Kimsuky’s Phishing and Payload Tactics
WHITE PAPER
Matthew Green - Principal Threat Analyst
Natalie Zargarov - Senior Security Researcher
Anna Širokova - Security Researcher, Threat Analytics
Contents
Executive Summary ... 3
Delivery ... 4
Payloads ... 7
Conclusion ... 16
References ... 17
Executive Summary
This white paper details the tactics of the APT group known as Kimsuky: how it
targets organizations, the lures it uses in active campaigns, and the emerging
payload tactics we have observed. All TTPs described in this paper are incorporated
into detection coverage across the Rapid7 portfolio, as detailed in the final section.
Kimsuky operates under the administrative control of a unit within North Korea’s
Reconnaissance General Bureau (RGB). The RGB oversees this network of cyber
operatives and their activities. The data stolen by Kimsuky is shared with other
North Korean cyber actors to further the RGB’s objectives.[source]
Kimsuky is an extremely active threat actor that …