lazarusholic

Everyday is lazarus.dayβ

MoonPeaking Into Kimsuky Operations

2025-04-11, CyberBlade
https://cyberbladesecurity.com/moonpeaking-into-kimsuky-operations/
MoonPeaking-Into-Kimsuky-Operations-The-DPRK-Deck-of-Cards.pdf, 675.1 KB
#BlueNoroff #Kimsuky #Lazarus #MoonPeak

The DPRK Deck of Cards
North Korea’s cyber espionage game is ramping up, and it’s getting harder to tell where one APT group ends and another begins. In our latest breakdown, we take a deep look into the Kimsuky threat actor and their ever-expanding infrastructure, using fresh data tied to MoonPeak, a XenoRAT adaptation previously revealed by Cisco Talos.
The research expands well beyond Talos’ findings, offering a broader view of how Kimsuky intersects with Lazarus Group and BlueNoroff, blurring attribution lines through shared hosting patterns, reused codebases, and consistent tech stacks. Using response hashes as breadcrumbs, the report uncovers dozens of C2 servers spread across strategically important IP netblocks — each packed with domains crafted to impersonate everything from South Korean public services to Western corporations.
What’s particularly compelling is the strategic overlap seen in hosting behavior. Infrastructure initially attributed to Kimsuky is found neighboring known Lazarus domains, which is a sign …