Kimsuky (G0094) · category: state
🇰🇵 KP (North Korea) · affiliation: RGB (Reconnaissance General Bureau)
aka Kimsuky, Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail, Earth Kumiho, PatheticSlug
Last updated: 2026-07-03
About this actor
[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI) DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under [Lazarus Group](https://attack.mitre.org/groups/G0032), rather than
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2025 — 2 CVEs published, 1 KEV entry added
Profile
| CVE | KEV | Risk (site score) | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|---|
| CVE-2025-49706 | yes | 10.0 | 6.5 | 0.9988 | 2025-07-08 | see CVE |
| CVE-2025-12562 | no | 5.5 | 7.5 | 0.0076 | 2025-12-11 | see CVE |
| CVE-2026-22813 | no | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |
ATT&CK techniques (in ID order, as listed): T1003, T1003.001, T1005, T1007, T1012, T1016, T1020, T1021, T1021.001, T1027, T1027.001, T1027.002, T1027.007, T1027.010, T1027.012, T1027.013, T1027.015, T1027.016, T1033, T1036, T1036.004, T1036.005, T1036.007, T1040, T1041, T1053, T1053.005, T1055, T1055.001, T1055.012, T1056, T1056.001, T1056.003, T1057, T1059, T1059.001, T1059.003, T1059.005, T1059.006, T1059.007, T1070, T1070.004, T1070.006, T1071, T1071.001, T1071.002, T1071.003, T1074, T1074.001, T1078, T1078.003, T1082, T1083, T1098, T1098.007, T1102, T1102.001, T1102.002, T1105, T1106, T1111, T1112, T1113, T1114, T1114.002, T1114.003, T1115, T1124, T1132, T1132.002, T1133, T1136, T1136.001, T1140, T1176, T1176.001, T1185, T1190, T1204, T1204.001, T1204.002, T1204.004, T1205, T1217, T1218, T1218.005, T1218.010, T1218.011, T1219, T1219.002, T1480, T1480.002, T1489, T1497, T1497.001, T1505, T1505.003, T1518, T1518.001, T1534, T1539, T1543, T1543.003, T1546, T1546.001, T1547, T1547.001, T1550, T1550.002, T1552, T1552.001, T1552.004, T1553, T1553.002, T1555, T1555.003, T1557, T1559, T1559.001, T1560
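The technique list on this profile is exported as ATT&CK IDs run together with no separator, which is awkward to feed into coverage tooling. The script below is an added example (not code from MITRE ATT&CK or from this site): it splits that string into individual technique and sub-technique IDs with a round-trip check that rejects damaged input, groups sub-techniques under their parents, and emits an ATT&CK Navigator layer that highlights the listed techniques. The embedded `RAW_TECHNIQUES` string is a constructed excerpt of the page's list, not the full set; the Navigator layer field names follow the Navigator layer JSON format, while the version numbers in `versions` are assumptions to be set for the Navigator build you load it into.

```python
import json
import re

# The technique list as it appears on this profile: ATT&CK IDs run together
# with no separator. This is a constructed excerpt of the page's own string,
# not the full 171-technique list.
RAW_TECHNIQUES = (
    "T1003T1003.001T1005T1007T1012T1016T1020T1021T1021.001T1027T1027.001"
    "T1027.002T1027.007T1027.010T1027.012T1027.013T1027.015T1027.016T1033"
    "T1036T1036.004T1036.005T1036.007T1040T1041T1053T1053.005T1055T1055.001"
    "T1055.012T1056T1056.001T1056.003T1057T1059T1059.001T1059.003T1059.005"
    "T1059.006T1059.007T1070T1070.004T1070.006T1071T1071.001T1071.002T1071.003"
)

# An ATT&CK technique ID is 'T' plus four digits; a sub-technique appends '.NNN'.
TECHNIQUE_RE = re.compile(r"T\d{4}(?:\.\d{3})?")


def parse_technique_ids(raw: str) -> list[str]:
    """Split a run-together ID string into individual technique IDs.

    The round-trip check rejects input with leftover characters (for example a
    five-digit 'T10003' or a stray letter), so a damaged extraction fails loudly
    instead of being silently mis-split. Duplicates are dropped, order is kept.
    """
    ids = TECHNIQUE_RE.findall(raw)
    if "".join(ids) != raw:
        raise ValueError("input contains text that is not an ATT&CK technique ID")
    seen: set[str] = set()
    ordered: list[str] = []
    for tid in ids:
        if tid not in seen:
            seen.add(tid)
            ordered.append(tid)
    return ordered


def group_subtechniques(ids: list[str]) -> dict[str, list[str]]:
    """Map each parent technique ID to the sub-technique IDs listed under it.

    A sub-technique whose parent is not itself in the list still creates an
    entry for that parent, so nothing is lost when building coverage views.
    """
    groups: dict[str, list[str]] = {}
    for tid in ids:
        parent, _, sub = tid.partition(".")
        groups.setdefault(parent, [])
        if sub:
            groups[parent].append(tid)
    return groups


def navigator_layer(ids: list[str], name: str, score: int = 1) -> dict:
    """Build an ATT&CK Navigator layer (as a dict) that highlights the given IDs.

    Top-level field names follow the Navigator layer JSON format. The version
    numbers are assumptions: set them to match the Navigator build you use.
    """
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": "listed on actor profile"}
            for tid in ids
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": score},
    }


if __name__ == "__main__":
    techniques = parse_technique_ids(RAW_TECHNIQUES)
    groups = group_subtechniques(techniques)
    print(f"{len(techniques)} IDs across {len(groups)} parent techniques")
    print(json.dumps(navigator_layer(techniques, "Kimsuky (G0094) profile"), indent=2))
```

Redirect the printed JSON to a file and open it in Navigator with "Open Existing Layer"; to compare against your own detection coverage, build a second layer from your rule set and use Navigator's layer-combination (score expression) feature rather than eyeballing the two.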
Mitigating controls (NIST 800-53)
Coverage is the share of the 171 techniques attributed to this actor that map to the control.
| Control | Name | Techniques covered | Coverage |
|---|---|---|---|
| SI-4 | System Monitoring | 85 / 171 | 50% |
| CM-6 | Configuration Settings | 74 / 171 | 43% |
| CM-2 | Baseline Configuration | 63 / 171 | 37% |
| SI-3 | Malicious Code Protection | 59 / 171 | 34% |
| AC-6 | Least Privilege | 53 / 171 | 31% |
| AC-3 | Access Enforcement | 52 / 171 | 30% |
| CA-7 | Continuous Monitoring | 51 / 171 | 30% |
| CM-7 | Least Functionality | 48 / 171 | 28% |
| SC-7 | Boundary Protection | 46 / 171 | 27% |
| AC-2 | Account Management | 45 / 171 | 26% |
| AC-4 | Information Flow Enforcement | 42 / 171 | 25% |
| SI-7 | Software, Firmware, and Information Integrity | 41 / 171 | 24% |
| IA-2 | Identification and Authentication (Organizational Users) | 39 / 171 | 23% |
| AC-5 | Separation of Duties | 34 / 171 | 20% |
| CM-5 | Access Restrictions for Change | 33 / 171 | 19% |
Co-occurring actors
- SharePoint ToolShell Exploitation (1 shared CVE)
- Mustang Panda (1 shared CVE)
- MuddyWater (1 shared CVE)
- Gamaredon Group (1 shared CVE)
- Volt Typhoon (1 shared CVE)
Similar actors
Similar TTPs
- Magic Hound 0.37
- Mustang Panda 0.37
- Lazarus Group 0.36
- APT32 0.36
- Gamaredon Group 0.34
Overlapping CVEs
- Gamaredon Group 0.33
- MuddyWater 0.25
- Mustang Panda 0.25
- Volt Typhoon 0.17
- SharePoint ToolShell Exploitation 0.11
Active in same years
- SharePoint ToolShell Exploitation 2.00
- Volt Typhoon 2.00
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
Same nation-state
- Operation Dream Job 1.00
- 3CX Supply Chain Attack 1.00
- Lazarus Group 1.00
- APT37 1.00
- APT38 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00