Preliminary File List Analysis of Kimsuky / APT43 Leak
Disclaimer
IMPORTANT: This document contains real IP addresses, domains, and technical indicators related to malicious activity. This information is provided for research, defensive, and educational purposes only. Readers are strongly encouraged to use this information responsibly and ethically. Do not attempt to access, scan, or interact with any of the mentioned infrastructure without proper authorization. Misuse of this information could potentially violate laws and regulations in various jurisdictions.
Executive Summary
This technical brief relates to “APT Down — The North Korea Files”, published in Phrack Magazine Issue 72. Our analysis focuses exclusively on the bash history, user history, Chrome timeline history, and file/folder listings found within the file-lists_and_misc directory. The evidence suggests a sophisticated threat actor with advanced capabilities in malware development, network manipulation, and infrastructure setup. The actor demonstrates particular interest in Korean systems, specifically the Korean Government Public Key Infrastructure (GPKI), …
IoC