G0094: Kimsuky

Kimsuky has utilized the Sleep function to ensure execution of scripts.CitationGen Digital Kimsuky HTTPTroy October 2025CitationAryaka Kimsuky July 2025

Kimsuky has collected Office, PDF, and HWP documents from its victims.[11]CitationTalos Kimsuky Nov 2021 Kimsuky has also harvested victim files through the use of the `RecentFiles()` function that collects paths of recently accessed files by parsing .lnk shortcuts from `%APPDATA%\Microsoft\Windows\Recent`.CitationAryaka Kimsuky July 2025

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.CitationKISA Operation MuzabiCitationTalos Kimsuky Nov 2021[5]

Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.[5]

Kimsuky has used RDP for direct remote point-and-click access.[7]

Kimsuky has created email accounts for phishing operations.CitationKISA Operation Muzabi[5][6]

Kimsuky has used spearphishing to gain initial access and intelligence.[10][5]

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.[11]CitationTalos Kimsuky Nov 2021

Kimsuky has used spearphishing attachments to entice victims into opening malicious files, including LNK files disguised with tailored filenames and fake extensions.[13]CitationVirusBulletin Kimsuky October 2019[4][2][3]CitationTalos Kimsuky Nov 2021CitationNaumaanProofpoint_GlobalClickFix_April2025 Kimsuky has also delivered malicious payloads within archive files (e.g., ZIP), which display decoy documents upon execution while running malicious code in the background.CitationGen Digital Kimsuky HTTPTroy October 2025

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[4][7]

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[1][7]CitationKISA Operation Muzabi

Kimsuky has collected credentials from a fake Google account login page.CitationFBI_KimsukyQR_Jan2026

Kimsuky has used malware, such as TRANSLATEXT, to steal and exfiltrate browser cookies.CitationZscaler Kimsuky TRANSLATEXTCitationS2W Troll Stealer 2024

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.[7]CitationTalos Kimsuky Nov 2021[5]

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[7]

Kimsuky has exfiltrated data to C2 servers using an automated script that executes every 10 minutes and after successful checks for the presence of pre-designated staged filenames.CitationAryaka Kimsuky July 2025

Kimsuky has decoded malicious VBScripts using Base64.CitationTalos Kimsuky Nov 2021 Kimsuky has also decoded malicious PowerShell scripts using Base64.CitationSecuronix Kimsuky February 2025CitationAryaka Kimsuky July 2025 Kimsuky has decoded RC4 obfuscated files prior to downloading files from their infrastructure.CitationAryaka Kimsuky July 2025

Kimsuky has leveraged ClickFix type tactics enticing victims to copy and paste malicious code.CitationNaumaanProofpoint_GlobalClickFix_April2025

Kimsuky has encoded malicious PowerShell scripts using Base64.CitationSecuronix Kimsuky February 2025

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.CitationTalos Kimsuky Nov 2021[5] Kimsuky has also hosted malicious payloads on Dropbox.CitationSecuronix Kimsuky February 2025

Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.CitationTalos Kimsuky Nov 2021CitationCrowdstrike GTR2020 Mar 2020CitationSecuronix Kimsuky February 2025CitationAryaka Kimsuky July 2025

Kimsuky created and used a mailing toolkit to use in spearphishing attacks.CitationVirusBulletin Kimsuky October 2019

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.CitationTalos Kimsuky Nov 2021 Kimsuky has also leveraged Dropbox for uploading victim system information.CitationSecuronix Kimsuky February 2025

Kimsuky has used tailored spearphishing emails to gather victim information including contat lists to identify additional targets.[5]

Kimsuky has also impersonated legitimate people, such as a foreign advisor, an embassy employee, and a think tank employee.CitationFBI_KimsukyQR_Jan2026 Kimsuky has also purported to be a Japanese diplomat to communicate with the victims.CitationNaumaanProofpoint_GlobalClickFix_April2025

Kimsuky has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.[13]CitationS2W Troll Stealer 2024

Kimsuky has disguised services to appear as benign software or related to operating system functions.[4]CitationSecuronix Kimsuky February 2025

Kimsuky has the ability to steal data from the clipboard.CitationAryaka Kimsuky July 2025

Kimsuky has leveraged Component Object Model (COM) to create scheduled tasks to include using naming conventions that mimic legitimate applications.CitationGen Digital Kimsuky HTTPTroy October 2025 Kimsuky has leveraged obfuscation VBScript to form a string in `WScript.Shell` which has downloaded a malicious payload to the victim environment.CitationAryaka Kimsuky July 2025

Kimsuky has used Blogspot pages and a Github repository for C2.CitationTalos Kimsuky Nov 2021CitationZscaler Kimsuky TRANSLATEXT Kimsuky has also leveraged Dropbox for downloading payloads and uploading victim system information.CitationSecuronix Kimsuky February 2025

Kimsuky has disabled actively running virtual environments using the `KillMe` function to include VMware, Microsoft Hypervisors, and VirtualBox.CitationAryaka Kimsuky July 2025

Kimsuky has collected sensitive browser data using the function `GetBrowserData()` to include login credentials, bookmarks, cookies, and encryption keys.CitationAryaka Kimsuky July 2025

Kimsuky has lured victims into clicking malicious links.CitationKISA Operation Muzabi

Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.CitationKISA Operation Muzabi

Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.CitationKISA Operation Muzabi

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.[3]

Kimsuky has leveraged dynamic API resolution using custom hashing techniques.CitationGen Digital Kimsuky HTTPTroy October 2025

Kimsuky has obfuscated code within files by converting hexadecimal strings to decimal numbers using the `CLng function` in combination with processing arithmetic operations and leveraging the `Chr function` to generate readable characters.CitationAryaka Kimsuky July 2025 Kimsuky has also encoded files with Base64 and RC4.CitationAryaka Kimsuky July 2025 Kimsuky has utilized XOR and RC4 to encode malicious payloads.CitationGen Digital Kimsuky HTTPTroy October 2025

Kimsuky has leveraged stolen PII to create accounts.[5]

Kimsuky has collected victim employee name information.CitationKISA Operation Muzabi

Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.CitationTalos Kimsuky Nov 2021CitationAryaka Kimsuky July 2025

Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.CitationKISA Operation Muzabi

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[14][7]

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.[11]CitationTalos Kimsuky Nov 2021CitationKISA Operation Muzabi Kimsuky has deleted files using the `Remove-Item` PowerShell commandlet to remove traces of executed payloads.CitationSecuronix Kimsuky February 2025 Kimsuky has also removed remnants of files used for delivery to include .log and .zip files.CitationAryaka Kimsuky July 2025

Kimsuky has used a modified TeamViewer client as a command and control channel.[11]CitationCrowdstrike GTR2020 Mar 2020

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.CitationKISA Operation Muzabi

Kimsuky has accessed a Local State files associated with Chromium-based browsers that contain the AES key used to encrypt passwords stored in the browser to include `app_bound_encrypted_key`.CitationAryaka Kimsuky July 2025

Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.[5] Kimsuky has also used reflective loading through .NET assembly using `[System.Reflection.Assembly]::Load`.CitationSecuronix Kimsuky February 2025

Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.CitationKISA Operation Muzabi

Kimsuky has searched for information on the target company's website.CitationKISA Operation Muzabi

Kimsuky has executed Windows commands by using `cmd` and running batch scripts.CitationTalos Kimsuky Nov 2021CitationKISA Operation Muzabi Kimsuky has also used `cmd.exe` to automatically open downloaded decoy pdf documents with the system’s default PDF viewer.CitationAryaka Kimsuky July 2025 Kimsuky has utilized malicious payloads to create reverse shells within the victim environment.CitationGen Digital Kimsuky HTTPTroy October 2025 Kimsuky has also used batch scripts to eventually run QuasarRAT.CitationNaumaanProofpoint_GlobalClickFix_April2025

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.[13]CitationZdnet Kimsuky Group September 2020[4][2][3]CitationKISA Operation Muzabi[5]

Kimsuky has obtained specific Registry keys and values on a compromised host.CitationTalos Kimsuky Nov 2021

Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.CitationKISA Operation Muzabi Kimsuky has also used large language models (LLMs) to gather information about potential targets of interest.[10]

Kimsuky has used HTTP GET and POST requests for C2.CitationTalos Kimsuky Nov 2021CitationAryaka Kimsuky July 2025

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.CitationKISA Operation Muzabi

Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.[5]

Kimsuky has created accounts with net user.CitationKISA Operation Muzabi

Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.CitationTalos Kimsuky Nov 2021

Kimsuky has used Dynamic DNS (DDNS) services, such as FreeDNS or No-IP DDNS, to include servers located in South Korea.CitationNaumaanProofpoint_GlobalClickFix_April2025

Kimsuky has performed padding of PowerShell command line code with over 100 spaces.CitationSecuronix Kimsuky February 2025

Kimsuky has compromised email accounts to send spearphishing e-mails.CitationVirusBulletin Kimsuky October 2019[3]

Kimsuky has used RC4 encryption before exfil.[11]

Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.[2]

Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.CitationVirusBulletin Kimsuky October 2019[3]CitationKISA Operation Muzabi[6] Kimsuky has also utilized QR codes (also known as Quishing) to direct victims to malicious links through the reliance of a mobile device to scan a code with an embedded malicious URL.CitationEnkiWhiteHat_KimsukyDOCSWAP_Dec2025CitationFBI_KimsukyQR_Jan2026

Kimsuky has used the LNK icon location to execute malicious scripts.CitationAryaka Kimsuky July 2025 Kimsuky has also padded the LNK target field properties with extra spaces to obscure the script.CitationSecuronix Kimsuky February 2025

Kimsuky has used LLMs to better understand publicly reported vulnerabilities.[10]CitationOpenAI-CTI

Kimsuky has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.CitationSecuronix Kimsuky February 2025

Kimsuky has used pass the hash for authentication to remote access software used in C2.[4]