
Cyber Incident Victim: South Korea

Date:

May 2021

Location:

South Korea

Summary

The North Korean APT group Kimsuky conducted cyberespionage campaigns targeting high-profile South Korean government entities, including the Ministry of Foreign Affairs, using spear-phishing emails distributing malicious archive files containing the AppleSeed backdoor. This malware collected keystrokes, screenshots, documents, and removable device data, exfiltrating information via encrypted HTTP POST requests before deletion. The group employed phishing infrastructure mimicking legitimate websites to harvest credentials from services like Gmail and Outlook, reused C2 infrastructure across campaigns, and developed mobile variants of AppleSeed for Android devices. Kimsuky also gathered intelligence on universities and financial institutions within the country, while leveraging social media platforms like Twitter and fraudulent Gmail accounts for target reconnaissance and domain registration.

Description

In May 2021, the North Korean state-sponsored threat group Kimsuky targeted South Korean government entities using an updated version of its AppleSeed backdoor delivered through spear-phishing campaigns. Researchers at Malwarebytes documented the attack chain, which began with emails containing a malicious ZIP archive attachment named "외교부 가판 2021-05-07.zip" (translated as "Ministry of Foreign Affairs Edition 2021-05-07"). The archive contained a JavaScript file disguised as a PDF that utilized double Base64 encoding to conceal both a decoy document and the AppleSeed payload. Attackers leveraged MSXML Base64 decoding and certutil.exe to decode and execute the final payload—a UPX-packed DLL file with custom encryption obscuring API calls and strings. Upon installation, AppleSeed created separate threads to collect keystrokes, capture screenshots, harvest documents, and scan removable media devices before compressing, encrypting, and exfiltrating data via HTTP POST requests to command-and-control servers. The malware automatically deleted exfiltrated data from victim machines post-transfer. Kimsuky reused previously established phishing infrastructure for C2 communications, including domains like ns1.microsoft-office[.]us registered through a Gmail account (tjkim1991@gmail[.]com) associated with the group.
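The lure pattern in the description (a script file carrying a document extension, with nested Base64 hiding both a decoy document and the real payload) is something a mail gateway or triage script can check for without executing anything. The Python below is an added defensive example written for this page, not code from the Malwarebytes report, the incident database or the malware itself. The archive member name, the decoy bytes and the two-byte MZ stub are constructed test data, and the extension and magic-byte lists are this example's own assumptions.

```python
import base64
import binascii
import io
import re
import zipfile

# Assumption: extensions that run when double-clicked on Windows. A member
# whose name looks like "<document>.pdf.js" is the disguise described above.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".exe", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Magic bytes used to say what a fully decoded blob really is.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0", "ole"),
]

# Long runs of Base64 alphabet inside a script body are candidate blobs.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
B64_FULL = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def disguised_script_members(zip_bytes):
    """Return member names that end in a script extension right after a document extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit(".", 2)
            if len(parts) == 3 and "." + parts[2] in SCRIPT_EXTENSIONS \
                    and "." + parts[1] in DOCUMENT_EXTENSIONS:
                hits.append(name)
    return hits


def peel_base64(blob, max_layers=4):
    """Strip nested Base64 layers; return (layers_removed, final_bytes)."""
    layers, current = 0, blob
    while layers < max_layers:
        stripped = b"".join(current.split())
        if not stripped or not B64_FULL.fullmatch(stripped):
            break
        try:
            current = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return layers, current


def classify(blob):
    """Label a decoded blob by its leading magic bytes."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "unknown"


def embedded_payloads(script_text):
    """Find Base64 tokens in a script body and report what each unwraps to."""
    findings = []
    for token in B64_TOKEN.findall(script_text):
        layers, data = peel_base64(token)
        if layers:
            findings.append({"layers": layers, "type": classify(data), "size": len(data)})
    return findings


def scan_archive(zip_bytes):
    """Map each disguised script member to the payload types its Base64 blobs conceal."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in disguised_script_members(zip_bytes):
            report[name] = embedded_payloads(zf.read(name))
    return report


def build_sample_archive():
    """Constructed test data: a ZIP with a .pdf.js that embeds a double-Base64 decoy and a PE stub."""
    decoy = b"%PDF-1.4\n% constructed decoy document, not a real PDF\n" + b"\x00" * 40
    stub = b"MZ" + b"\x90" * 70  # constructed: DOS magic only, no executable content

    def wrap_twice(data):
        return base64.b64encode(base64.b64encode(data))

    js = b'var d = "' + wrap_twice(decoy) + b'";\nvar p = "' + wrap_twice(stub) + b'";\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report 2021-05-07.pdf.js", js)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(member, findings)
```

Running the block on the constructed archive reports the single `.pdf.js` member with two blobs, each two Base64 layers deep, classified as `pdf` and `pe`; the `readme.txt` member is ignored because its name does not match the disguise pattern. On real mail flow the same functions would take the attachment bytes instead of `build_sample_archive()`.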

The campaign specifically targeted high-ranking officials across South Korea's Ministry of Foreign Affairs, including the 1st Secretary, 2nd Secretary, Trade Minister, Deputy Consul General in Hong Kong, and an International Atomic Energy Agency Nuclear Security Officer. Additional targets included the Ambassador of Sri Lanka’s Embassy and a Foreign Affairs and Trade Counsellor. Kimsuky also gathered reconnaissance data on Seoul National University, Daishin Financial Security Company, and the Korea Internet and Security Agency (KISA), though no confirmed compromises of these entities occurred. The group employed multilingual phishing pages (English/Korean) with mobile detection capabilities and mirrored AppleSeed’s functionality in an Android variant using identical C2 infrastructure. Researchers identified overlapping infrastructure with prior Kimsuky campaigns, including credential-phishing domains mimicking Gmail, Outlook, Naver, and KISA login portals. The threat actors used Twitter accounts for target monitoring to craft tailored spear-phishing lures, maintaining operational continuity through infrastructure repurposing and modular malware development.
