Cyber Resilience


Kimsuky G0094 state

🇰🇵 KP · RGB

aka Kimsuky, Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail, Earth Kumiho, PatheticSlug

Last updated: 2026-07-03

3 attributed CVEs
171 ATT&CK techniques
10.6 IDF score (tooling uniqueness)
1 exclusive CVEs
2025–2026 years active

About this actor

[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI) DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under [Lazarus Group](https://attack.mitre.org/groups/G0032), rather than

Source: MITRE ATT&CK

Profile

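| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2025-49706 KEV | 10.0 | 6.5 | 0.9988 | 2025-07-08 | see CVE |
| CVE-2025-12562 | 5.5 | 7.5 | 0.0076 | 2025-12-11 | see CVE |
| CVE-2026-22813 | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |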

Mitigating controls (NIST 800-53)

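| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 85 / 171 | 50% |
| CM-6 | 74 / 171 | 43% |
| CM-2 | 63 / 171 | 37% |
| SI-3 | 59 / 171 | 34% |
| AC-6 | 53 / 171 | 31% |
| AC-3 | 52 / 171 | 30% |
| CA-7 | 51 / 171 | 30% |
| CM-7 | 48 / 171 | 28% |
| SC-7 | 46 / 171 | 27% |
| AC-2 | 45 / 171 | 26% |
| AC-4 | 42 / 171 | 25% |
| SI-7 | 41 / 171 | 24% |
| IA-2 | 39 / 171 | 23% |
| AC-5 | 34 / 171 | 20% |
| CM-5 | 33 / 171 | 19% |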
