Kimsuky / Velvet Chollima (also known as Velvet Chollima, Thallium, Black Banshee, TA406) is a state-sponsored advanced persistent threat group attributed to North Korea (RGB), active since 2012. The group primarily targets South Korean government, think tanks, academia, media sectors. It is tracked by MITRE ATT&CK as G0094.
Overview & Attribution
North Korean intelligence-gathering APT specializing in social engineering against South Korean policy experts, defectors, and academics with credential harvesting and custom backdoors.
Kimsuky has been active since 2012, attributed to North Korea (RGB). The group is known for targeting South Korean government, think tanks, academia, media using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: North Korea (RGB)
- Active since: 2012
- Primary targets: South Korean government, think tanks, academia, media
- Also known as: Velvet Chollima, Thallium, Black Banshee, TA406
Arsenal & Tools
Kimsuky employs a diverse arsenal of custom and shared tooling:
- BabyShark: Custom/shared tooling used in operations
- AppleSeed: Custom/shared tooling used in operations
- FlowerPower: Custom/shared tooling used in operations
- RandomQuery: Custom/shared tooling used in operations
- ReconShark: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on South Korean government, think tanks, academia, media sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
Kimsuky is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Highly targeted spearphishing |
| Initial Access | T1566.002 Phishing Link | Credential harvesting pages |
| Execution | T1059.001 PowerShell | PowerShell-based implants |
| Persistence | T1547.001 Registry Run Keys | Registry persistence |
| Credential Access | T1056.001 Keylogging | Keystroke capture |
| C2 | T1102 Web Service | Cloud service C2 |
Notable Campaigns
Kimsuky has been linked to multiple significant campaigns targeting South Korean government, think tanks, academia, media organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Kimsuky IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with BabyShark and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Kimsuky TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
Defend Against Kimsuky
Mjolnir Security provides specialized capabilities to detect and respond to Kimsuky operations.
- APT Threat Hunting Proactive hunting for Kimsuky TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of Kimsuky campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts