^[2][3]

^[11][12][3]

^[13][6]

^[2][3][5][6]

^[5][6]

^[6]

^[14]

Kimsuky has added accounts to specific groups withnet localgroup.^[15]

Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.^[5]

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.^{[12][16][4][2][3][15][5][17]}

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.^[15]

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.^[18]Kimsuky has also leveraged Dropbox for hosting payloads and uploading victim system information.^[19]

Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.^[4]

Kimsuky has used HTTP GET and POST requests for C2.^[18]

Kimsuky has used FTP to download additional malware to the target machine.^[20]

Kimsuky has used e-mail to send exfiltrated data to C2 servers.^[4]

Kimsuky has used QuickZip to archive stolen files before exfiltration.^[18]

Kimsuky has used RC4 encryption before exfil.^[21]

Kimsuky has placed scripts in the startup folder for persistence and modified theHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.^{[21][4][22][18][15]}

Kimsuky has the ability to use form-grabbing to extract emails and passwords from web data forms.^[23]

Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.^{[1][4][18][15][5]}Kimsuky has also utilized PowerShell scripts for execution, persistence, and defense evasion.^[19]

Kimsuky has executed Windows commands by usingcmd and running batch scripts.^[18][15]

Kimsuky has used Visual Basic to download malicious payloads.^{[12][20][22][18]}Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.^[18]

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.^[4][15]

Kimsuky has used JScript for logging and downloading additional tools.^[20][4]Kimsuky has usedTRANSLATEXT, which contained four Javascript files for bypassing defenses, collecting sensitive information and screenshots, and exfiltrating data.^[23]

Kimsuky has compromised email accounts to send spearphishing e-mails.^[20][3]

Kimsuky has compromised legitimate sites and used them to distribute malware.^[15][5][17]

Kimsuky has created accounts withnet user.^[15]

Kimsuky has created new services for persistence.^[21][4]

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.^{[11][4][7][18]}

Kimsuky has collected Office, PDF, and HWP documents from its victims.^[21][18]

Kimsuky has staged collected data files underC:\Program Files\Common Files\System\Ole DB\.^[4][18]

Kimsuky has decoded malicious VBScripts using Base64.^[18]Kimsuky has also decoded malicious PowerShell scripts using Base64.^[19]

Kimsuky created and used a mailing toolkit to use in spearphishing attacks.^[20]

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.^[15][18][5]

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.^[15]

Kimsuky has set auto-forward rules on victim's e-mail accounts.^[4]

Kimsuky has leveraged stolen PII to create accounts.^[17]

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.^[15]

Kimsuky has created email accounts for phishing operations.^[15][5][6]

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.^[21]

Kimsuky has exfiltrated data over its C2 channel.^[21][18]

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.^[18]Kimsuky has also leveraged Dropbox for uploading victim system information.^[19]

Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.^[15]

Kimsuky has used RDP to establish persistence.^[4]

Kimsuky has the ability to enumerate all files and directories on an infected system.^[21][18][15]

Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.^[5][17]

Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.^[3][6][17]

Kimsuky has collected victim employee name information.^[15]

Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.^[15]Kimsuky has also used large language models (LLMs) to gather information about potential targets of interest.^[10]

Kimsuky has runreg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.^[15]

Kimsuky has used an information gathering module that will hide an AV software window from the victim.^[18]Kimsuky has also been known to use-WindowStyle Hidden to conceal PowerShell windows.^[19]

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.^[21][18]

Kimsuky has been observed disabling the system firewall.^[21]

Kimsuky has impersonated academic institutions and NGOs in order to gain information related to North Korea.^[10]

Kimsuky has deleted the exfiltrated data on disk after transmission.Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.^[21][18][15]Kimsuky has deleted files using theRemove-Item PowerShell commandlet to remove traces of executed payloads.^[19]

Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.^[2]

Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.^[18][22][19]

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.^{[1][21][4][7][18][15]}

Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.^[15]

Kimsuky has enumerated drives.^[21][18]

Kimsuky has disguised services to appear as benign software or related to operating system functions.^[4][19]

Kimsuky has renamed malware to legitimate names such asESTCommon.dll orpatch.dll.^[24]Kimsuky has also disguised payloads using legitimate file names including a PowerShell payload named chrome.ps1.^[19]

Kimsuky has used an additional filename extension to hide the true file type.Kimsuky has also masqueraded malicious LNK files as PDF objects using the double extension .pdf.lnk.^[19]

Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.^{[4][22][18][15]}

Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.^[15]

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.^[4][7]

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.^[12][20]Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.^[18]

Kimsuky has performed padding of PowerShell command line code with over 100 spaces.^[19]

Kimsuky has packed malware with UPX.^[3]

Kimsuky has encoded malicious PowerShell scripts using Base64.^[19]

Kimsuky has used the LNK icon location to execute malicious scripts.Kimsuky has also padded the LNK target field properties with extra spaces to obscure the script.^[19]

Kimsuky has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.^[19]

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew,Mimikatz, andPsExec.^[7][18][5]

Kimsuky has stolen a valid certificate that is used to sign the malware and the dropper.^[25]

Kimsuky has obtained exploit code for various CVEs.^[15]

Kimsuky has gathered credentials usingMimikatz and ProcDump.^[4][7][15]

Kimsuky has used spearphishing to gain initial access and intelligence.^[10][17]

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.^{[11][21][12][20][2][3][18][15]}Kimsuky has also distributed emails with attached compressed zip files that contained malicious .LNK files masquerading as legitimate files.^[19]

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.^[1][7][15]

Kimsuky has used tailored spearphishing emails to gather victim information including contat lists to identify additional targets.^[5]

Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.^{[20][3][15][6]}

Kimsuky can gather a list of all processes running on a victim's machine.^[18]Kimsuky has also obtained running processes on the victim device utilizing PowerShell cmdletGet-Process.^[19]

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.^[21]

Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.^[18]

Kimsuky has obtained specific Registry keys and values on a compromised host.^[18]

Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.^[5]Kimsuky has also used reflective loading through .NET assembly using[System.Reflection.Assembly]::Load.^[19]

Kimsuky has used a modified TeamViewer client as a command and control channel.^[21][22]

Kimsuky has used RDP for direct remote point-and-click access.^[7]

Kimsuky has downloaded additional malware with scheduled tasks.^[15]Kimsuky has established persistence by creating a scheduled task named "ChromeUpdateTaskMachine" through the PowerShell cmdletRegister-ScheduleTask which was set to execute another PowerShell script once, then five minutes after its creation and periodically repeat every 30 minutes.^[19]

Kimsuky has captured browser screenshots usingTRANSLATEXT.^[23]

Kimsuky has used LLMs to better understand publicly reported vulnerabilities.^[10][26]

Kimsuky has used LLMs to identify think tanks, government organizations, etc. that have information.^[10]

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.^[3]

Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.^[15]

Kimsuky has searched for information on the target company's website.^[15]

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.^[4]

Kimsuky has checked for the presence of antivirus software withpowershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct.^[15]Kimsuky has also obtained details on antivirus software through WMI queries usingWin32_OperatingSystem andSecurityCenter2.AntiVirusProduct.^[19]

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.^[11][7]

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.^[18][5][17]Kimsuky has also hosted malicious payloads on Dropbox.^[19]

Kimsuky has used malware, such asTRANSLATEXT, to steal and exfiltrate browser cookies.^[23][25]

Kimsuky has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.^[12][25]

Kimsuky has used mshta.exe to run malicious scripts on the system.^{[1][4][22][15]}

Kimsuky has executed malware withregsvr32s.^[15]

Kimsuky has usedrundll32.exe to execute malicious scripts and malware on a victim's network.^[18]

Kimsuky has enumerated OS type, OS version, and other information using a script or the "systeminfo" command.^[21][18]Kimsuky has also obtained system information such as OS type, OS version, and system type through querying various Windows Management Instrumentation (WMI) classes includingWin32_OperatingSystem.^[19]

Kimsuky has usedipconfig/all and web beacons sent via email to gather network configuration information.^[18][6]Kimsuky has also identified Host IP addresses leveraging the WMI classWin32_NetworkAdapterConfiguration.^[19]

Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.^[18]

Kimsuky has usedTRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.^[23]

Kimsuky has used tools that are capable of obtaining credentials from saved mail.^[7]

Kimsuky has used pass the hash for authentication to remote access software used in C2.^[4]

Kimsuky has lured victims into clicking malicious links.^[15]

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.^{[12][20][4][2][3][18]}Kimsuky has also lured victims with tailored filenames and fake extensions that entice victims to open LNK files.^[19]

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.^[7]

Kimsuky has usedTRANSLATEXT and a dead drop resolver to retrieve configurations and commands from a public blog site.^[23]

Kimsuky has used Blogspot pages and a Github repository for C2.^[18][23]Kimsuky has also leveraged Dropbox for downloading payloads and uploading victim system information.^[19]