Exposed ‘Kim’ Dump Exposes Kimsuky Hackers’ New Tactics, Techniques, and Infrastructure


In early September 2025, a significant data breach attributed to a cyber actor known as “Kim” exposed the operational methods of Kimsuky (APT43). This breach provided extensive insights into their tactics and techniques.

Technical Details

The breach included terminal history files, phishing domains, OCR workflows, compiled stagers, and a complete Linux rootkit. These elements revealed a focus on credential-based campaigns targeting South Korean government PKI systems and Taiwanese academic networks.

Among the leaked data were bash histories illustrating iterative shellcode development with NASM and OCR commands used for extracting configurations from Korean-language PDF documents related to PKI and VPN deployments.

New Techniques and Infrastructure

The breach demonstrated an evolution in Kimsuky’s techniques, combining traditional rootkit persistence with advanced adversary-in-the-middle phishing infrastructure. Domain telemetry pointed to a network of malicious sites mimicking official Korean portals, such as nid-security.com and webcloud-notice.com, employing real-time TLS proxies for credential interception.
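The lookalike domains named above follow a recognisable pattern: a brand token joined by a hyphen to a word such as "security" or "notice" on a registrable domain the organisation does not own. The following heuristic, added here as an illustration and not taken from the article or from any vendor tooling, scores hostnames from DNS or TLS telemetry on that pattern. The protected tokens, decoy words and allow-list are constructed assumptions and must be tuned to the portals your own users log in to.

```python
# Added example (not from the article): a heuristic that scores hostnames seen
# in DNS or TLS telemetry for resemblance to portals an organisation protects.
# The protected tokens, decoy words and allow-list below are constructed
# assumptions; tune them to the brands your users actually log in to.
import re
from typing import Dict, List, Tuple

PROTECTED_TOKENS = ["nid", "webcloud", "gpki"]           # brand tokens worth protecting (assumed)
DECOY_WORDS = ["security", "notice", "login", "verify",  # words bolted on to look official
               "account", "auth", "update"]
KNOWN_GOOD = {"nid.example.kr", "webcloud.example.kr"}   # hosts the organisation really owns (assumed)


def registrable_domain(host: str) -> str:
    """Last two labels of the host; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_score(host: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher scores are more likely lookalike domains."""
    host = host.lower()
    if host in KNOWN_GOOD or registrable_domain(host) in KNOWN_GOOD:
        return 0, []
    parts = re.split(r"[-_.]", host)
    second_level = registrable_domain(host).split(".")[0]
    score, reasons = 0, []
    tokens = [t for t in PROTECTED_TOKENS if t in parts]
    if tokens:
        score += 2
        reasons.append(f"protected token(s) {tokens} on a domain we do not own")
    decoys = [w for w in DECOY_WORDS if w in parts]
    if tokens and decoys:
        score += 2
        reasons.append(f"brand token combined with decoy word(s) {decoys}")
    if "-" in second_level:
        score += 1
        reasons.append("hyphenated second-level label")
    return score, reasons


def flag_domains(hosts: List[str], threshold: int = 3) -> Dict[str, int]:
    """Map each host at or above the threshold to its score, preserving input order."""
    flagged: Dict[str, int] = {}
    for h in hosts:
        score, _ = lookalike_score(h)
        if score >= threshold:
            flagged[h] = score
    return flagged


if __name__ == "__main__":
    # Constructed telemetry: the two lookalikes named in the article plus benign noise.
    observed = ["nid-security.com", "cdn.example.com", "webcloud-notice.com",
                "nid.example.kr", "mail-archive.org"]
    for host, score in flag_domains(observed).items():
        print(f"{score}  {host}  {lookalike_score(host)[1]}")
```

The score is deliberately coarse: it is meant to surface candidates for a newly-registered-domain check and certificate-transparency lookup, not to block on its own, and the allow-list is what keeps the organisation's genuine hosts from scoring.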

The data included PAM logs indicating administrative password rotations for high-privilege accounts. Plaintext GPKI key files confirmed direct compromises of South Korean government cryptographic assets.

Expansion Beyond South Korea

Research indicated that the actor conducted reconnaissance on Taiwanese government and research institutions, targeting .git directories to access exposed source repositories and harvest embedded secrets. IP addresses registered to Taiwanese government backbones highlighted deliberate supply-chain probing.
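Requests into a `.git` directory are easy to spot in web-server logs, and the useful question for a defender is not only who probed but whether the server actually answered with repository content. The detection below is an added example, not code from the article, run over constructed access-log lines in the combined format; the IP addresses and timestamps are made up.

```python
# Added example (not from the article): detection logic for the .git-directory
# reconnaissance described above, run over constructed web-server access-log
# lines in the combined log format. Source IPs and timestamps are made up.
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = [  # constructed sample, not real telemetry
    '203.0.113.7 - - [03/Sep/2025:10:14:02 +0900] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/Sep/2025:10:14:03 +0900] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/Sep/2025:10:14:03 +0900] "GET /.git/objects/ab/cd HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/Sep/2025:10:20:11 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Sep/2025:10:20:12 +0900] "GET /.git/HEAD?x=1 HTTP/1.1" 403 199 "-" "curl/8.4"',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_git_probe(path: str) -> bool:
    """True for any request into a .git directory at any depth, ignoring the query string."""
    p = path.split("?", 1)[0].rstrip("/")
    return p.endswith("/.git") or "/.git/" in p


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: how many .git requests were made and how many the server answered 200."""
    stats: Dict[str, dict] = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_git_probe(rec["path"]):
            continue
        entry = stats[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].add(rec["path"].split("?", 1)[0])
        if rec["status"] == "200":
            entry["served"] += 1
    return dict(stats)


def leaked_to(stats: Dict[str, dict]) -> List[str]:
    """IPs that actually received repository content (status 200); these need an exposure review."""
    return sorted(ip for ip, s in stats.items() if s["served"] > 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip}: {s['probes']} .git requests, {s['served']} served, paths={sorted(s['paths'])}")
    print("repository content leaked to:", leaked_to(stats))
```

A served `/.git/config` or `/.git/HEAD` means the whole history, and any secret ever committed to it, should be treated as exposed. On the prevention side, the directory should never be reachable from the document root at all; where it must live there, an nginx rule such as `location ~ /\.git { return 404; }` is preferable to a 403, because a 403 still confirms to the crawler that the directory exists.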

Burner email addresses associated with phishing kits and reconnaissance logs against gitee.com and baidu.com suggest a combined DPRK–PRC approach, utilizing Chinese infrastructure for staging and evasion.

Infection Mechanism

The malware’s infection mechanism involves a two-stage loader combining custom shellcode with publicly available frameworks. The initial payload is a handcrafted NASM shellcode stub, allocating memory via VirtualAlloc and resolving Win32 API calls through hashed import tables.

; start.asm (leaked stub; argument order corrected to match the stdcall
; convention, which pushes VirtualAlloc's parameters right to left)
BITS 32
extern VirtualAlloc          ; linked via import library here; the real stub resolves it by hash
section .text
global _start
_start:
    push 0x40                ; flProtect        = PAGE_EXECUTE_READWRITE
    push 0x3000              ; flAllocationType = MEM_COMMIT | MEM_RESERVE
    push 4096                ; dwSize           = one 4 KiB page
    push 0                   ; lpAddress        = NULL, let the kernel choose
    call [VirtualAlloc]      ; EAX = base of the new region (0 on failure)
    ; hash-based API resolution and payload injection follow

Once memory is allocated, the loader decrypts and patches a secondary payload, often a Cobalt Strike-derived stager, into the process before transferring execution. This method evades signature-based detection, as the shellcode is polymorphic and the API calls are obfuscated.
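Hashed import tables keep API names out of the binary, so an analyst recovering such a loader has to map the hash constants back to names before the stub's intent is readable. The helper below is an added example, not code from the article, and the article does not say which hashing scheme Kimsuky used: the rotate-right-by-13 construction implemented here is an assumption chosen because it is the most common one in public loaders, and the candidate API list is a constructed subset. In practice the rotation count, the seed and whether the terminating NUL is hashed are read off the disassembly and passed in as parameters.

```python
# Added example (not from the article): an analyst helper that maps hashed
# import constants recovered from a loader back to Win32 API names. The
# article says the stub resolves APIs "through hashed import tables" but does
# not name the algorithm; the ROR-13 scheme below is an assumption used for
# illustration, and the API name list is a constructed subset.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str, rotation: int = 13, seed: int = 0, hash_nul: bool = True) -> int:
    """Hash an ASCII export name: h = ror(h, rotation) + byte for each byte (and the NUL, if hashed)."""
    data = name.encode("ascii") + (b"\x00" if hash_nul else b"")
    h = seed
    for b in data:
        h = (ror32(h, rotation) + b) & MASK32
    return h


# Constructed candidate list; a real run would take the export tables of
# kernel32.dll, ntdll.dll and friends from a clean system.
CANDIDATE_APIS = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread",
    "WinExec", "ExitProcess", "Sleep",
]


def build_table(names: Iterable[str], rotation: int = 13, seed: int = 0,
                hash_nul: bool = True) -> Dict[int, str]:
    """Precompute hash -> name for every candidate export under one parameter set."""
    return {api_hash(n, rotation, seed, hash_nul): n for n in names}


def resolve_hashes(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Look each recovered constant up; None marks a hash the candidate list did not cover."""
    return {c: table.get(c) for c in constants}


def demo() -> Dict[int, Optional[str]]:
    """Constructed walk-through: two hashes that resolve and one that does not."""
    table = build_table(CANDIDATE_APIS)
    recovered = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0xDEADBEEF]
    return resolve_hashes(recovered, table)


if __name__ == "__main__":
    for constant, name in demo().items():
        print(f"0x{constant:08x} -> {name or '<unresolved: extend the candidate list>'}")
```

An unresolved constant usually means the candidate list lacks the module, not that the scheme is wrong; an entirely unresolved set means the rotation, seed or NUL handling in the disassembly differs from the parameters used, which is exactly why they are arguments rather than constants.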

Persistence is achieved through a Linux rootkit, vmmisc.ko, which hooks syscalls such as read and getdents to conceal files, directories, and network sockets. Upon insertion, the rootkit installs a SOCKS5 proxy and a PTY-based reverse shell protected by a passphrase.
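A rootkit that filters `getdents` results hides entries from directory listings, but a direct lookup of a path the listing omitted will normally still succeed, and that gap is the basis of the classic hidden-process and hidden-module checks. The script below is an added example of that technique, not code from the article or from any rootkit-detection project; the comparison functions take their data sources as parameters so the logic can be exercised on constructed inputs, and the `live_*` helpers read the real `/proc` and `/sys` on a Linux host.

```python
# Added example (not from the article): a host check for the concealment the
# article attributes to vmmisc.ko. A rootkit that filters getdents() hides
# entries from directory listings but normally cannot stop a direct path
# probe, so each check compares a listing against a direct lookup. The core
# functions take their data sources as parameters so they can be exercised
# on constructed inputs; the live_* helpers read the real /proc and /sys.
import os
from typing import Callable, Iterable, List, Set


def hidden_pids(listed: Iterable[str], probe: Callable[[int], bool], max_pid: int) -> List[int]:
    """PIDs that answer a direct /proc/<pid> probe but are missing from the /proc listing."""
    visible: Set[int] = {int(name) for name in listed if name.isdigit()}
    return [pid for pid in range(1, max_pid + 1) if pid not in visible and probe(pid)]


def hidden_modules(proc_modules: Iterable[str], sysfs_loaded: Iterable[str]) -> List[str]:
    """Loaded modules visible in /sys/module but absent from /proc/modules (what lsmod shows)."""
    return sorted(set(sysfs_loaded) - set(proc_modules))


# --- live collectors (Linux only) ---
def live_proc_listing() -> List[str]:
    return os.listdir("/proc")


def live_probe(pid: int) -> bool:
    try:
        os.stat(f"/proc/{pid}")
        return True
    except FileNotFoundError:
        return False


def live_max_pid() -> int:
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


def live_proc_modules() -> Set[str]:
    with open("/proc/modules") as fh:
        return {line.split()[0] for line in fh if line.strip()}


def live_sysfs_loaded() -> Set[str]:
    # Only loadable modules expose an initstate attribute; built-ins do not,
    # so this filter keeps the comparison with /proc/modules like for like.
    base = "/sys/module"
    return {name for name in os.listdir(base) if os.path.exists(f"{base}/{name}/initstate")}


if __name__ == "__main__":
    # Probing every PID up to pid_max takes a few seconds; that is the cost of
    # not trusting the listing.
    print("hidden PIDs:", hidden_pids(live_proc_listing(), live_probe, live_max_pid()))
    print("hidden modules:", hidden_modules(live_proc_modules(), live_sysfs_loaded()))
```

Two caveats apply when running this live. A process that exits between the listing and the probe, or starts in that window, produces a one-off false positive, so a PID should be reported only if it is hidden on a second pass. And the check is only as strong as the hooks it assumes: it catches a module that hooks `read` and `getdents` as described above, but an implant that also hooks `stat` or the path-lookup routines will pass it, which is why a kernel-level result should be confirmed from an offline image or a trusted boot environment rather than from the possibly compromised host alone.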

Conclusion

This breach highlights Kimsuky’s sophisticated approach, combining manual tool assembly with open-source repositories. Organizations in South Korea and Taiwan must anticipate multi-stage, credential-first attacks involving low-level shellcode engineering and stealthy kernel-mode implants.
