North Korea-Linked Group Levels Multistage Cyberattack on South Korea

March 18, 2024 at 08:10PM The Kimsuky-attributed campaign involves an eight-step process for compromising systems, starting with initial execution and culminating in establishing stealth and persistence by downloading additional code from Dropbox and executing it. These steps include …

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

March 18, 2024 at 02:33PM A new complex attack campaign, DEEP#GOSU, employing PowerShell and VBScript malware to infect Windows systems and gather sensitive information has been linked to the North Korean state-sponsored group Kimsuky. The campaign uses legitimate services like Dropbox and Google Docs for command-and-control, and has been observed using methods such as utilizing …

North Korea Hits ScreenConnect Bugs to Drop ‘ToddleShark’ Malware

March 5, 2024 at 03:02PM North Korean hackers exploit ConnectWise’s ScreenConnect software vulnerability with ToddleShark malware. Kimsuky, a DPRK-based APT, targets organizations using the CVE-2024-1709 bug. ToddleShark gathers system info and sends it to attacker-controlled servers via encrypted channels. It evades detection through randomization and junk code. Organizations are urged to patch their systems promptly. …

ScreenConnect flaws exploited to drop new ToddlerShark malware

March 5, 2024 at 09:39AM North Korean APT group Kimsuky exploits ScreenConnect flaws CVE-2024-1708 and CVE-2024-1709 to spread new malware variant ToddlerShark. The group uses legitimate Microsoft binaries, registry modifications, and scheduled tasks for persistent access and data exfiltration. ToddlerShark, a polymorphic malware, exhibits evasion techniques, making detection and analysis challenging. Kroll plans to share …

ScreenConnect flaws exploited to drop new ToddleShark malware

March 4, 2024 at 05:44PM North Korean APT group Kimsuky is exploiting ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 to distribute the new ToddleShark malware. This polymorphic variant aims for long-term espionage, using legitimate Microsoft tools and scheduled tasks for persistent access. Kroll’s upcoming report will share further details and indicators of compromise for ToddleShark. From the …

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

December 29, 2023 at 04:36AM North Korean state actors are using spear-phishing attacks to distribute various malware and backdoors to infiltrate compromised systems. An advanced persistent threat group known as Kimsuky is responsible for the malicious activity, with a focus on targeting entities in South Korea and expanding globally. The group has been sanctioned by …

North Korea APT Slapped With Cyber Sanctions After Satellite Launch

December 1, 2023 at 04:08PM The US Treasury sanctioned North Korean cyberespionage group Kimsuky, hindering DPRK’s WMD program by disrupting revenue and intelligence gathering. Kimsuky, active since 2013, remains resilient despite sanctions from the US and allies. Greater awareness and cybersecurity are needed to combat North Korea’s cyber threats. Meeting Takeaways: 1. The US Department …

U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign Agents

December 1, 2023 at 03:48AM The U.S. Treasury sanctioned Kimsuky, a North Korea-linked cyber espionage group, and eight individuals for supporting DPRK’s WMD programs and evading sanctions. Kimsuky, active since 2012, targets governments and organizations mainly for intelligence relevant to North Korea’s interests and missile technology. **Takeaways from the Meeting:** 1. The U.S. Department of …

US govt sanctions North Korea’s Kimsuky hacking group

November 30, 2023 at 05:18PM OFAC sanctioned the Kimsuky hacking group and eight North Korean agents for espionage and aiding DPRK’s WMD programs, responding to DPRK’s satellite launch. Kimsuky has expanded from South Korea to global targets, engaging in cyberattacks to support DPRK’s nuclear ambitions. Previous sanctions targeted DPRK groups for cyber theft funding the …

North Korea’s Kimsuky Doubles Down on Remote Desktop Control

October 18, 2023 at 12:15PM North Korea’s Kimsuky cyber threat group has been found to be using Remote Desktop Protocol (RDP) and other tools to remotely take over targeted systems. The group has also been leveraging open source software such as TightVNC and Chrome Remote Desktop. Kimsuky continues to use spear phishing as its initial …