Exklusiv: Nordkoreanische Hackergruppe hinter mutmaßlichem Datenleck enttarnt

Cyberangriff mit politischem Beigeschmack: Eine hochkarätige Hackergruppe aus Nordkorea steht im Verdacht, sensible Daten erbeutet zu haben. Die Methoden gleichen bekannten State-Sponsored-Attacken – während gleichzeitig der Bitcoin-Kurs neue ATHs jagt. Prioritäten, huh?

Technische Indizien deuten auf Lazarus Group: Die Taktik passt ins Muster der berüchtigten APT38, die bereits für die 81-Millionen-Dollar-Bitfinex-Hacks verantwortlich gemacht wurde. Diesmal könnten jedoch Regierungsnetzwerke im Visier stehen.

Security-Experten schlagen Alarm: ‚Diese Angriffe zeigen chirurgische Präzision – und werden dank Krypto-Washing immer schwerer zu verfolgen‘, kommentiert ein FSA-Insider. Gleichzeitig pumpen Retail-Investoren weiter Geld in shitcoins. Ironie des digitalen Zeitalters.

North Korean hacker group exposed in suspected data breach

According to Slow Mist security researchers, the leaked Kimsuky hacker data includes browser histories, phishing campaign logs, manuals for custom backdoors, and offensive systems such as the TomCat kernel backdoor, modified Cobalt Strike beacons, Ivanti RootRot, and Android-based malware variants like Toybox.

The reports suspect that the data breach occurred in early June 2025, and traced it back to two compromised systems linked to a Kimsuky operator working under the “KIM” alias. One was a Linux development workstation running Deepin 20.9, while the other was a public-facing VPS. The Linux system likely served as a malware development environment, while the other hosts spear-phishing material, including fake login portals and command-and-control links.

The hackers behind the breach, calling themselves “Saber” and “cyb0rg,” claim they accessed and exfiltrated the contents of both systems before publishing them online. While some indicators tie “KIM” to Kimsuky’s known infrastructure, other linguistic and technical clues suggest a possible Chinese link, so for now KIM’s origins remain unresolved.

Kimsuky has operated since at least 2012

Kimsuky has connections to North Korea’s Reconnaissance General Bureau since it first popped up in 2012. The group has long specialized in cyber-espionage targeting governments, think tanks, defense contractors, and academia.

In early 2025, Kimsuky campaigns like DEEP#DRIVE used multi-stage intrusion chains beginning with compressed ZIP files containing Windows shortcut (LNK) files disguised as documents. When victims open those files, the LNK files launch PowerShell commands that retrieve malicious payloads from services like Dropbox, using decoy documents to appear legitimate and avoid detection.

Kimsuky campaigns from March and April of 2025 introduced jumbled VBScript and PowerShell code embedded in malicious ZIP archives. These scripts assembled commands covertly, deploying malware to harvest keystrokes, capture clipboard data, and steal cryptocurrency wallet keys from browsers, including Chrome, Edge, Firefox, and Naver Whale.

Some operations shifted to using malicious LNK files paired with VBScript that invoked mshta.exe to execute reflective DLL-based malware directly in memory.

Around the same period, Kimsuky began deploying custom RDP Wrapper modules and proxy malware to enable stealthy remote access. Info-stealers like forceCopy were used to harvest credentials from browser configuration files without triggering standard password-access alerts.

The group has also abused popular cloud and code-hosting services. In one spear-phishing campaign in June 2025 targeting South Korea, private GitHub repositories were used to store malware and exfiltrated data. These campaigns delivered payloads such as XenoRAT while using Dropbox as a staging ground for stolen files. This dual use of trusted platforms for both delivery and exfiltration allowed Kimsuky to hide its malicious activity within the legitimate network’s traffic.

If you're reading this, you’re already ahead. Stay there with our newsletter.