Tracking the Trackers: Lessons from the APT43/Kimsuky Takedown
Introduction
This technical analysis is derived from the groundbreaking “APT Down — The North Korea Files” published in Phrack Magazine Issue 72. Our security team gained unprecedented access to the actual infrastructure, logs, and code of Kimsuky/APT43, a North Korean state-sponsored threat actor, following a major takedown operation. This rare opportunity to analyze real attacker infrastructure has provided invaluable insights into their operations.
In today’s sophisticated threat landscape, attackers are increasingly using tracking pixels as part of their phishing campaigns to validate email addresses, track victim behavior, and enhance targeting. These invisible 1×1 pixel images can reveal when an email is opened, what device was used, and even approximate location data – all without the user’s knowledge or consent.
This blog post explores practical detection strategies for security teams based on our analysis of real-world attacks, including those attributed to Kimsuky/APT43, a North Korean threat actor known for their targeted phishing campaigns against …
IoC
https://tracking-domain.com/request.php?i=ZW1haWxAZXhhbXBsZS5jb20=&c=campaign123&dot.png
https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20=
https://tracking-domain.com/pixel.gif?i=base64encodeddata
https://track.hubspot.com/__t.gif?tid=12345&rid=abcd
https://[new-domain]/request.php?i=base64email&dot.png
Request
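As an added example that is not part of the original post, the following Python scans web-proxy log lines for the traits the URL patterns above share: a pixel-sized response body, a base64 query value that decodes to an e-mail address (the `i=` parameter), and an image file name appended to the query string of a script URL (`request.php?...&dot.png`). The log layout and the sample lines are constructed assumptions, not data from the takedown.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log in an assumed "timestamp method url status bytes" layout.
# Lines 1-2 mimic the request.php / pixel.gif patterns, line 3 is a normal image,
# line 4 is a marketing pixel with opaque (non-base64) identifiers.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z GET https://tracking-domain.com/request.php?i=ZW1haWxAZXhhbXBsZS5jb20=&c=campaign123&dot.png 200 68
2024-01-01T10:00:05Z GET https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20= 200 43
2024-01-01T10:01:00Z GET https://cdn.example.org/logo.png 200 14200
2024-01-01T10:02:00Z GET https://track.hubspot.com/__t.gif?tid=12345&rid=abcd 200 43
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PIXEL_MAX_BYTES = 100  # a 1x1 GIF/PNG is a few dozen bytes; treat anything this small as pixel-sized


def b64_email(value):
    """Return the decoded e-mail address if `value` is standard base64 of one, else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def classify(url, body_bytes):
    """Return the list of tracking-pixel signals found for one fetched URL."""
    parsed = urlparse(url)
    signals = []
    if body_bytes <= PIXEL_MAX_BYTES:
        signals.append("pixel_sized")
    # keep_blank_values keeps the value-less '&dot.png' key instead of silently dropping it.
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower().endswith((".gif", ".png")):
            signals.append("image_name_in_query")  # '&dot.png' dressing a .php URL as an image
            continue
        for v in values:
            email = b64_email(v)
            if email:
                signals.append(f"b64_email:{key}={email}")
    return signals


def scan(log_text):
    """Map each URL in the log to its signals, keeping only URLs with at least one signal."""
    hits = {}
    for line in log_text.splitlines():
        _ts, _method, url, _status, size = line.split()
        signals = classify(url, int(size))
        if signals:
            hits[url] = signals
    return hits
```

A URL carrying both `pixel_sized` and `b64_email` is the strongest indicator here; a lone `pixel_sized` hit also matches ordinary marketing pixels and needs the sending domain for context.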