{
  "name": "Analysis of the Triple Combo Threat of the Kimsuky Group",
  "slug": "analysis-of-the-triple-combo-threat-of-the-kimsuky-group",
  "description": "The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.",
  "published": "2025-06-11T20:07:05+00:00",
  "created_at": "2025-06-11T20:07:05+00:00",
  "modified_at": "2025-06-11T20:18:47+00:00",
  "created_at_opencti": "2025-06-11T20:07:05+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-11",
    "appleseed",
    "apt",
    "babyshark",
    "dll file",
    "execution",
    "facebook",
    "flowerpower",
    "golddragon",
    "kimsuky",
    "kimsuky group",
    "linkedin",
    "powershell",
    "shell",
    "telegram",
    "username",
    "vmprotect"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "woana.n-e.kr"
      },
      {
        "id": "",
        "name": "vamboo.n-e.kr"
      },
      {
        "id": "",
        "name": "update.screawear.ga"
      },
      {
        "id": "",
        "name": "onsungtong.n-e.kr"
      },
      {
        "id": "",
        "name": "peras1.n-e.kr"
      },
      {
        "id": "",
        "name": "nomera.n-e.kr"
      },
      {
        "id": "",
        "name": "nocamoto.o-r.kr"
      },
      {
        "id": "",
        "name": "nauji.n-e.kr"
      },
      {
        "id": "",
        "name": "hyper.cadorg.p-e.kr"
      },
      {
        "id": "",
        "name": "download.uberlingen.com"
      },
      {
        "id": "",
        "name": "afcafe.kro.kr"
      },
      {
        "id": "",
        "name": "c1958894129800843f627bc791ae046f9f4c5b26a4cb7bd7b6d684b110be690a"
      },
      {
        "id": "",
        "name": "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
      },
      {
        "id": "",
        "name": "24a42a912c6ad98ab3910cb1e031edbdf9ed6f452371d5696006c9cf24319147"
      }
    ],
    "malware": [
      {
        "id": "993db1ff-9bb3-4b96-8139-825051d6043e",
        "name": "BabyShark",
        "slug": "babyshark"
      },
      {
        "id": "65703bbf-11e2-4254-8e6d-f2f1118da9af",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "intrusion_sets": [
      {
        "id": "294d962a-b24e-446b-8e2d-3706cb1316b3",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "attack_patterns": [
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Cryptocurrency"
      },
      {
        "id": "",
        "name": "Military"
      },
      {
        "id": "",
        "name": "Defense"
      }
    ]
  },
  "external_refs": []
}