#kimsuky — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #kimsuky, aggregated by home.social.
-
Disclosing new PebbleDash-based tools
Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...
Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault
-
📬 Tens of thousands of ASUS routers are under outside control
#Cyberangriffe #ITSicherheit #AiCloud #AsusRouter #AyySSHush #Kimsuky #Lazarus #ORBKnoten #WrtHug https://sc.tarnkappe.info/90a693
-
Hackers Use KakaoTalk and Google Find Hub in Android Spyware Attack https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/ #ScamsandFraud #Cybersecurity #GoogleFundHub #CyberAttack #NorthKorea #SouthKorea #KakaoTalk #Security #Android #Malware #Kimsuky #APT37 #Konni
-
South Korean researchers (Genians) report that APT37 is abusing Google Find Hub to track victims and remotely wipe Android devices.
The attackers use phished Google credentials to access legitimate Find Hub functions - no exploit involved.
Google has confirmed this and advises enabling 2-Step Verification or passkeys.
Credential security remains the weakest link in most modern attacks.
#CyberSecurity #APT37 #GoogleFindHub #ThreatIntel #AndroidSecurity #InfoSec #MalwareAnalysis #Kimsuky #TechNadu
-
How the "Kim" dump exposed North Korea's credential theft playbook
#HackerNews #KimDump #NorthKorea #CredentialTheft #CyberSecurity #HackerNews #Kimsuky
-
🔥The "Kim" leak is an intelligence goldmine.
For analysts: We’ve got an unprecedented look into a DPRK threat actor's playbook. This isn't just about known tactics like credential theft and phishing. Our analysis shows a strategic pivot to include Taiwanese developer and government networks, revealing a clear geographical expansion of North Korea's cyber interests.
For defenders: We've mapped the full scope of this threat—from custom Linux rootkits to particular targets like PKI infrastructure and specific tools like NASM and ocrmypdf. Our report provides defensive recommendations and specific Indicators of Compromise (IOCs), so your team can detect and block this persistent, infrastructure-centric campaign.
Get the full technical breakdown and all the IOCs in our new post.
#ThreatIntelligence #Cybersecurity #NationStateAPT #Kimsuky #ThreatAnalysis #DFIR #InfoSec
-
Hacktivists take over the computer of a hacker working on behalf of the North Korean government. Behind the scenes of North Korean APT groups
In early 2025, two hackers using the pseudonyms "Saber" and "cyb0rg" (their identities are unknown) gained access to infrastructure that stood out for its unusual set of hacking tools. They decided to thoroughly analyse the contents of the system and monitor the hacker's actions in order to establish as many details as possible about his activity. TLDR: How it all...
#WBiegu #Apt43 #Awareness #Chiny #Haktywizm #Kimsuky #Korea #Szpiegostwo
-
The #Kimsuky divergences in #ToyBox append a new command category in toys/android/ with the following options:
- getenforce / setenforce -> Query and modify SELinux enforcement
- restorecon / runcon -> Reset or run processes under SELinux contexts
- sendevent -> Generate low-level input events (touch/keys)
- log, logwrapper -> Interface with Android’s logging system
- load_policy -> Load SELinux policies
Also include GN/Ninja integration (Google's build system) for AOSP devices.
My guess is most likely used in their Android malware development
-
North Korean hackers are running a new cyber-espionage campaign. Diplomatic missions are in the crosshairs
Researchers from the Trellix Advanced Research Center have detected a new cyber-espionage campaign aimed at diplomatic missions in various regions of South Korea. From March to July of this year, more than 19 spear-phishing attacks were observed, targeting diplomatic embassies located around the world. The same APT group is probably behind the attack. The contents of the messages...
#WBiegu #Apt #Apt43 #Awareness #Chiny #Github #Kimsuky #Korea #Szpiegowstwo #Xenorat
-
Hackers Leak 9GB of Data from Alleged North Korean Hacker’s Computer – Source:hackread.com https://ciso2ciso.com/hackers-leak-9gb-of-data-from-alleged-north-korean-hackers-computer-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #HackingNews #DDoSecrets #NorthKorea #Hackread #security #Kimsuky #cyb0rg #defcon #Phrack #Saber
-
Hackers Leak 9GB of Data from Alleged North Korean Hacker’s Computer https://hackread.com/hackers-leak-9gb-data-north-korean-hacker-computer/ #Cybersecurity #HackingNews #CyberAttack #DDoSecrets #NorthKorea #Security #Kimsuky #cyb0rg #defcon #Phrack #Saber
-
#Kimsuky C2 retailparkderventa[.]com (91[.]234[.]46[.]31) used in active ZIP+LNK+AutoIt campaign. Payloads are fetched via renamed curl.exe with basic header filtering to evade standard tools. The .lnk file contains an XOR-obfuscated decoy .hwp at offset 0x17C2. Short-lived, minimal C2 infrastructure consistent with DPRK TTPs. Targeting NGOs. #APT43 #ThreatIntel
-
The North Korean group Kimsuky is sending phishing from Russian domains
🔗 https://infoek.cz/severokorejska-skupina-kimsuky-rozesila-phishing-z-ruskych-domen-2024/
-
North Korea Hackers Linked to Breach of German Missile Manufacturer https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/ #Nation-State #DiehlDefence #NorthKorea #Phishing #Mandiant #Kimsuky #APT43
-
📬 Cyber attack on Diehl Defence: hackers target German military technology
#Cyberangriffe #ITSicherheit #APT43 #CyberAngriff #DiehlDefence #Kimsuky #Nordkorea #Spionagesoftware https://sc.tarnkappe.info/5e34ea
-
Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks – Source:thehackernews.com https://ciso2ciso.com/kimsuky-apt-deploying-linux-backdoor-gomir-in-south-korean-cyber-attacks-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Deploying #Kimsuky
-
North Korean hackers deploy ‘Durian’ malware, targeting crypto firms - The state-backed North Korean hacking group Kimsuky reportedly used a ne... - https://cointelegraph.com/news/north-korean-hackers-deploy-durian-malware-targeting-south-korean-crypto-firms #northkoreahackers #northkoreacrypto #cryptohackers #lazarusgroup #cryptohacks #kimsuky
-
APT trends report Q1 2024 – Source: securelist.com https://ciso2ciso.com/apt-trends-report-q1-2024-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #cyberespionage #MobileMalware #securelistcom #Hacktivists #APTreports #backdoor #Kimsuky #Trojan #APT
-
Happy Monday everyone! I hope everyone is doing well!
Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to its execution. Following the CHM execution, other behaviors were seen, including modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Kimsuky executes espionage campaigns through spear-phishing attacks, using malicious lure documents that, when opened, lead to the deployment of various malware families.
-
CW: Hacking, North Korea, APT, espionage
#NorthKorean #CyberSpies deploy new tactic: tricking foreign #experts into writing #research for them | #Reuters
"The #HackingGroup, which researchers dubbed #Thallium or #Kimsuky, among other names, has long used #SpearPhishing emails that trick targets into giving up passwords or clicking links that load #malware. Now, however, it also appears to simply ask #researchers or other experts to offer opinions or write #reports."
-
New spyware used by the North Korean hackers of Kimsuky has been discovered #Kimsuky, #Cybereason, #APT, #KGH_SPY https://www.securitylab.ru/news/513733.php https://twitter.com/SecurityLabnews/status/1323527845881282560/photo/1