← Back to Actors
Kimsuky
KimsukyBlack BansheeVelvet ChollimaEmerald SleetTHALLIUMAPT43TA427SpringtailEarth KumihoPatheticSlug
[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national securi...
134
Techniques
109
Covered
25
Gaps
81%
Coverage
Coverage109/134
GAPS (25)
T1027.007Dynamic API ResolutionT1027.016Junk Code InsertionT1056.003Web Portal CaptureT1132.002Non-Standard EncodingT1480.002Mutual ExclusionT1560.003Archive via Custom MethodT1564.011Ignore Process InterruptsT1583.004ServerT1585Establish AccountsT1585.001Social Media AccountsT1585.002Email AccountsT1586.002Email AccountsT1588.003Code Signing CertificatesT1588.005ExploitsT1589.003Employee NamesT1591Gather Victim Org InformationT1593Search Open Websites/DomainsT1593.001Social MediaT1593.002Search EnginesT1594Search Victim-Owned WebsitesT1596Search Open Technical DatabasesT1678Delay ExecutionT1680Local Storage DiscoveryT1682Query Public AI ServicesT1684.001Impersonation
COVERED (109)
T1003.001LSASS Memory111 det.T1005Data from Local System47 det.T1007System Service Discovery15 det.T1012Query Registry25 det.T1016System Network Configuration Discovery40 det.T1020Automated Exfiltration20 det.T1021.001Remote Desktop Protocol53 det.T1027Obfuscated Files or Information606 det.T1027.001Binary Padding3 det.T1027.002Software Packing2 det.T1027.010Command Obfuscation38 det.T1027.012LNK Icon Smuggling1 det.T1027.013Encrypted/Encoded File8 det.T1027.015Compression2 det.T1033System Owner/User Discovery61 det.T1036.004Masquerade Task or Service7 det.T1036.005Match Legitimate Resource Name or Location45 det.T1036.007Double File Extension4 det.T1040Network Sniffing15 det.T1041Exfiltration Over C2 Channel32 det.T1053.005Scheduled Task100 det.T1055Process Injection81 det.T1055.001Dynamic-link Library Injection13 det.T1055.012Process Hollowing9 det.T1056.001Keylogging4 det.T1057Process Discovery21 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1059.006Python51 det.T1059.007JavaScript63 det.T1070.004File Deletion43 det.T1070.006Timestomp10 det.T1071.001Web Protocols81 det.T1071.002File Transfer Protocols1 det.T1071.003Mail Protocols4 det.T1074.001Local Data Staging10 det.T1078.003Local Accounts23 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1098.007Additional Local or Domain Groups10 det.T1102.001Dead Drop Resolver8 det.T1102.002Bidirectional Communication16 det.T1105Ingress Tool Transfer184 det.T1106Native API29 det.T1111Multi-Factor Authentication Interception1 det.T1112Modify Registry203 det.T1113Screen Capture18 det.T1114.002Remote Email Collection18 det.T1114.003Email Forwarding Rule15 det.T1115Clipboard Data16 det.T1124System Time Discovery4 det.T1133External Remote Services74 det.T1136.001Local Account43 det.T1140Deobfuscate/Decode Files or Information58 det.T1176.001Browser Extensions5 det.T1185Browser Session Hijacking13 det.T1190Exploit Public-Facing Application227 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1204.004Malicious Copy and Paste9 det.T1205Traffic Signaling1 det.T1217Browser Information Discovery4 det.T1218.005Mshta49 det.T1218.010Regsvr3243 det.T1218.011Rundll3275 det.T1219.002Remote Desktop Software52 det.T1489Service Stop58 det.T1497.001System Checks6 det.T1505.003Web Shell65 det.T1518.001Security Software Discovery10 det.T1534Internal Spearphishing234 det.T1539Steal Web Session Cookie16 det.T1543.003Windows Service79 det.T1546.001Change Default File Association7 det.T1547.001Registry Run Keys / Startup Folder53 det.T1550.002Pass the Hash10 det.T1552.001Credentials In Files61 det.T1552.004Private Keys23 det.T1553.002Code Signing4 det.T1555.003Credentials from Web Browsers16 det.T1557Adversary-in-the-Middle39 det.T1559.001Component Object Model17 det.T1560.001Archive via Utility26 det.T1562.001Disable or Modify Tools316 det.T1562.004Disable or Modify System Firewall48 det.T1564.002Hidden Users8 det.T1564.003Hidden Window11 det.T1566Phishing1100 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1567.002Exfiltration to Cloud Storage31 det.T1568Dynamic Resolution11 det.T1583Acquire Infrastructure1 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1584.001Domains3 det.T1587Develop Capabilities4 det.T1587.001Malware10 det.T1588.002Tool13 det.T1589.002Email Addresses2 det.T1598Phishing for Information1002 det.T1598.003Spearphishing Link312 det.T1608.001Upload Malware3 det.T1620Reflective Code Loading15 det.T1656Impersonation223 det.T1657Financial Theft15 det.T1685Disable or Modify Tools279 det.T1686Disable or Modify System Firewall19 det.