Kimsuky
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 27 reports, 144 attack patterns (mitre), 33 malware, 8 sectors, 8 countries, 100 indicators, 4 vulnerabilities (cve), 3 tools
Aliases
Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, TA427, APT43, Springtail
Description
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella rather than tracking separate subgroup or cluster distinctions.
[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)
In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)
Marking (TLP)
TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- AhnLab Kimsuky Kabar Cobra Feb 2019
- Malwarebytes Kimsuky June 2021
- ThreatConnect Kimsuky September 2020
- Cloudflare 2026 Threat Report New Threat Actors March 2026
- Cybereason Kimsuky November 2020
- Securelist Kimsuky Sept 2013
- EST Kimsuky April 2019
- Microsoft Threat Actor Naming July 2023
- Netscout Stolen Pencil Dec 2018
- Mandiant APT43 March 2024
- CISA AA20-301A Kimsuky
- Rapid7 Threat Landscape Actors March 2026
- MSFT-AI
- Zdnet Kimsuky Dec 2018
- Proofpoint TA427 April 2024
- mitre-attack (G0094)
- Symantec Troll Stealer 2024
- EST Kimsuky SmokeScreen April 2019