Kimsuky
Aliases: Kimsuky, Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail, Earth Kumiho, Pathetic Slug
[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national securi...
Techniques: 134
Covered: 109
Gaps: 25
Coverage: 81% (109/134)
GAPS (25)
T1027.007  Dynamic API Resolution
T1027.016  Junk Code Insertion
T1056.003  Web Portal Capture
T1132.002  Non-Standard Encoding
T1480.002  Mutual Exclusion
T1560.003  Archive via Custom Method
T1564.011  Ignore Process Interrupts
T1583.004  Server
T1585  Establish Accounts
T1585.001  Social Media Accounts
T1585.002  Email Accounts
T1586.002  Email Accounts
T1588.003  Code Signing Certificates
T1588.005  Exploits
T1589.003  Employee Names
T1591  Gather Victim Org Information
T1593  Search Open Websites/Domains
T1593.001  Social Media
T1593.002  Search Engines
T1594  Search Victim-Owned Websites
T1596  Search Open Technical Databases
T1678  Delay Execution
T1680  Local Storage Discovery
T1682  Query Public AI Services
T1684.001  Impersonation
COVERED (109)
T1003.001  LSASS Memory  (111 det.)
T1005  Data from Local System  (47 det.)
T1007  System Service Discovery  (15 det.)
T1012  Query Registry  (24 det.)
T1016  System Network Configuration Discovery  (39 det.)
T1020  Automated Exfiltration  (20 det.)
T1021.001  Remote Desktop Protocol  (53 det.)
T1027  Obfuscated Files or Information  (561 det.)
T1027.001  Binary Padding  (3 det.)
T1027.002  Software Packing  (1 det.)
T1027.010  Command Obfuscation  (38 det.)
T1027.012  LNK Icon Smuggling  (1 det.)
T1027.013  Encrypted/Encoded File  (8 det.)
T1027.015  Compression  (2 det.)
T1033  System Owner/User Discovery  (61 det.)
T1036.004  Masquerade Task or Service  (7 det.)
T1036.005  Match Legitimate Resource Name or Location  (44 det.)
T1036.007  Double File Extension  (4 det.)
T1040  Network Sniffing  (15 det.)
T1041  Exfiltration Over C2 Channel  (31 det.)
T1053.005  Scheduled Task  (99 det.)
T1055  Process Injection  (79 det.)
T1055.001  Dynamic-link Library Injection  (13 det.)
T1055.012  Process Hollowing  (9 det.)
T1056.001  Keylogging  (4 det.)
T1057  Process Discovery  (20 det.)
T1059.001  PowerShell  (368 det.)
T1059.003  Windows Command Shell  (82 det.)
T1059.005  Visual Basic  (68 det.)
T1059.006  Python  (49 det.)
T1059.007  JavaScript  (61 det.)
T1070.004  File Deletion  (42 det.)
T1070.006  Timestomp  (10 det.)
T1071.001  Web Protocols  (80 det.)
T1071.002  File Transfer Protocols  (1 det.)
T1071.003  Mail Protocols  (4 det.)
T1074.001  Local Data Staging  (10 det.)
T1078.003  Local Accounts  (23 det.)
T1082  System Information Discovery  (86 det.)
T1083  File and Directory Discovery  (48 det.)
T1098.007  Additional Local or Domain Groups  (10 det.)
T1102.001  Dead Drop Resolver  (7 det.)
T1102.002  Bidirectional Communication  (15 det.)
T1105  Ingress Tool Transfer  (183 det.)
T1106  Native API  (29 det.)
T1111  Multi-Factor Authentication Interception  (1 det.)
T1112  Modify Registry  (203 det.)
T1113  Screen Capture  (18 det.)
T1114.002  Remote Email Collection  (18 det.)
T1114.003  Email Forwarding Rule  (15 det.)
T1115  Clipboard Data  (16 det.)
T1124  System Time Discovery  (4 det.)
T1133  External Remote Services  (72 det.)
T1136.001  Local Account  (43 det.)
T1140  Deobfuscate/Decode Files or Information  (58 det.)
T1176.001  Browser Extensions  (5 det.)
T1185  Browser Session Hijacking  (13 det.)
T1190  Exploit Public-Facing Application  (216 det.)
T1204.001  Malicious Link  (10 det.)
T1204.002  Malicious File  (425 det.)
T1204.004  Malicious Copy and Paste  (8 det.)
T1205  Traffic Signaling  (1 det.)
T1217  Browser Information Discovery  (4 det.)
T1218.005  Mshta  (49 det.)
T1218.010  Regsvr32  (43 det.)
T1218.011  Rundll32  (75 det.)
T1219.002  Remote Desktop Software  (50 det.)
T1489  Service Stop  (57 det.)
T1497.001  System Checks  (6 det.)
T1505.003  Web Shell  (63 det.)
T1518.001  Security Software Discovery  (10 det.)
T1534  Internal Spearphishing  (193 det.)
T1539  Steal Web Session Cookie  (15 det.)
T1543.003  Windows Service  (79 det.)
T1546.001  Change Default File Association  (7 det.)
T1547.001  Registry Run Keys / Startup Folder  (53 det.)
T1550.002  Pass the Hash  (10 det.)
T1552.001  Credentials In Files  (61 det.)
T1552.004  Private Keys  (22 det.)
T1553.002  Code Signing  (3 det.)
T1555.003  Credentials from Web Browsers  (16 det.)
T1557  Adversary-in-the-Middle  (32 det.)
T1559.001  Component Object Model  (17 det.)
T1560.001  Archive via Utility  (26 det.)
T1562.001  Disable or Modify Tools  (311 det.)
T1562.004  Disable or Modify System Firewall  (48 det.)
T1564.002  Hidden Users  (8 det.)
T1564.003  Hidden Window  (11 det.)
T1566  Phishing  (996 det.)
T1566.001  Spearphishing Attachment  (905 det.)
T1566.002  Spearphishing Link  (904 det.)
T1567.002  Exfiltration to Cloud Storage  (29 det.)
T1568  Dynamic Resolution  (10 det.)
T1583  Acquire Infrastructure  (1 det.)
T1583.001  Domains  (61 det.)
T1583.006  Web Services  (1 det.)
T1584.001  Domains  (3 det.)
T1587  Develop Capabilities  (4 det.)
T1587.001  Malware  (10 det.)
T1588.002  Tool  (13 det.)
T1589.002  Email Addresses  (2 det.)
T1598  Phishing for Information  (902 det.)
T1598.003  Spearphishing Link  (285 det.)
T1608.001  Upload Malware  (3 det.)
T1620  Reflective Code Loading  (14 det.)
T1656  Impersonation  (184 det.)
T1657  Financial Theft  (14 det.)
T1685  Disable or Modify Tools  (278 det.)
T1686  Disable or Modify System Firewall  (19 det.)
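Pages like this one are scraped as a single run-together string per list ("T1218.010Regsvr3243 det.T1218.011Rundll3275 det."), which is awkward to diff against another actor or to load into a coverage matrix. The Python below is an added example, not code from this page or from the tool that produced it: it splits such a string on ATT&CK technique IDs, separates each detection count from the technique name, and recomputes the headline figures (total, covered, gaps, coverage percentage), plus two things the dashboard does not surface: "covered" techniques that rest on three or fewer detections, and gap sub-techniques whose parent technique is not covered at all. The sample strings are a constructed excerpt in the page's layout, and the tuple of technique names that end in digits (Regsvr32, Rundll32) is an assumption: without it "Regsvr3243 det." cannot be split into name and count.

```python
"""Parse run-together ATT&CK coverage lists and recompute coverage figures."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ATT&CK technique IDs: "T" + four digits, optional ".NNN" sub-technique suffix.
TECH_ID = re.compile(r"T\d{4}(?:\.\d{3})?")

# Assumption: technique names that themselves end in digits. Needed because
# "Regsvr3243 det." is ambiguous without knowing the name is "Regsvr32".
DIGIT_SUFFIX_NAMES = ("Regsvr32", "Rundll32")

# Constructed excerpt in the page's layout (not the full lists from the page).
SAMPLE_GAPS = (
    "T1027.007Dynamic API ResolutionT1027.016Junk Code Insertion"
    "T1056.003Web Portal CaptureT1583.004ServerT1585Establish Accounts"
)
SAMPLE_COVERED = (
    "T1003.001LSASS Memory111 det.T1027.002Software Packing1 det."
    "T1218.010Regsvr3243 det.T1218.011Rundll3275 det."
    "T1566Phishing996 det.T1588.002Tool13 det."
)


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    detections: Optional[int]  # None for entries in a GAPS list (no count)


def split_entry(chunk: str) -> tuple[str, Optional[int]]:
    """Split 'Name123 det.' into ('Name', 123); a bare name yields (name, None)."""
    chunk = chunk.strip()
    if not chunk.endswith("det."):
        return chunk, None
    body = chunk[: -len("det.")].rstrip()
    for known in DIGIT_SUFFIX_NAMES:  # resolve names that end in digits first
        if body.startswith(known) and body[len(known):].isdigit():
            return known, int(body[len(known):])
    # Otherwise the count is the maximal run of digits at the end of the body.
    m = re.fullmatch(r"(.*?\D)(\d+)", body)
    if not m:
        raise ValueError(f"cannot separate detection count in {chunk!r}")
    return m.group(1), int(m.group(2))


def parse_techniques(blob: str) -> list[Technique]:
    """Cut the blob at every technique ID; each ID owns the text up to the next ID."""
    hits = list(TECH_ID.finditer(blob))
    out: list[Technique] = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        name, count = split_entry(blob[m.end():end])
        out.append(Technique(m.group(0), name, count))
    return out


def coverage_summary(covered: list[Technique], gaps: list[Technique]) -> dict:
    """Recompute the dashboard figures and flag thin or structurally weak coverage."""
    total = len(covered) + len(gaps)
    parent = lambda t: t.tid.split(".")[0]  # noqa: E731  T1218.010 -> T1218
    covered_parents = {parent(t) for t in covered}
    return {
        "techniques": total,
        "covered": len(covered),
        "gaps": len(gaps),
        "coverage_pct": round(100 * len(covered) / total) if total else 0,
        "total_detections": sum(t.detections or 0 for t in covered),
        # "Covered" by only a handful of rules is closer to a gap than the badge suggests.
        "thin_coverage": [t.tid for t in covered if t.detections is not None and t.detections <= 3],
        # Gap sub-techniques with no coverage at the parent either: true blind spots.
        "uncovered_parents": sorted({parent(t) for t in gaps} - covered_parents),
    }


if __name__ == "__main__":
    covered = parse_techniques(SAMPLE_COVERED)
    gaps = parse_techniques(SAMPLE_GAPS)
    for t in covered + gaps:
        print(f"{t.tid:<10} {t.name:<28} {t.detections if t.detections is not None else '-'}")
    for key, value in coverage_summary(covered, gaps).items():
        print(f"{key}: {value}")
```

Run against the page's two full strings, `coverage_summary` should reproduce 134 / 109 / 25 / 81%; the `thin_coverage` list is the more useful output, since a technique backed by a single detection (T1027.002, T1027.012, T1071.002 and others above) is covered only nominally.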