Kimsuky (also tracked as Thallium, Velvet Chollima, Black Banshee, and APT43) is a cyber-espionage group widely attributed to North Korea's Reconnaissance General Bureau (RGB). It has been active since at least 2012, when Kaspersky published one of the earliest public reports describing its operations against South Korean think tanks.
The group's mission is primarily intelligence collection rather than disruption or revenue generation, though overlap with cryptocurrency theft activity has been reported. Typical targets include:
- Foreign-policy and national-security think tanks
- Academics and journalists covering the Korean peninsula
- Government agencies in South Korea, the United States, Japan, and Europe
- Nuclear-policy researchers and sanctions experts
- Defectors and human-rights NGOs
Kimsuky relies heavily on spear-phishing, credential harvesting through fake login portals (Google, Naver, Kakao, Daum), and social engineering in which operators pose as journalists, academics, or government officials to build rapport before delivering malicious attachments or links. Known tooling has included the BabyShark and AppleSeed malware families and various PowerShell-based loaders.
Several governments have publicly named the group. In 2020, the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and US Cyber Command issued joint alert AA20-301A describing Kimsuky's tradecraft. In 2023, the US Treasury's Office of Foreign Assets Control (OFAC) and South Korea announced coordinated sanctions related to North Korean cyber actors, and South Korea specifically sanctioned Kimsuky in June 2023. Microsoft has also taken civil action against infrastructure associated with the Thallium cluster, securing a court order in 2019 to seize domains used by the group.
For MUN and policy researchers, Kimsuky is a frequently cited case study in discussions of state-sponsored espionage, sanctions enforcement against the DPRK, and the application of norms of responsible state behavior in cyberspace under the UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) processes.
Example
In June 2023, South Korea's Ministry of Foreign Affairs announced sanctions against Kimsuky, citing its role in cyber-espionage operations supporting North Korea's weapons programs.
Frequently asked questions
Open-source reporting and government advisories attribute Kimsuky to North Korea's Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service.
Keep learning