216.73.216.86

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

· Published 24/11/2025 11:59 · Modified 21/12/2025 18:00

Export JSON

Essential information

Published
24/11/2025 11:59
Modified
21/12/2025 18:00
Tags
2025-11-24 babyshark browser credentials credential-theft data exfiltration keylogging kimjongrat north korea pe executable phishing powershell spear-phishing
Related entities
9 observables, 1 intrusion sets (apt), 21 techniques (mitre), 2 malware, 6 others

Description

This analysis examines the latest attack flow of the variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and -based attack chains, which have been merged into a single workflow. The attackers use emails for initial access, leveraging GitHub and Google Drive for malware distribution. The malware exfiltrates sensitive data including , system information, and keystrokes. Additional activities by the same actor include credential theft through sites and campaigns targeting South Korean users. The analysis provides evidence supporting the attribution to Kimsuky and highlights the ongoing development of variants and infrastructure, indicating successful attacks.

External references