North Korea-linked APT Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs.

SentinelLabs researchers uncovered a social engineering campaign by the North Korea-linked APT group Kimsuky that targets experts in North Korean affairs. The attacks are part of a broader campaign recently detailed in a joint advisory published by US intelligence.

The campaign aims to steal Google credentials and subscription credentials for a reputable news and analysis service specializing in North Korea, as well as to deliver reconnaissance malware.

The Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. At the end of October 2020, US-CERT published a report on Kimsuky's recent activities that provided information on their TTPs and infrastructure.

The APT group primarily targets think tanks and organizations in South Korea; other victims have been located in the US, Europe, and Russia.

In the latest Kimsuky campaign, the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

Threat actors engage in extensive email correspondence with the victims and use spoofed URLs, websites mimicking legitimate web platforms, and weaponized documents.

The attackers were observed delivering the recently discovered reconnaissance tool ReconShark.

The campaign focuses on the theft of email credentials and NK News subscription credentials.

SentinelLabs attributes the campaign to Kimsuky based on the type of malware used, the attack infrastructure, and TTPs.

“A hallmark of the activity we discuss in this post is Kimsuky's focus on establishing initial contact and developing a rapport with their targets prior to initiating malicious activities. As part of their initial contact strategy, the group impersonated Chad O'Carroll, the founder of NK News and the associated holding company Korea Risk Group, using an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain,” reads the report published by SentinelOne. “The initial email requests the review of a draft article analyzing the nuclear threat posed by North Korea.”

The researchers observed Kimsuky sending an HTML-formatted spear-phishing message that asks the target to review a draft analysis of the nuclear threat posed by North Korea. The email is crafted to stimulate a subsequent conversation with the recipient; it impersonates NK News leadership and lacks any malicious artifacts.

After engaging the target in conversation, the APT group eventually follows up with an email containing a URL to a Google document.

If the recipient is not responsive, the nation-state actors follow up with a reminder email in an attempt to engage the target in conversation.

The attackers spoofed the URL's destination by setting the href HTML attribute to point to a website under their control, so the link text shown to the recipient and the address actually opened on click differ.

The displayed URL points to a document hosted on Google Docs on the topic of the North Korean nuclear threat. The document contains visible edits to give the impression of a genuine draft article.

The spoofed destination of the URL redirects the victim to a Kimsuky website that masquerades as a legitimate Google Docs page for requesting document access, such as


The URL includes a Base64-encoded segment that is the value of the menu URL query parameter, which decodes to the victim's email address.

The email address is displayed in the fake login page to trick the visitor into believing it is a legitimate access-request page.


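The two lure tricks described above, a visible link text that differs from the real href destination and a query parameter that carries the victim's Base64-encoded email address, can both be checked mechanically before a user ever clicks. The following Python is an added example written for this page; it is not code from the SentinelLabs report or from the article. The email body, the attacker host docs-google.com-view.example, the placeholder document ID and the address victim@thinktank.example are all constructed for the example and are not indicators from the report.

```python
"""Flag the two lure tricks described above: an <a> whose visible text is a URL but whose
href points elsewhere, and a query parameter carrying a Base64-encoded victim email.

Added example (not code from the SentinelLabs report or this article). SAMPLE_HTML is a
constructed email body; docs-google.com-view.example is a hypothetical attacker host and
victim@thinktank.example is a made-up address, not indicators from the report.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed lure: the visible link text is a real-looking Google Docs URL, the href is not,
# and the "menu" parameter is Base64 for victim@thinktank.example with padding stripped.
SAMPLE_HTML = """
<p>Please review the draft here:
<a href="https://docs-google.com-view.example/view?menu=dmljdGltQHRoaW5rdGFuay5leGFtcGxl">
https://docs.google.com/document/d/EXAMPLEDOCID/edit</a></p>
<p>Our homepage: <a href="https://www.example.org/">https://www.example.org/</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a href=...> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def decode_b64_email(value):
    """Return the decoded string if value is Base64 that decodes to an email address, else None.
    Padding is restored first because '=' characters are often dropped from URL parameters."""
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def lookalike_brand(host):
    """Return the brand name if host contains it but is not under the brand's real domain."""
    for brand, real in (("google", "google.com"),):
        if brand in host and host != real and not host.endswith("." + real):
            return brand
    return None


def analyze_anchors(html):
    """Return one finding per suspicious anchor: display/href host mismatch, brand-lookalike
    host, or a query parameter whose Base64 value decodes to an email address."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        finding = {"href": href, "text": text, "href_host": href_host,
                   "mismatch": False, "text_host": None,
                   "lookalike": lookalike_brand(href_host), "encoded_emails": {}}
        if text.lower().startswith(("http://", "https://")):
            finding["text_host"] = (urlparse(text).hostname or "").lower()
            finding["mismatch"] = finding["text_host"] != href_host
        for name, values in parse_qs(parsed.query).items():
            for value in values:
                email = decode_b64_email(value)
                if email:
                    finding["encoded_emails"][name] = email
        if finding["mismatch"] or finding["lookalike"] or finding["encoded_emails"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_anchors(SAMPLE_HTML):
        print(f"href host {f['href_host']!r} shown as {f['text_host']!r}; "
              f"lookalike={f['lookalike']}; encoded={f['encoded_emails']}")
```

The same logic fits a mail-gateway or SOAR enrichment step: the decoded address in the query string is worth matching against the recipient, since a parameter that spells out the recipient's own email is a strong sign the link was generated per target, as in the campaign above. The second anchor in the sample, whose text and href agree, produces no finding, so the check does not fire on ordinary signature links.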
The researchers also observed threat actors distributing password-protected weaponized Office documents during conversations with the victims. The archive was used to deploy the ReconShark reconnaissance tool.

“SentinelLabs remains actively engaged in monitoring the activities conducted by Kimsuky. The findings presented in this post highlight the group's persistent commitment to targeted social engineering attacks and underscore the need for increased awareness and understanding of Kimsuky's tactics among potential targets,” concludes the report. “Maintaining vigilance and implementing effective security measures are crucial to mitigate the risks posed by this persistent threat actor.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)