APT43 is a cyber threat actor attributed to the Democratic People's Republic of Korea (DPRK), publicly profiled by Mandiant in a March 2023 report that elevated the cluster to "APT" (Advanced Persistent Threat) status. The group is also tracked under overlapping names including Kimsuky, Thallium, Black Banshee, Velvet Chollima, and Emerald Sleet by other vendors such as Microsoft, CrowdStrike, and Kaspersky.
The group is assessed to support the intelligence collection priorities of North Korea's Reconnaissance General Bureau (RGB). Its targeting focuses heavily on:
- Foreign policy and nuclear security analysts, particularly those working on Korean Peninsula issues in the United States, South Korea, Japan, and Europe.
- Academic institutions, think tanks, and journalists covering DPRK affairs.
- Government and defense entities in South Korea and allied states.
- During the COVID-19 period, health-sector and pharmaceutical organizations.
APT43's tradecraft relies less on zero-day exploits than on sustained social engineering. Operators routinely impersonate journalists, academics, and NGO staff, building rapport over email before delivering credential-harvesting pages or malware such as BabyShark, gh0st RAT variants, and custom downloaders. The group maintains extensive spoofed-domain infrastructure mimicking webmail providers and university login portals.
A distinctive feature highlighted by Mandiant is APT43's self-funding model: the group is believed to steal and launder cryptocurrency — using hash-rental services and cloud mining — to purchase operational infrastructure, blurring the conventional line between espionage and financially motivated activity typically associated with the Lazarus cluster.
For policy researchers and MUN delegates, APT43 illustrates how sanctioned states use cyber operations both to collect intelligence on diplomatic counterparts and to evade financial restrictions imposed under UN Security Council resolutions on the DPRK. The group is frequently cited in discussions of attribution norms, the UN Group of Governmental Experts (GGE) process, and sanctions enforcement.
Example
In March 2023, Mandiant published a detailed profile of APT43, linking the group to spear-phishing campaigns against U.S. and South Korean think tanks researching North Korean denuclearization policy.
Frequently asked questions
Mandiant's APT43 cluster overlaps substantially with the activity other vendors track as Kimsuky, Thallium, and Emerald Sleet, though naming conventions and exact technical scoping differ between firms.
Keep learning