Analyst Report
Back to Newsroom

Cybereason Researchers Uncover North Korean APT Operation Targeting Government, Defense and Human Rights Groups

Nov 2, 2020

Cybereason, the leader in future-ready attack protection, today announced that the Cybereason Nocturnus Team has identified a newly discovered modular spyware suite dubbed KGH_SPY and a new malware strain dubbed CSPY Downloader being employed in attacks by cyber espionage group Kimsuky which is believed to be operating on behalf of the North Korean regime.

This APT group has been observed targeting a wide array of victims that include public and private sector companies in the U.S., Europe, Japan, South Korea and Russia. The target organizations include pharmaceutical and research companies working on COVID-19 therapies, government and defense organizations, journalists and various human rights groups. The full report is available here:

Key Findings:

  • -Discovery of a New Modular Spyware Suite: KGH_SPY is a modular suite of tools that provides the threat actors with reconnaissance, keylogging, information stealing and backdoor capabilities
  • -Discovery of a Stealthy New Malware: CSPY Downloader is a tool designed to evade analysis and download additional payloads
  • -New Infrastructure: Newly discovered infrastructure registered between 2019-2020 that overlaps with another Kimsuky’s malware called BabyShark that was used in the past to target US-based Think tanks
  • -Anti-Forensics: The creation/compilation timestamps of malware in the report appear to have been tampered with and backdated to 2016 in an attempt to thwart forensic investigation
  • -Behavioral and Code Similarities to Other Kimsuky Malware: The newly discovered malware shares various behavioral and code similarities to known Kimsuky malware, including: code signing with EGIS revoked certificate; shared strings; file naming convention; string decryption algorithms; PDB paths referencing authors / projects
  • -Undetected by Antivirus: At the time of writing this report, some of the mentioned tools are not detected by any antivirus vendors except Cybereason
  • -Previous Targets Include: Pharmaceutical/Research companies working on COVID-19 vaccines and therapies; UN Security Council; South Korean Ministry of Unification; Various Human Rights Organizations; Korea Institute for Defense Analysis; Various Education and Academic Organizations; Various Think Tanks; Government Research Institutes; Journalists covering Korean Peninsula relations; South Korean Military


Kimsuky (aka Velvet Chollima, Black Banshee and Thallium) has been active since 2012 and is known for their complex infrastructure that uses free-registered domains, compromised domains and private domains registered by the group. The Cybereason Nocturnus Team also observed operational infrastructure overlaps with BabyShark malware and connections to malware such as the AppleSeed backdoor.

The KGH_SPY suite infection vector appears to be by way of Word documents containing malicious macros, and the malware includes several components used to harvest information, run arbitrary commands and spy on the user activities by way of a keylogger and a backdoor component. Some of the components of the KGH Spyware suite remain undetected by antivirus vendors.

CSPY Downloader is a sophisticated tool with extensive anti-analysis and evasion capabilities that allow the attackers to determine if “the coast is clear” before downloading additional payloads. In addition to the phishing documents which focus on Korean-related topics, other forensic evidence embedded in the malware itself includes Korean language snippets from the time of the malware’s creation.

“Kimsuky has a rich and notorious history dating back to 2012 of targeting South Korea, but over the past few years they have expanded their global reach. Our newest discovery shows Kimsuky carrying out targeted cyber espionage campaigns against an array of victims including governments, research institutes and human rights groups. Since the new malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.

About Cybereason
Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere. Cybereason is a privately held, international company headquartered in Boston with customers in more than 30 countries.

Media Contact:

Bill Keeler
Senior Director, Global Public Relations
(929) 259-3261