#Kimsuky

DPRK-aligned APT (also tracked as Velvet Chollima, TA427, Black Banshee)



IOCs by window (IOCs tagged #Kimsuky)

Today: 0
Week: 0
Month: 4,541
Year: 12,988

Counts as of 2026-06-29. Regenerated daily.

About #Kimsuky

  • Threat actor: DPRK-aligned APT active since at least 2012, also tracked as Velvet Chollima (CrowdStrike), TA427 (Proofpoint) and Black Banshee (Mandiant).
  • Targets: South Korean government, defense and academic organisations; expanded to think tanks and research institutions in the US, Japan and Europe.
  • Tactics: spear-phishing with weaponised HWP and PDF, custom backdoors (BabyShark, AppleSeed, GoldDragon), credential harvesting on legacy email portals, fake login pages.
  • References: MITRE ATT&CK G0094 · CISA AA20-301A.

Recent IOCs tagged #Kimsuky

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/kimsuky.

Date Type Value Source
Jun 21, 05:19 url https://drive.google.com/uc?export=download&id=1FA9TvcakCgf... @byrne_emmy12099
Jun 21, 05:19 domain lutkdd.corpsecs.com @byrne_emmy12099
Jun 21, 05:19 url https://lutkdd.corpsecs.com @byrne_emmy12099
Jun 21, 05:19 sha256 aeb972af2b685115c16acde4689c39bb3ac892438b0f131369fe3e661a7d... @byrne_emmy12099
Jun 12, 14:57 url http://152.32.138.15 @_IMalihi_
Jun 12, 14:57 url http://51.79.185.184 @_IMalihi_
Jun 12, 14:57 url http://176.111.220.168 @_IMalihi_
Jun 12, 14:57 domain aointerviews.com @_IMalihi_
Jun 12, 14:57 url http://aointerviews.com @_IMalihi_
Jun 12, 14:57 domain cert.smartbtc.dynv6.net @_IMalihi_

Related tags

Tags that frequently co-occur with #Kimsuky.


Frequently asked questions

What is Kimsuky?

Kimsuky is a DPRK-aligned advanced persistent threat (APT) group active since at least 2012. It is also tracked under the names Velvet Chollima (CrowdStrike), TA427 (Proofpoint) and Black Banshee (Mandiant). Kimsuky targets South Korean government, defense and academic organisations, and has expanded to research institutions in the United States, Japan and Europe. The group is known for spear-phishing, weaponised HWP and PDF documents, and custom backdoors such as BabyShark, AppleSeed and GoldDragon.

Is Kimsuky the same as Lazarus?

No. Both Kimsuky and Lazarus are DPRK-aligned, but they are distinct clusters tracked by different attribution analysts and target different verticals. Lazarus focuses on financial gain (cryptocurrency exchanges, banks). Kimsuky focuses on intelligence collection (foreign policy, defense, academic). The #Lazarus tag on TweetFeed groups its own IOCs separately.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Kimsuky-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Kimsuky subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Kimsuky IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).