Blog categories
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Latest from the blog
Inside the Kimsuky APT Leak: Stolen GPKI Certificates, Rootkits, and a Personalized Cobalt Strike from North Korea’s Cyber Unit
Posted on: 24 Aug 2025 | Author: Foresiet
Introduction
In a rare and unprecedented incident, a massive operational dump belonging to the North Korean Kimsuky APT group was leaked on a dark web forum. The leak containing virtual machine images, VPS dumps, phishing kits, rootkits, and thousands of credentials offers an unparalleled look into the inner workings of one of Pyongyang’s most prolific cyber espionage groups.

Unlike traditional reporting that relies on network indicators, malware samples, or isolated phishing campaigns, this leak provides a direct view of the adversary’s toolkit, infrastructure, and day-to-day operations.

For defenders, researchers, and policymakers, the data represents a treasure trove of intelligence into how Kimsuky maintains persistence, builds malware, and leverages stolen access across sectors ranging from government and telecommunications to defense and academia.
Who is Kimsuky?
Kimsuky, also tracked under aliases such as APT43, Thallium, and Velvet Chollima, has long been attributed to North Korean state-sponsored activity. The group has been active since at least 2012 and is known for:
- Targeting South Korea, the U.S., Japan, and Europe for espionage.
- Conducting phishing campaigns against diplomats, think tanks, and security researchers.
- Using both custom malware and open-source frameworks (like Cobalt Strike) for intrusions.
- Supporting broader DPRK cyber objectives, including military intelligence collection and sanctions evasion.
The newly leaked dataset sheds light not just on their campaigns, but on their operational backbone.
What Was Leaked?
The first leak appears to originate from KIM’s personal guest virtual machine, while the second comes from his public-facing VPS infrastructure. Both data sets were captured around June 10, 2025, and together they provide an unusually deep look into the operator’s daily workflow.

The VM dump includes a screenshot of the attacker’s desktop (kim_desktop.jpg), showing his environment running on Deepin Linux 20.9. Interestingly, the VM had HGFS integration
enabled, which allowed access to the host machine’s C:\ drive — all of which was preserved in the leaked archive. A structured list of these files is stored in ./file-lists.
Within the dump, researchers found nearly 20,000 records of Brave and Chrome browser history, which not only reveal the attacker’s browsing patterns but also expose numerous email addresses he interacted with (examples include jeder97271@wuzak.com, xocaw75424@weiby.com, and many more). The browser was heavily customized with extensions for user-agent spoofing, proxy management (SwitchyOmega), and cookie manipulation, among others — clear signs of operational tradecraft.
One particularly telling document, ko图文编译.doc, turned out to be a user manual for a custom backdoor. It even carried an internal disclaimer in Chinese, warning: “It is forbidden to use the backdoor for other purposes.”

Perhaps the most sensitive discovery was in mnt/hgfs/Desktop/fish_25327/vps20240103.docx, which contained a large cache of credentials. Among them were active logins for mailboxes and VPS accounts, such as:
- root : 1qaz2wsx
- dysoni91@tutamail.com : !QAZ4rfv!@#$
- https://sg24.vps.bz:4083/center2025a@tutamail.com : H4FHKMWMpX8bZ
- https://monovm.com/dysoni91@tutamail.com : dr567h%a”G6*m
Analysis of fish-url.txt and generator.php further revealed the attacker’s habit of recycling password patterns across multiple accounts — an operational weakness that investigators quickly picked up on.

As for the second dump, it relates to a server named vps1735811325, hosted by vps.bz, which was actively used in spear-phishing operations. This VPS contained not only relevant webshells and phishing kit components but also SSL certificates and detailed auth.log files, giving strong indicators of how KIM’s phishing campaigns were deployed and maintained.
Malware and Exploits
The leak exposed several custom and repurposed implants:
- Tomcat Kernel Rootkit — a Linux loadable kernel module (LKM) backdoor with features such as TCP knocking, SSL reverse shell, and root-level persistence.
- Cobalt Strike Personal Beacon — a cracked version with custom C2 profiles.
- Ivanti “RootRot” Implant — a sophisticated backdoor previously mistaken as a vulnerability, capable of surviving patch cycles.
- Bushfire Exploit Kit — weaponization of recent Ivanti CVEs (2025), with overlaps to Chinese threat actor UNC5221, suggesting code-sharing or collaboration.
- SpawnChimera Backdoor — stealthy client implant communicating via TLS Client Hello packets to mask C2 traffic.
Phishing Infrastructure
- Phishing generator kit capable of spoofing South Korean Ministry of Defense (dcc.mil.kr) and other government portals.
- The kit actively avoided automated crawlers from Google and Trend Micro, showing deliberate OPSEC to reduce early detection.
Mobile Capabilities
Evidence of a forked Android tool (“ToyBox”), modified for espionage — details still under analysis.
Military Counterintelligence Command (dcc.mil.kr)
One of the more alarming findings from the Kimsuky data leak is related to South Korea’s Defense Counterintelligence Command (DCC) the military’s own counterintelligence organization tasked with covert operations and safeguarding national security. Evidence from the compromised VPS environment revealed phishing activity specifically targeting the domain dcc.mil.kr. Logs indicate that only three days prior to the dump, there was an active phishing attempt against the DCC.
The DCC is not the only high-profile entity exposed in these logs. Other South Korean institutions, including the Supreme Prosecutor’s Office (spo.go.kr), korea.kr, as well as major internet providers and communication platforms such as daum.net, kakao.com, and naver.com, also appear in the records. Of particular note, the Admin-C contact for dcc.mil.kr is tied to the email address hyuny1982@naver.com, suggesting that adversaries may have pivoted toward leveraging personal accounts linked to official infrastructure.
Extracts from the log files include credentials and encoded data tied to internal DCC emails, further reinforcing the scale of exposure:

This level of compromise highlights that Kimsuky was not merely conducting generic cyber-espionage but was actively infiltrating critical national defense infrastructure.
Breach of the South Korean Foreign Ministry’s Email Platform
Equally concerning is the discovery of a compressed archive labeled mofa.go.kr.7z, which contained what appears to be a full copy of the South Korean Foreign Ministry’s email system source code. Judging by timestamps and repository structures, the data looks like it was exfiltrated from a GitHub repository or internal development environment as recently as April 2025.
Directory listings within the archive show multiple modules related to mail processing, administration, and web access:

Even more troubling are the hardcoded references within the codebase to official government email servers and authentication endpoints:

This implies that Kimsuky not only exfiltrated critical government source code but potentially had access to live mail systems used for diplomatic communications. With such access, attackers could realistically craft perfectly spoofed phishing lures, intercept communications, or implant backdoors into the Foreign Ministry’s communication channels.
Phishing Factories: Industrialized Operations
The VPS contained phishing kits designed to impersonate South Korean government portals, such as dcc.mil.kr. Scripts like generator.php automated phishing page creation, while config.php maintained blacklists of IP ranges belonging to Google, Trend Micro, and other security companies to evade takedowns.
Captured logs showed campaigns against Prosecutor’s Office (spo.go.kr), korea.kr, Daum, Kakao, and Naver. Operators even reused credentials from past campaigns to fuel new waves of attacks, showing a cycle of continuous exploitation.
Domains like websecuritynotices.com and nid-security.com were weaponized with subdomains mimicking Microsoft and Naver services, further blurring the line between legitimate and fake services.
SpawnChimera and The Hankyoreh newspaper
The leak revealed a backdoor client named SpawnChimera hidden in a folder tied to IP 203.234.192.200, which belongs to hani.co.kr — the infrastructure of The Hankyoreh, a liberal South Korean newspaper.

This backdoor didn’t use normal C2 channels. Instead, it relied on port knocking inside the TLS Client Hello message:
- The first 4 bytes had to be a CRC32 checksum of the rest of the 28-byte random field.
- Only then would the server respond and grant access.
That means Kimsuky hijacked or abused media infrastructure for covert C2, blending into encrypted HTTPS traffic and making detection nearly impossible.
Cobalt Strike Personal
Cobalt Strike is a common red-teaming tool, but Kimsuky wasn’t just using off-the-shelf builds. They had their own custom Beacon source code, last updated in June 2024, stored under /beacon.
Config analysis revealed:
- BeaconType: HTTP
- Port: 8172
- C2Server: 168.179.112,/dot.gif
- UserAgent: spoofed IE9 string
- HttpPostUri: /submit.php
It also had a hardcoded watermark and partial integration with their Linux kernel rootkit (hkcap.c) — showing they were actively merging Cobalt Strike with their own implants.
This was not a borrowed cracked copy, but a personalized CS build fine-tuned for stealth and persistence.
Ivanti Exploits (CVE-2025-0282, CVE-2025-0283, CVE-2025-22457)
The dump contained exp1_admin.py and ivanti-new-exp-20241220.zip, which were working exploits against Ivanti Connect Secure appliances.
- These exploits installed a backdoor (“Bushfire”) after initial access.
- The code overlapped with techniques seen in Chinese group UNC5221, suggesting tool-sharing between North Korean and Chinese operators.
- Weak crypto (XOR with a 31-bit key) and low entropy magic values made the backdoor easy to detect — but it was stealthy enough for real-world ops.
This ties Kimsuky directly to the global Ivanti exploitation wave and shows DPRK wasn’t just a bystander but an active participant.
Stolen GPKI Certificates
One of the most dangerous discoveries: thousands of South Korean GPKI certificates and keys were found on KIM’s machine.
- GPKI (Government Public Key Infrastructure) allows officials to digitally sign government documents and authenticate to secure portals.
- Kimsuky not only stole them but wrote a Java cracking tool (java) to brute-force the passwords protecting these keys.
- Examples from the dump:
- 136박정욱key → Password: $cys13640229
- 041????001_env.key → Password: !jinhee1650!
With these, Kimsuky could impersonate real South Korean officials, sign fraudulent documents, and potentially infiltrate government systems without raising suspicion.
Daily Life of “KIM”: OPSEC Failures and Human Habits
The most fascinating insights came not from malware, but from the habits of the operator himself.
- Work schedule: Consistent logins between 09:00 and 17:00 Pyongyang time, mirroring an office routine.
- Desktop artifacts: Screenshots, drag-and-drop caches, and Chrome configs revealed transfers of Cobalt Strike loaders, PowerShell scripts, and even stolen IDA Pro licenses.
- Browser history: 20,000+ entries showed frequent visits to GitHub, Freebuf, Xakep.ru, Taiwanese government sites, and searches on chacha20 and arc4 cryptography.
- Language use: Despite being a North Korean actor, KIM frequently used Google Translate to convert Korean into Simplified Chinese, suggesting either limited Korean literacy or collaboration with Chinese counterparts.
Such human details highlight that even highly trained operators make operational security mistakes, leaving digital breadcrumbs that expose state-level campaigns.
Strategic Implications
This unprecedented leak reveals much about how Kimsuky and, by extension, DPRK cyber operations function:
- Credential-centric operations: Password hoarding and GPKI certificate theft remain central to persistence and privilege escalation.
- Cross-border tool exchange: Overlaps with Chinese groups indicate at least a degree of collaboration or shared tooling.
- Industrial phishing: Kits, blacklists, and automation show phishing is run like a factory, not a hobby.
- OPSEC weaknesses: Despite state backing, Kimsuky operators exhibit human flaws — poor password practices, sloppy domain use, reliance on Google Translate.
Conclusion
The dark web leak of Kimsuky infrastructure is one of the most valuable windows into a state-sponsored threat group in recent memory. By compromising not just their victims but their own machines, researchers gained an inside-out view of how Pyongyang’s hackers operate, from credential hoarding and malware development to phishing campaigns and daily workflows.
It underscores a sobering truth: while Kimsuky is highly capable and deeply entrenched in South Korean networks, they are still fallible humans whose mistakes can be turned into intelligence. For defenders, this leak provides years’ worth of insight into tools, tactics, and procedures a rare chance to understand not just what Kimsuky does, but how it works behind the curtain.
References
About us!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Latest
From the blog
The latest industry news, interviews, technologies, and resources.