Rare leak exposes North Korea’s Kimsuky: Stolen certs, rootkits, and custom Cobalt Strike

A massive trove of internal files from North Korea’s Kimsuky advanced persistent threat (APT) group has been leaked on a dark web forum, revealing the inner workings of one of Pyongyang’s most active cyber espionage units.

The leaked materials, including virtual machine images, phishing kits, rootkits, cracked security tools, and more than 20,000 browser history records, offer a rare glimpse into the daily tools and tradecraft of Kimsuky, also known as APT43, Thallium, and Velvet Chollima. The group, active since at least 2012, is believed to be part of North Korea’s cyber apparatus, tasked with espionage operations against government agencies, researchers, and institutions in South Korea, the US, Japan, and Europe.

Unlike prior intelligence based on malware samples or isolated indicators of compromise, the recent leak includes the full working environments of an individual operator, known simply as “KIM.” The first dump appears to be a guest virtual machine running Deepin Linux 20.9, with signs of direct integration with the Windows host it ran on. Researchers found evidence of active development and operational testing, including a screenshot labeled kim_desktop.jpg and a structured file index cataloged in ./file-lists.

The data includes extensive browsing records from Brave and Chrome browsers, revealing communication with dozens of email addresses and the use of browser extensions for spoofing, cookie manipulation, and proxy control. A backdoor manual was also found, with warnings in Chinese against misuse, suggesting potential code sharing or cross-national collaboration.

A second set of files came from a VPS server identified as vps1735811325, hosted by vps.bz, which was actively used in spear-phishing campaigns. This server contained phishing components, SSL certificates, and authentication logs, providing deep insight into how phishing attacks were staged and maintained.

Several custom malware implants were found, including:

  • Tomcat kernel rootkit: A stealthy Linux kernel module with TCP knock and SSL reverse shell capabilities.

  • Cobalt Strike personal beacon: A cracked and customized version with unique command-and-control profiles.

  • Ivanti “RootRot” implant: A persistent backdoor initially mistaken for a vulnerability, capable of surviving security patches.

  • Bushfire exploit kit: A toolkit weaponizing 2025 Ivanti CVEs, with code overlaps tied to Chinese group UNC5221.

  • SpawnChimera backdoor: An implant communicating via spoofed TLS Client Hello packets to evade detection.
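The “TCP knock” capability of the Tomcat rootkit is the one item in this list a defender can hunt for without a sample: a port-knock sequence leaves a recognisable trace in flow logs, namely a short burst of unanswered single-packet connections to distinct ports from one source, immediately followed by a successful connection to a service that was not reachable before. The script below is an added illustration written for this article, not code from the leak or from the researchers who analysed it. It assumes a constructed, simplified flow-log format (timestamp, source IP, destination port, bytes in, bytes out) and a heuristic of my own choosing; the IP addresses and port numbers are made up. It also handles the obvious false positive: an ordinary port scan produces the same “many unanswered probes, then a hit” pattern, so sequences above a configurable length are treated as scans rather than knocks.

```python
"""Heuristic port-knock detector over simplified flow logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data). Columns:
#   ts  src_ip  dst_port  bytes_in(from src)  bytes_out(host replied)
# A knock probe is a flow the host never answered (bytes_out == 0).
SAMPLE_LOG = """
# 203.0.113.7: three knocks on 7000/8000/9000, then SSH opens -> knock sequence
1700000001 203.0.113.7 7000 60 0
1700000002 203.0.113.7 8000 60 0
1700000003 203.0.113.7 9000 60 0
1700000005 203.0.113.7 22 2480 3120
# 198.51.100.9: a single stray probe before HTTP -> not enough knocks
1700000020 198.51.100.9 7000 60 0
1700000021 198.51.100.9 80 900 4500
# 203.0.113.7 again, but the knocks are spread over >10 s -> window expires
1700000100 203.0.113.7 7000 60 0
1700000130 203.0.113.7 8000 60 0
1700000140 203.0.113.7 9000 60 0
1700000141 203.0.113.7 22 500 600
# 192.0.2.5: ten unanswered probes then HTTP -> looks like a scan, not a knock
1700000300 192.0.2.5 1000 60 0
1700000301 192.0.2.5 1001 60 0
1700000302 192.0.2.5 1002 60 0
1700000303 192.0.2.5 1003 60 0
1700000304 192.0.2.5 1004 60 0
1700000305 192.0.2.5 1005 60 0
1700000306 192.0.2.5 1006 60 0
1700000307 192.0.2.5 1007 60 0
1700000308 192.0.2.5 1008 60 0
1700000309 192.0.2.5 1009 60 0
1700000310 192.0.2.5 80 700 5200
"""


@dataclass
class Flow:
    ts: int
    src: str
    dport: int
    bytes_in: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dport, b_in, b_out = line.split()
        flows.append(Flow(int(ts), src, int(dport), int(b_in), int(b_out)))
    return flows


def find_knock_sequences(flows, window=10, min_knocks=3, max_knocks=8):
    """Return one record per suspected knock sequence.

    A sequence is: between min_knocks and max_knocks unanswered probes to
    distinct ports from one source within `window` seconds, followed by an
    answered flow to some port. More than max_knocks probes is treated as a
    port scan and ignored (that is the classic false positive here).
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    hits = []
    for src, src_flows in by_src.items():
        pending = []  # unanswered probes still inside the time window
        for f in src_flows:
            pending = [p for p in pending if f.ts - p.ts <= window]
            if f.bytes_out == 0:
                pending.append(f)
                continue
            # Answered flow: decide whether the probes before it look like a knock.
            ports = [p.dport for p in pending]
            distinct = len(set(ports))
            if min_knocks <= distinct <= max_knocks:
                hits.append({"src": src, "knock_ports": ports,
                             "opened_port": f.dport, "ts": f.ts})
            pending = []  # any answered flow resets the sequence
    return hits


def demo():
    return find_knock_sequences(parse_flows(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['src']} knocked {hit['knock_ports']} then reached port {hit['opened_port']}")
```

On the constructed input only the first sequence from 203.0.113.7 is reported; the spread-out repeat expires the window, the single stray probe is below `min_knocks`, and the ten-port burst from 192.0.2.5 is classed as a scan. In a real deployment the thresholds need tuning against the host's actual exposed services, and the `bytes_out == 0` test should be replaced with whatever the flow source records for unanswered SYNs.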

The phishing infrastructure revealed kits designed to mimic South Korean government websites, with anti-crawler measures to evade early detection by security companies. There was also evidence of a forked Android tool (a modified version of “ToyBox”) repurposed for mobile espionage, though analysis on that component remains ongoing.
