Nation-state actors affiliated with North Korea [2] [5] [6], specifically the advanced persistent threat group known as Kimsuky [2] [5] [6], have been conducting spear-phishing attacks against a wide range of targets for over a decade. This activity has raised concerns both about cybersecurity and about the regime's evasion of international sanctions.
Kimsuky [1] [2] [3] [4] [5] [6], a North Korean state-backed group [1] [3], has been active since 2013 [3]. It initially targeted South Korean research institutes, and in 2014 a South Korean energy corporation [3]. Over time its operations expanded to other regions, including Russia, the United States [1], and European nations [1]. Its espionage campaigns rely on spear-phishing emails carrying lure files that deploy a variety of malware families [2] [4]; the lures have been delivered as LNK shortcut files [1], JavaScript [1] [3], and weaponized documents [1] [2] [4] [5].

One notable backdoor used by Kimsuky is AppleSeed [2] [5], in use since May 2019 [5]. It has since gained an Android version and a new variant called AlphaSeed [2] [5], written in Golang [2] [4] [5]. AlphaSeed uses the Golang library chromedp (a Chrome DevTools Protocol client that drives a Chrome browser) to communicate with its command-and-control server [2] [5], whereas AppleSeed relies on HTTP or SMTP [2]. Evidence suggests that Kimsuky has deployed AlphaSeed since October 2022 [5], sometimes alongside AppleSeed on the same target system [5].

Kimsuky has also been observed using Meterpreter and VNC-based tools such as TightVNC and TinyNuke to gain control over compromised systems [2] [4]. More recently the group has switched from RDP to Chrome Remote Desktop for remote control [3]. Separately, North Korean actors have been using fraudulent online personas on LinkedIn and GitHub to obtain remote employment and generate revenue for the regime [2].
These attacks highlight North Korea’s efforts to evade international sanctions and profit from cyber schemes [2] [4]. The US government recently sanctioned Kimsuky for gathering intelligence to support North Korea’s strategic objectives [5]. The activity has been attributed to Kimsuky by South Korea-based cybersecurity company AhnLab.

Kimsuky's sustained focus on South Korean users [1], combined with its global expansion [1], poses a continuing challenge to defenders [1]. Organizations and individuals should remain vigilant against spear-phishing attacks and maintain robust security controls to mitigate the risks posed by Kimsuky and similar threat actors.