Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home panic

APT43 – Kimsuky, Thallium – North Korea

May 30, 2023
Reading Time: 3 mins read
in APT
APT43 – Kimsuky, Thallium – North Korea
Names APT43, Kimsuky, Thallium
Location North Korea
Date of initial activity 2018
Suspected attribution State-sponsored, Reconnaissance General Bureau (RGB)
Motivation Credential harvesting, Espionage
Associated tools VINETHORN, PINEFLOWER, TABBYCAT, VBREVSHELL, TAMECAT, POWERPOST, BROKEYOLK, CHAIRSMACK, GHAMBAR, MAGICDROP, DOSTEALER, SILENTUPLOADER

Overview

APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.

In addition to its espionage campaigns, Mandiant believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence. The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure. APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.

Common targets

Targeting is regionally focused on South Korea and the U.S., as well as Japan and Europe, especially in the following sectors: government, education/research/think tanks focused on geopolitical and nuclear policy, business services, manufacturing.

Attack Vectors

Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations. Their most frequently observed operations are spear-phishing campaigns supported by spoofed domains and email addresses as part of their social engineering tactics. Domains masquerading as legitimate sites are used in credential harvesting operations.

How they work

APT43 most commonly leverages tailored spear-phishing emails to gain access to victim information. However the group also engages in various other activities to support collecting strategic intelligence, including using spoofed websites for credential harvesting and carrying out cybercrime to fund itself. The actors regularly update lure content and tailor it to the specific target audience, particularly around nuclear security and non-proliferation.

APT43 is adept at creating convincing personas, including masquerading as key individuals within their target area (such as security and defense), as well as leveraging stolen personally identifiable information (PII) to create accounts and register domains.

APT43 uses highly relevant lure content together with spoofed email addresses. APT43 also leverages contact lists stolen from compromised individuals to identify additional targets for spear-phishing operations.

APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, reducing fiscal strain on the central government.

References:
  • https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage
 
Tags: Advanced Persistent ThreatAPTAPT43AttackersespionagekimsukyNorth KoreaSocial EngineeringThallium
ADVERTISEMENT

Related Posts

APT-C-60 (APT) – Threat Actor

APT-C-60 (APT) – Threat Actor

February 16, 2025
COLDRIVER (APT) – Threat Actor

COLDRIVER (APT) – Threat Actor

February 13, 2025
UTG-Q-010 (APT) – Threat Actor

UTG-Q-010 (APT) – Threat Actor

February 12, 2025
Actor240524 (APT) – Threat Actor

Actor240524 (APT) – Threat Actor

February 10, 2025
T-APT-04 (SideWinder) – Threat Actor

T-APT-04 (SideWinder) – Threat Actor

January 30, 2025
Evasive Panda (APT) – Threat Actor

Evasive Panda (APT) – Threat Actor

January 30, 2025

Latest Alerts

Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

APT28 RoundPress Webmail Hack Steals Emails

Google Patches Chrome Account Takeover Bug

Horabot Malware Targets LatAm Via Phishing

HTTPBot DDoS Threat To Windows Systems

Subscribe to our newsletter

    Latest Incidents

    Hackers Target Swiss Reserve Power Plant

    Coinbase Insider Attack Exposed User Data

    Cyberattack Hits J Batista Group

    Dior Breach Exposes Asian Customer Data

    Australian Human Rights Body Files Leaked

    Nucor Cyberattack Halts Plants Networks

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial