#kimsuky

DPRK-aligned APT (also tracked as Velvet Chollima, TA427, Black Banshee)


IOCs by window

Today: 18
Week: 142
Month: 614
Year: 1,914

Each count is the number of IOCs tagged #kimsuky in that window.

Counts as of 2026-04-28. Regenerated daily.

About #kimsuky

  • Threat actor: DPRK-aligned APT active since at least 2012, also tracked as Velvet Chollima (CrowdStrike), TA427 (Proofpoint) and Black Banshee (PwC); Mandiant tracks the overlapping cluster as APT43.
  • Targets: South Korean government, defense and academic organisations; expanded to think tanks and research institutions in the US, Japan and Europe.
  • Tactics: spear-phishing with weaponised HWP (Hangul Word Processor) and PDF attachments, custom backdoors (BabyShark, AppleSeed, GoldDragon), and credential harvesting through fake login pages that mimic legacy webmail portals.
  • References: MITRE ATT&CK G0094 · CISA AA20-301A.

Recent IOCs tagged #kimsuky

Latest 10 unique IOCs (by source and type) from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/kimsuky.

Date Type Value Source
Apr 28, 18:33 domain inlinepol1s.roxa.org @skocherhan
Apr 28, 18:33 url http://inlinepol1s.roxa.org @skocherhan
Apr 25, 18:00 domain bigfile.navcloudstorage.n-e.kr @phatomcandle
Apr 25, 18:00 url http://bigfile.navcloudstorage.n-e.kr @phatomcandle
Apr 25, 18:00 ip 163.245.215.46 @phatomcandle
Apr 22, 11:22 ip 118.194.248.246 @skocherhan
Apr 18, 21:52 url https://raw.githubusercontent.com/phishdestroy/destroylist/... @medsci_yb3r
Apr 18, 14:22 sha256 16c69532d7fb0360ca18376339e05196fe8f4f0ccad7ae13eefe453f893e61fd @skocherhan
Apr 17, 02:21 domain mobileokgroup.site @cyberwar_15
Apr 17, 02:21 url http://mobileokgroup.site @cyberwar_15
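The live JSON endpoint above is the natural input for automated matching. The following Python is an added example, not TweetFeed's own code. It assumes the API returns records with date, user, type, value and tags fields (an assumption; check the real response before relying on it), builds a per-type index from a constructed feed sample drawn from the table above, and scans constructed proxy, DNS, firewall and EDR log lines for hits, reporting who posted each indicator and its tags so an analyst can weigh a hit against its source. Matching is structural (URL host plus path prefix, domain or subdomain, exact IP and hash) rather than substring, so a listed domain does not fire on an unrelated longer host name.

```python
"""Match a TweetFeed-style IOC list against log lines. Added example, not
TweetFeed's own code: the record shape (date, user, type, value, tags) is an
assumption about the API's JSON, and the records and log lines are constructed."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the assumed shape of api.tweetfeed.live/v1/month/kimsuky.
SAMPLE_FEED = json.dumps([
    {"date": "2026-04-28 18:33:00", "user": "skocherhan", "type": "url",
     "value": "http://inlinepol1s.roxa.org", "tags": ["#kimsuky", "#C2"]},
    {"date": "2026-04-25 18:00:00", "user": "phatomcandle", "type": "domain",
     "value": "bigfile.navcloudstorage.n-e.kr", "tags": ["#kimsuky"]},
    {"date": "2026-04-25 18:00:00", "user": "phatomcandle", "type": "ip",
     "value": "163.245.215.46", "tags": ["#kimsuky"]},
    {"date": "2026-04-18 14:22:00", "user": "skocherhan", "type": "sha256",
     "value": "16c69532d7fb0360ca18376339e05196fe8f4f0ccad7ae13eefe453f893e61fd",
     "tags": ["#kimsuky", "#malware"]},
])

# Constructed log lines of several shapes (proxy, DNS, firewall, EDR, benign).
SAMPLE_LOGS = [
    "2026-04-29T08:12:01Z proxy src=10.0.0.15 GET http://inlinepol1s.roxa.org/update.php 200",
    "2026-04-29T08:12:03Z dns client=10.0.0.15 query=bigfile.navcloudstorage.n-e.kr type=A",
    "2026-04-29T08:12:09Z fw src=10.0.0.15 dst=163.245.215.46 dport=443 action=allow",
    "2026-04-29T08:13:40Z edr host=ws15 proc=winword.exe "
    "sha256=16c69532d7fb0360ca18376339e05196fe8f4f0ccad7ae13eefe453f893e61fd",
    "2026-04-29T08:14:00Z proxy src=10.0.0.22 GET https://updates.example.com/ok 200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)

def url_key(url):
    """(lower-cased host, path without trailing slash) so URLs compare structurally."""
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path.rstrip("/") or "/"

def build_index(feed_json):
    """Group records by type, normalising each value the way log tokens will be."""
    index = {"domain": {}, "url": {}, "ip": {}, "sha256": {}}
    for rec in json.loads(feed_json):
        kind, value = rec["type"], rec["value"].strip()
        if kind == "domain":
            key = value.lower().rstrip(".")
        elif kind == "url":
            key = url_key(value)
        elif kind in ("ip", "sha256"):
            key = value.lower()
        else:
            continue  # md5, sha1 and other types are left out of this demo
        index[kind][key] = rec
    return index

def domain_hit(host, domains):
    """Exact match or a subdomain of a listed domain; never matches on the bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_line(line, index):
    """Yield (type, indicator, record) for every listed IOC found in one log line."""
    for url in URL_RE.findall(line):
        host, path = url_key(url)
        for (ihost, ipath), rec in index["url"].items():
            if host == ihost and (path == ipath or path.startswith(ipath.rstrip("/") + "/")):
                yield "url", rec["value"], rec
    for host in HOST_RE.findall(line):  # also catches file names; they simply miss the index
        match = domain_hit(host, index["domain"])
        if match:
            yield "domain", match, index["domain"][match]
    for ip in IPV4_RE.findall(line):
        if ip in index["ip"]:
            yield "ip", ip, index["ip"][ip]
    for digest in SHA256_RE.findall(line):
        if digest.lower() in index["sha256"]:
            yield "sha256", digest.lower(), index["sha256"][digest.lower()]

def scan_logs(lines, index):
    """One hit per (line, type, indicator), carrying who reported it and its tags."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for kind, indicator, rec in scan_line(line, index):
            if (kind, indicator) not in seen:
                seen.add((kind, indicator))
                hits.append({"line": n, "type": kind, "indicator": indicator,
                             "source": rec["user"], "tags": rec["tags"]})
    return hits

def defang(kind, value):
    """Render an indicator so it cannot be clicked or auto-linked in a ticket or chat."""
    if kind == "url":
        value = value.replace("http", "hxxp", 1)
    return value.replace(".", "[.]") if kind in ("url", "domain", "ip") else value
```

Call scan_logs(SAMPLE_LOGS, build_index(SAMPLE_FEED)) to get the hits; use defang only when writing them up, and keep the index on the live values. A match against a community-sourced feed is a triage signal rather than a verdict: the hit carries the reporting account so the source tweet can be checked before anything is blocked.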

Related tags

Tags that frequently co-occur with #kimsuky in the past 30 days.

  • #DPRK
  • #APT
  • #C2
  • #malware
  • #Lazarus

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is Kimsuky?

Kimsuky is a DPRK-aligned advanced persistent threat (APT) group active since at least 2012. It is also tracked under the names Velvet Chollima (CrowdStrike), TA427 (Proofpoint) and Black Banshee (PwC); Mandiant tracks the overlapping cluster as APT43. Kimsuky targets South Korean government, defense and academic organisations, and has expanded to think tanks and research institutions in the United States, Japan and Europe. The group is known for spear-phishing with weaponised HWP and PDF documents, credential harvesting through fake webmail login pages, and custom backdoors such as BabyShark, AppleSeed and GoldDragon.

Is Kimsuky the same as Lazarus?

No. Both Kimsuky and Lazarus are DPRK-aligned, but they are distinct clusters tracked separately by attribution analysts, and their priorities differ. Lazarus is best known for financially motivated intrusions (cryptocurrency exchanges, banks), whereas Kimsuky concentrates on intelligence collection against foreign-policy, defense and academic targets. The #Lazarus tag on TweetFeed groups its own IOCs separately.

How is this list updated?

The feed itself updates every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. A newly reported Kimsuky IOC therefore appears in the live JSON (api.tweetfeed.live/v1/month/kimsuky) within the next 15-minute tick, while the counts and tables on this page are regenerated once a day by a GitHub Action and can lag the feed by up to a day.
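To make the extract-and-tag step concrete, here is an added, simplified reimplementation in Python. It is not TweetFeed's pipeline code (this page does not document its exact rules), and the tweets it runs on are constructed, with indicator values borrowed from the table above and the surrounding text invented. It refangs the defanging conventions researchers use (hxxp, [.], (.), [:]), pulls URLs, hashes, IPs and domains out of the text, blanks each span as it goes so a host name inside a URL is not also reported as a domain, skips dotted file names such as a .hwp lure, and tags every record with the tweet's lower-cased hashtags.

```python
"""Extract and tag IOCs from researcher tweet text. Added example and an
illustrative reimplementation, not TweetFeed's extraction code; the sample
tweets are constructed for the demo."""
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
HASHTAG_RE = re.compile(r"#\w+")
# Dotted tokens that look like domains but are file names (HWP lures included).
FILE_EXT = {"exe", "dll", "zip", "rar", "hwp", "pdf", "doc", "docx", "lnk",
            "js", "vbs", "hta", "ps1", "txt"}

# Constructed tweets: indicator values from this page's table, text invented.
SAMPLE_TWEETS = [
    {"date": "2026-04-28 18:33:00", "user": "skocherhan",
     "text": "#Kimsuky C2 seen today: hxxp://inlinepol1s[.]roxa[.]org. Drops update.hwp, "
             "resolves to 118[.]194[.]248[.]246, SHA256 "
             "16c69532d7fb0360ca18376339e05196fe8f4f0ccad7ae13eefe453f893e61fd #APT #DPRK #C2"},
    {"date": "2026-04-17 02:21:00", "user": "cyberwar_15",
     "text": "Phishing kit on mobileokgroup [.] site posing as a webmail login #kimsuky #phishing"},
]

def refang(text):
    """Undo the usual defanging conventions so the standard regexes apply."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\s+\[\s*(?:\.|dot)\s*\]\s+", ".", text, flags=re.I)   # "a [.] b"
    text = re.sub(r"\[\s*(?:\.|dot)\s*\]|\(\.\)", ".", text, flags=re.I)  # "a[.]b", "a(.)b"
    return re.sub(r"\[:\]", ":", text)

def take(pattern, text):
    """Return the matches and the text with those spans blanked, so later
    patterns cannot re-match inside an indicator that was already extracted."""
    return pattern.findall(text), pattern.sub(" ", text)

def extract(tweet):
    """Turn one tweet dict into TweetFeed-style records tagged with its hashtags."""
    text = refang(tweet["text"])
    tags = []
    for tag in HASHTAG_RE.findall(text):
        if tag.lower() not in tags:
            tags.append(tag.lower())
    records = []

    def emit(kind, value):
        records.append({"date": tweet["date"], "user": tweet["user"],
                        "type": kind, "value": value, "tags": list(tags)})

    urls, text = take(URL_RE, text)
    for url in urls:
        emit("url", url.rstrip(".,;:!?)"))  # sentence punctuation glued to the URL
    sha256s, text = take(SHA256_RE, text)
    for digest in sha256s:
        emit("sha256", digest.lower())
    md5s, text = take(MD5_RE, text)
    for digest in md5s:
        emit("md5", digest.lower())
    ips, text = take(IPV4_RE, text)
    for ip in ips:
        emit("ip", ip)
    domains, text = take(DOMAIN_RE, text)
    for domain in domains:
        if domain.rsplit(".", 1)[1].lower() not in FILE_EXT:
            emit("domain", domain.lower())
    return records

def extract_all(tweets):
    """Flatten the records for a batch of tweets, in tweet order."""
    return [rec for tweet in tweets for rec in extract(tweet)]
```

Run extract_all(SAMPLE_TWEETS) to see the records. The order of the take() calls matters: URLs go first so their hosts are not double-reported, and SHA-256 before MD5 so a 32-hex-character window inside a longer hash is never mistaken for an MD5. The FILE_EXT allow-list is the cheap defence against the classic false positive of this approach, a dotted file name parsed as a domain.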

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Kimsuky subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Kimsuky IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).