Kimsuky Analysis
IOB - Indicator of Behavior (648)
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Activities
Interest
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Vulnerabilities
Campaigns (2)
These are the campaigns that can be associated with the actor:
- AppleSeed
- Xxxxxxxxxx
IOC - Indicator of Compromise (41)
These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.
TTP - Tactics, Techniques, Procedures (21)
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
IOA - Indicator of Attack (229)
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
ID | Class | Indicator | Type | Confidence |
---|---|---|---|---|
1 | File | /.env | predictive | Low |
2 | File | /?/admin/snippet/add | predictive | High |
3 | File | /assets/something/services/AppModule.class | predictive | High |
4 | File | /bin/false | predictive | Medium |
5 | File | /cgi-bin/luci/api/wireless | predictive | High |
6 | File | /cgi-bin/webproc | predictive | High |
7 | File | /editsettings | predictive | High |
8 | File | /expert_wizard.php | predictive | High |
9 | File | /forum/away.php | predictive | High |
10 | File | /images/browserslide.jpg | predictive | High |
11 | File | /includes/lib/get.php | predictive | High |
12 | File | /login | predictive | Low |
13 | File | /main?cmd=invalid_browser | predictive | High |
14 | File | /manager?action=getlogcat | predictive | High |
15 | File | /mc | predictive | Low |
16 | File | /plugins/Dashboard/Controller.php | predictive | High |
17 | File | /public/plugins/ | predictive | High |
18 | File | /rest/jpo/1.0/hierarchyConfiguration | predictive | High |
19 | File | /SASWebReportStudio/logonAndRender.do | predictive | High |
20 | File | /scas/admin/ | predictive | Medium |
21 | File | /static/ueditor/php/controller.php | predictive | High |
22 | File | /tlogin.cgi | predictive | Medium |
23 | File | /tmp/scfgdndf | predictive | High |
24 | File | /uncpath/ | predictive | Medium |
25 | File | /upload | predictive | Low |
26 | File | /usr/ucb/mail | predictive | High |
27 | File | /xxxxxx/xxxxxxxxxxxxx/xxxxxxxxxx-xxxxxxxx/xxxxx/xxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxx/xxx/xxxxxxxxxxx.xxx | predictive | High |
28 | File | xxxxxxx.xxx | predictive | Medium |
29 | File | xxxxxxx.xxx | predictive | Medium |
30 | File | xxx/xxxxxxxxxx_xxxx_xxxxxx.xxx | predictive | High |
31 | File | xxxxx.xxx | predictive | Medium |
32 | File | xxxxx/xxxxx.xxx?xxxxxx=xxx_xxxx | predictive | High |
33 | File | xxxx/xxxxxx/xxxxxx_xxx | predictive | High |
34 | File | xxxxxxxxxxxxxxx.xxxx | predictive | High |
35 | File | xxxxxxx/xxxxxx/xxxxxxxxxxxxx.xxxx | predictive | High |
36 | File | xxx.xxx/xxx/xxxxxx | predictive | High |
37 | File | xxx/xxxxxxxx/xxxxxx | predictive | High |
38 | File | xxxxxx/xxxxxxxx.xxxx | predictive | High |
39 | File | xxxx/xxxxxxxxxxxx.xxx | predictive | High |
40 | File | xxxx.x | predictive | Low |
41 | File | xxx.xxx | predictive | Low |
42 | File | xxxxx/xxxxxxx.xxx | predictive | High |
43 | File | xxxxxx/xxx.x | predictive | Medium |
44 | File | xxxxxx/xxxx.x | predictive | High |
45 | File | xxxx.x | predictive | Low |
46 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
47 | File | xxxx/xxxxxxxx/xxxxxxxx.xxx | predictive | High |
48 | File | xxxx_xxxxx.xxx | predictive | High |
49 | File | xxxx_xxxxxxx.xxx | predictive | High |
50 | File | xxxxxxxx_xxxx.xxx | predictive | High |
51 | File | xxxxx.xxx | predictive | Medium |
52 | File | xxxx.xxxx | predictive | Medium |
53 | File | xxxxx.xxx | predictive | Medium |
54 | File | xxxx_xxxxxxxx.xxx | predictive | High |
55 | File | xxxx_xxxxxxxx_xxxxxxxxx.x | predictive | High |
56 | File | xxxxxx.xxx | predictive | Medium |
57 | File | xxxx/xxxxxxxxxxxxxxxx | predictive | High |
58 | File | xxxxx/xxxx.xxx | predictive | High |
59 | File | xx/xx_xxxxx.x | predictive | High |
60 | File | xxxxxxxxx.xxx.xxx | predictive | High |
61 | File | xxxxxxx.xxx | predictive | Medium |
62 | File | xxxxxxx.xxx | predictive | Medium |
63 | File | xxxxxxxxxxxxxxxxx.xxxx | predictive | High |
64 | File | xxx.xxx | predictive | Low |
65 | File | xxxxxxxxx.xxxx | predictive | High |
66 | File | xxxx.xxx | predictive | Medium |
67 | File | xxxxx_xxxx.xxx | predictive | High |
68 | File | xxxx.x | predictive | Low |
69 | File | xxxx_xxxx.x | predictive | Medium |
70 | File | xx/xxx/xxx-xxxx.x | predictive | High |
71 | File | xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx.xxx | predictive | High |
72 | File | xxx/xxxxxx.xxx | predictive | High |
73 | File | xxx/xxxxxxxxxxx/xxxxxxx.xxx | predictive | High |
74 | File | xxxxxxx/xxxxxxx.xxx | predictive | High |
75 | File | xxxxx.xxx | predictive | Medium |
76 | File | xxxxxxxxx.xxx | predictive | High |
77 | File | xxxxxxx-xxxxxxxxx>/xxxxxxxxxx/xxx-xxx | predictive | High |
78 | File | xxxxxxxxxxxxx.xxx | predictive | High |
79 | File | xxx/xxx_xxxxxxxxxx.x | predictive | High |
80 | File | xxxxxx.x | predictive | Medium |
81 | File | xxxxxx/xxx/xxxxxxxx.x | predictive | High |
82 | File | xxxxxx/xxxxxx.x | predictive | High |
83 | File | xxxxxx/xxxxx.x | predictive | High |
84 | File | xxxxxxx.xx.x | predictive | Medium |
85 | File | xxxxxxxxx/xxxxxxx/xxxxxx/xxxxxxxxxx.xxx | predictive | High |
86 | File | xxxxxxxxx/xxxxxx.xxx.xxx | predictive | High |
87 | File | xxxxxxx/xxxxx/xx/xxxxxx/xxxxx.xxxxx.xxx | predictive | High |
88 | File | xxxxx.xxx | predictive | Medium |
89 | File | xxxxx.xxx | predictive | Medium |
90 | File | xxxx.xxx | predictive | Medium |
91 | File | xxxx.xxxxxx.xx | predictive | High |
92 | File | xxxxxxxx.xxx | predictive | Medium |
93 | File | xxxxxx.xxx | predictive | Medium |
94 | File | xxxxxxx/xxxxxxx/xxx/xxxxxxxxxx.xxx?xxxxxxxx=xxxx&xxxxxx=xxxxxxxxxx | predictive | High |
95 | File | xxxx/xxxxxx.xxx | predictive | High |
96 | File | xxxx/xxxxxx.xxx | predictive | High |
97 | File | xxxxxxxx.xxx | predictive | Medium |
98 | File | xxxxxxx_xxxxxx.xxx | predictive | High |
99 | File | xxxxx_xxxx.x | predictive | Medium |
100 | File | xxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][] | predictive | High |
101 | File | xxxxx.xxx | predictive | Medium |
102 | File | xxxxxxxxxx.xxx | predictive | High |
103 | File | xxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxx | predictive | High |
104 | File | xxxxxxx/xxxxxxxxxx.xxx | predictive | High |
105 | File | xxxxxxxxxx.xxxx.xxx | predictive | High |
106 | File | xxxxxxx/xxxxxxxxxx.xxx | predictive | High |
107 | File | xxxxxx_xxx_xxxxxx.xxx | predictive | High |
108 | File | xxxxx.xxx | predictive | Medium |
109 | File | xxxx-xxxxxx.x | predictive | High |
110 | File | xxxxxxx.xxx | predictive | Medium |
111 | File | xxxxxxxx/xxxxx/xxxxxxx.xxxx?xxxxxxxxxx=xxxxxxxxxxxxxxxx/xxxx | predictive | High |
112 | File | xxx/xxxx/xxxx/xxx.xxxxxxxx.xxxxxxx/xxxxxxx/xxx/xxxxxx.xxxx | predictive | High |
113 | File | xxxxxx\xxxxxxxx\xx_xxxxx_xxxxxxx.xxx | predictive | High |
114 | File | xxx/xxx.xx | predictive | Medium |
115 | File | xxx_xxxxxx.xxx | predictive | High |
116 | File | xxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
117 | File | xxxx-xxxxxxxx.xxx | predictive | High |
118 | File | xxxxx | predictive | Low |
119 | File | xxxxxx.xxx | predictive | Medium |
120 | File | xxxxxxx/xxxxxxx/xxxxxx/xxxxxx_xxxxxx_xxxx.xxx | predictive | High |
121 | File | xxx.xxx | predictive | Low |
122 | File | xxxx-xxxxxxx-xxxxxx.xxx | predictive | High |
123 | File | xxx.xxx | predictive | Low |
124 | File | xx-xxxxx-xxxxxx.xxx | predictive | High |
125 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
126 | File | xx-xxxxxxxx/xxxx.xxx | predictive | High |
127 | File | xx-xxxxx.xxx | predictive | Medium |
128 | File | _xx_xxxxx | predictive | Medium |
129 | File | _x_/xxxx/_x_/xxx/xxxxxx_xxxxxxxxxxxxx | predictive | High |
130 | Library | /xxx/xxx/xxxx.xxx | predictive | High |
131 | Library | /xxx/xxx/xxx/xxxx/xxxxxxxxxx/xxxxx/xxxxxxxxxx.xxx | predictive | High |
132 | Library | xxxxxxxxxxxxxxxxx.xxx | predictive | High |
133 | Library | xxxxxxxxx.xxx | predictive | High |
134 | Library | xxxxxxxxxxx.xxx | predictive | High |
135 | Library | xxxxxx.xxx | predictive | Medium |
136 | Library | xxxxxxxx.xxx | predictive | Medium |
137 | Library | xxxxxxx.xxx | predictive | Medium |
138 | Library | xxx/xxxxxxxxx.xxx | predictive | High |
139 | Library | xxxxxx | predictive | Low |
140 | Library | xxxxxxx/xxxx/xxxxxxx/xxx/xxxxxxx.xxx | predictive | High |
141 | Library | xxxxxxxx.xxx | predictive | Medium |
142 | Library | xxxxxx.xxx.xxxxxx.xxx | predictive | High |
143 | Library | xxxxxx.xxx | predictive | Medium |
144 | Library | xxxxxxxxxxxxx.xxx | predictive | High |
145 | Library | xxxxxxx.xxx.xx.xxx | predictive | High |
146 | Library | xxxxxx.xxxxxxx('xxxxx_xxxx:/xxx/xxxxxx') | predictive | High |
147 | Argument | xxxx | predictive | Low |
148 | Argument | xxx_xxx | predictive | Low |
149 | Argument | xxxx_xx | predictive | Low |
150 | Argument | xxxxxxxxxxxxx | predictive | High |
151 | Argument | xxxxxxxx | predictive | Medium |
152 | Argument | xxxxx_xxxx | predictive | Medium |
153 | Argument | xxxx | predictive | Low |
154 | Argument | xxxxx | predictive | Low |
155 | Argument | xxx_xx | predictive | Low |
156 | Argument | xxxxxxx | predictive | Low |
157 | Argument | xxxxxxx | predictive | Low |
158 | Argument | xxxxxxx_xxx/xxxxx | predictive | High |
159 | Argument | xxxxxxxxxxxxxx | predictive | High |
160 | Argument | xxxxxx/xxxxxxx | predictive | High |
161 | Argument | xxxxxxxxxxxxxxx | predictive | High |
162 | Argument | xxxx_xxxxxx_xxxxxxxxx | predictive | High |
163 | Argument | xxxxx | predictive | Low |
164 | Argument | xx_xxxxx_xx | predictive | Medium |
165 | Argument | xxxxx | predictive | Low |
166 | Argument | xxxxxxx xxxx | predictive | Medium |
167 | Argument | xxxx | predictive | Low |
168 | Argument | xxxxxxxx | predictive | Medium |
169 | Argument | xxxx xxxx | predictive | Medium |
170 | Argument | xxxxxxx | predictive | Low |
171 | Argument | xx_x~xx | predictive | Low |
172 | Argument | xxxx | predictive | Low |
173 | Argument | xxxx | predictive | Low |
174 | Argument | xxxxxxxx | predictive | Medium |
175 | Argument | xxxx_xxxxx | predictive | Medium |
176 | Argument | xx | predictive | Low |
177 | Argument | xxxxx | predictive | Low |
178 | Argument | xxxxxx | predictive | Low |
179 | Argument | xxxx | predictive | Low |
180 | Argument | xxx | predictive | Low |
181 | Argument | xxxx | predictive | Low |
182 | Argument | xxxxx_xxxxx_xx | predictive | High |
183 | Argument | xxxxxxxxx_xxxxxxxx_xxxx | predictive | High |
184 | Argument | xxxxx | predictive | Low |
185 | Argument | xxxxxxx | predictive | Low |
186 | Argument | xxxxx | predictive | Low |
187 | Argument | xxxxx_xxxx | predictive | Medium |
188 | Argument | xxxx | predictive | Low |
189 | Argument | xxxxxxxx | predictive | Medium |
190 | Argument | xxxxxxxx | predictive | Medium |
191 | Argument | xxx | predictive | Low |
192 | Argument | xxxxxxx | predictive | Low |
193 | Argument | xxxx_xxxxx | predictive | Medium |
194 | Argument | xxxxxx_xxxxxx_xxxx | predictive | High |
195 | Argument | xxxxxxxx | predictive | Medium |
196 | Argument | xxxxxxxx | predictive | Medium |
197 | Argument | xxxx_xxxx_xxxx | predictive | High |
198 | Argument | xxxxxx_xxxxxxx_xxxxxxxxx_xxxx/xxxxxx_xxxxxxx_xxxxxxx_xxxx | predictive | High |
199 | Argument | xxxx | predictive | Low |
200 | Argument | xxxxxxxxxx | predictive | Medium |
201 | Argument | xxxx | predictive | Low |
202 | Argument | xxxx_xxxxx | predictive | Medium |
203 | Argument | xxx | predictive | Low |
204 | Argument | xxxx_xx | predictive | Low |
205 | Argument | xxx_xxxxx | predictive | Medium |
206 | Argument | xxxxxxxx | predictive | Medium |
207 | Argument | xxxxxxxxx | predictive | Medium |
208 | Argument | xxxxxxxxxxxx/xxxxxxxxxxxxxxxx | predictive | High |
209 | Argument | xxxxxx | predictive | Low |
210 | Argument | xxxxxxxx | predictive | Medium |
211 | Argument | xxxxxxxxxx | predictive | Medium |
212 | Argument | xxxx | predictive | Low |
213 | Argument | xxxxxxxx | predictive | Medium |
214 | Argument | xxx | predictive | Low |
215 | Argument | xxx | predictive | Low |
216 | Argument | xxx_xxx_xxxxxxxx | predictive | High |
217 | Argument | xx | predictive | Low |
218 | Argument | xxxxxxxxxxxx[xxxx] | predictive | High |
219 | Argument | xxxxx | predictive | Low |
220 | Argument | xxxx->xxxxxxx | predictive | High |
221 | Argument | x-xxxx-xxxxx | predictive | Medium |
222 | Argument | _x_xxxxxxxxxx | predictive | High |
223 | Argument | _xxxxxxx | predictive | Medium |
224 | Input Value | %xx%xx%xxxxx%xxxxx=x%xxxxxxxxx=xxxxx(x)%xx | predictive | High |
225 | Input Value | .. | predictive | Low |
226 | Input Value | /%xx | predictive | Low |
227 | Input Value | x' | predictive | Low |
228 | Network Port | xxxx | predictive | Low |
229 | Network Port | xxx/xxx (xxxx) | predictive | High |
References (11)
The following list contains external sources which discuss the actor and the associated activities:
- https://asec.ahnlab.com/en/30532/
- https://blog.alyac.co.kr/2234
- https://blog.alyac.co.kr/4892
- https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
- https://community.blueliv.com/#!/s/5fa1234a82df413ea9349a07
- https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf
- https://github.com/blackorbird/APT_REPORT/tree/master/kimsuky
- https://github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case
- https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/Kimsuky
- https://twitter.com/shadowchasing1/status/1500778382966939653
- https://twitter.com/souiten/status/1473862308132651011