{
"type": "bundle",
"id": "bundle--301258e4-eca0-4d0a-9417-87803566155b",
"spec_version": "2.0",
"objects": [
{
"type": "intrusion-set",
"spec_version": "2.1",
"id": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f",
"created": "2019-08-26T15:03:02.577Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0094",
"external_id": "G0094"
},
{
"source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026",
"description": "Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.",
"url": "https://blog.cloudflare.com/2026-threat-report/"
},
{
"source_name": "PatheticSlug",
"description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)"
},
{
"source_name": "Black Banshee",
"description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)"
},
{
"source_name": "THALLIUM",
"description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)"
},
{
"source_name": "APT43",
"description": "(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)"
},
{
"source_name": "Emerald Sleet",
"description": "(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA427 April 2024)"
},
{
"source_name": "TA427",
"description": "(Citation: Proofpoint TA427 April 2024)"
},
{
"source_name": "Earth Kumiho",
"description": "(Citation: Rapid7 Threat Landscape Actors March 2026)"
},
{
"source_name": "Kimsuky",
"description": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)"
},
{
"source_name": "Springtail",
"description": "(Citation: Symantec Troll Stealer 2024)"
},
{
"source_name": "Velvet Chollima",
"description": "(Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)"
},
{
"source_name": "AhnLab Kimsuky Kabar Cobra Feb 2019",
"description": "AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.",
"url": "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf"
},
{
"source_name": "EST Kimsuky April 2019",
"description": "Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.",
"url": "https://blog.alyac.co.kr/2234"
},
{
"source_name": "Netscout Stolen Pencil Dec 2018",
"description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.",
"url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
},
{
"source_name": "Zdnet Kimsuky Dec 2018",
"description": "Cimpanu, C. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.",
"url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/"
},
{
"source_name": "CISA AA20-301A Kimsuky",
"description": "CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a"
},
{
"source_name": "Cybereason Kimsuky November 2020",
"description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.",
"url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
},
{
"source_name": "EST Kimsuky SmokeScreen April 2019",
"description": "ESTSecurity. (2019, April 17). Analysis of the APT Campaign \u2018Smoke Screen\u2019 targeting to Korea and US \ucd9c\ucc98: https://blog.alyac.co.kr/2243 [\uc774\uc2a4\ud2b8\uc2dc\ud050\ub9ac\ud2f0 \uc54c\uc57d \ube14\ub85c\uadf8]. Retrieved September 29, 2021.",
"url": "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf"
},
{
"source_name": "Malwarebytes Kimsuky June 2021",
"description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
"url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
},
{
"source_name": "Proofpoint TA427 April 2024",
"description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
"url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
},
{
"source_name": "Mandiant APT43 March 2024",
"description": "Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.",
"url": "https://services.google.com/fh/files/misc/apt43-report-en.pdf"
},
{
"source_name": "Microsoft Threat Actor Naming July 2023",
"description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
},
{
"source_name": "MSFT-AI",
"description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.",
"url": "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/"
},
{
"source_name": "Rapid7 Threat Landscape Actors March 2026",
"description": "Rapid7. (2026, March 18). 2026 GLOBAL THREAT LANDSCAPE REPORT: Decoding the Accelerated Cyber Attack Cycle. Retrieved April 18, 2026.",
"url": "https://www.rapid7.com/cdn/assets/bltc1ddd6561ab54a26/69ba67de50ca691edcd3f5b7/rapid7-threat-landscape-report-2026.pdf"
},
{
"source_name": "Symantec Troll Stealer 2024",
"description": "Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.",
"url": "https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage"
},
{
"source_name": "Securelist Kimsuky Sept 2013",
"description": "Tarakanov, D. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.",
"url": "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/"
},
{
"source_name": "ThreatConnect Kimsuky September 2020",
"description": "ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.",
"url": "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2026-04-23T18:46:50.938Z",
"name": "Kimsuky",
"description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering, and reconnaissance.(Citation: MSFT-AI)\n\nDPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under [Lazarus Group](https://attack.mitre.org/groups/G0032), rather than tracking operationally distinct subgroups.",
"aliases": [
"Kimsuky",
"Black Banshee",
"Velvet Chollima",
"Emerald Sleet",
"THALLIUM",
"APT43",
"TA427",
"Springtail",
"Earth Kumiho",
"PatheticSlug"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
"x_mitre_version": "5.2",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_contributors": [
"Dongwook Kim, KISA",
"Jaesang Oh, KC7 Foundation",
"Taewoo Lee, KISA",
"Wai Linn Oo, Kernellix Co.,Ltd."
],
"x_mitre_domains": [
"enterprise-attack",
"mobile-attack"
]
}
]
}