from WINSCP. [1] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3aea1d055ac1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason Kimsuky November 2020. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
[2] mitre-attack S0526.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.