Revealed: Kimsuky Hackers’ New Tactics, Techniques, and Infrastructure Uncovered in Exposed ‘Kim’ Dump
In early September 2025, a significant data breach attributed to a cyber actor known as “Kim” exposed the operational playbook of Kimsuky (APT43). The leak included terminal history files, phishing domains, OCR workflows, compiled stagers, and a complete Linux rootkit, revealing a credential-centric campaign targeting South Korean government PKI systems and Taiwanese academic networks. Artifacts from the breach showcased bash histories that illustrated iterative shellcode development using NASM, along with OCR commands for extracting configurations from Korean-language PDF documents related to PKI and VPN deployments. This breach highlighted an evolution in techniques, merging traditional rootkit persistence with advanced adversary-in-the-middle (AiTM) phishing infrastructure. Analysts from DomainTools identified a network of malicious sites mimicking official Korean portals, such as nid-security.com and webcloud-notice.com, which employed real-time TLS proxies to intercept credentials, marking a shift from document-based harvesting to active AiTM interception.
The breach also contained PAM logs detailing administrative password rotations, tagged 변경완료 (“change complete”), for high-privilege accounts like Oracle, Svradmin, and App_Adm01. Plaintext GPKI key files, such as 136백운규001_env.key, confirmed the direct compromise of South Korean government cryptographic assets.

Beyond South Korea, researchers noted that the actor conducted targeted reconnaissance of Taiwanese government and research institutions, accessing .git directories to enumerate exposed source repositories and harvest embedded secrets. IP addresses like 163.29.3.119 and 118.163.30.45, registered to Taiwanese government backbones, indicated deliberate supply-chain probing. The presence of burner email addresses linked to phishing kits, along with logs of reconnaissance against Gitee.com and Baidu.com, reflected a hybrid DPRK–PRC footprint that utilised Chinese infrastructure for staging and evasion.

A closer examination of the malware’s infection mechanism revealed a two-stage loader combining custom shellcode with publicly available frameworks, with the initial payload being a handcrafted NASM shellcode stub designed to allocate memory via VirtualAlloc and resolve Win32 API calls through hashed import tables. Once memory was allocated, the loader decrypted and patched a secondary payload—often a CobaltStrike-derived stager—into the process before transferring execution.
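The .git enumeration described above leaves a recognisable trail in web server access logs, and whether the server answered those requests with 200 rather than 404 tells a defender whether a repository was actually exposed. The following is an added example (not from the leak, DomainTools, or any vendor tool) that parses constructed combined-format access-log lines, groups .git probes by source address, and separates probes that were served from probes that were refused. The IP addresses, timestamps and paths in the sample are constructed documentation-range values, not indicators from the dump.

```python
"""Flag requests to .git paths in web access logs and report which were served.

Added example: the log lines below are constructed (RFC 5737 documentation
addresses) and do not come from the Kimsuky leak. Only the .git pattern is
taken from the article's description of the reconnaissance.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches /.git, /.git/HEAD, /app/.git/config, ... but not /gitlab or /.gitignore
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

# Constructed sample: one client walks the repository, another is refused.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2025:10:14:02 +0800] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [03/Sep/2025:10:14:05 +0800] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [03/Sep/2025:10:14:06 +0800] "GET /.git/config HTTP/1.1" 200 311
198.51.100.2 - - [03/Sep/2025:10:15:40 +0800] "GET /.git/HEAD HTTP/1.1" 404 162
203.0.113.7 - - [03/Sep/2025:10:14:09 +0800] "GET /.git/objects/ab/cd HTTP/1.1" 200 1498
203.0.113.7 - - [03/Sep/2025:10:14:11 +0800] "GET /.gitignore HTTP/1.1" 404 162
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_git_probes(log_text: str) -> dict:
    """Group .git requests by source IP.

    Returns {ip: {"requests": n, "served": n, "paths": [...]}} where "served"
    counts probes answered with a 2xx status, i.e. the repository was actually
    readable. A served /.git/HEAD is the strongest signal of exposure.
    """
    report = defaultdict(lambda: {"requests": 0, "served": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
    return dict(report)


def exposed_sources(log_text: str) -> list:
    """IPs that received at least one served .git object, sorted for stable output."""
    return sorted(ip for ip, e in find_git_probes(log_text).items() if e["served"] > 0)


if __name__ == "__main__":
    for ip, entry in find_git_probes(SAMPLE_LOG).items():
        print(f"{ip}: {entry['requests']} .git requests, {entry['served']} served")
    print("exposed to:", exposed_sources(SAMPLE_LOG))
```

The same query is easy to express in a SIEM, but the served/refused split matters more than the count: a 404 stream is background scanning, while a 200 on /.git/HEAD followed by /.git/objects/ fetches means the repository, and any secrets committed to it, should be treated as disclosed.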
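Resolving Win32 APIs through hashed import tables, as the NASM stub above is described as doing, means the binary never contains the string "VirtualAlloc"; it contains a 32-bit hash of it. A defender can invert that by precomputing the hashes of a watch-list of APIs and scanning samples for them as little-endian constants. The following is an added example, not code from the leak or from any analysis vendor; it implements the common rotate-right-by-13 (ROR13) accumulator over the NUL-terminated function name, which is one widely used scheme and an assumption here, since the article does not say which hasher the stub uses (some resolvers also fold in a hash of the module name, which this example does not model). The byte blob it scans is constructed filler, not a sample from the dump.

```python
"""Find ROR13 hashes of watch-listed Win32 APIs inside a byte blob.

Added example: the hashing scheme (ROR13 over the NUL-terminated function
name) is an assumption about one common resolver variant, and the scanned
bytes are constructed filler, not material from the Kimsuky leak.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 accumulator over the ASCII name plus its terminating NUL byte."""
    h = 0
    for ch in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & MASK32   # rotate right by 13 bits
        h = (h + ch) & MASK32
    return h


# APIs a loader typically needs to stage a second payload in memory.
WATCHLIST = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread",
]
HASH_TABLE = {ror13_hash(n): n for n in WATCHLIST}


def find_api_hashes(blob: bytes) -> list:
    """Return (offset, api_name) for every 4-byte little-endian watch-list hash.

    A sliding window is used because hashes in hand-written stubs are not
    aligned; they sit wherever the mov/push immediate happens to be.
    """
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        name = HASH_TABLE.get(val)
        if name is not None:
            hits.append((off, name))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a stub: NOP filler around two hashed-API constants."""
    return (
        b"\x90" * 8
        + struct.pack("<I", ror13_hash("VirtualAlloc"))
        + b"\xe8\x00\x00\x00\x00"
        + struct.pack("<I", ror13_hash("CreateThread"))
        + b"\xc3"
    )


if __name__ == "__main__":
    for off, name in find_api_hashes(build_sample()):
        print(f"offset 0x{off:04x}: hash of {name} (0x{ror13_hash(name):08x})")
```

Two practical notes: the table has to be regenerated for each hashing scheme the team tracks, since a different rotate count or a module-name prefix produces entirely different constants, and a single hit on a large binary is weak evidence on its own, whereas several watch-list hits clustered within a few dozen bytes is characteristic of a resolver loop and worth an alert.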
Categories: Cybersecurity Breach, Malware Analysis, Phishing Techniques
Tags: Data Breach, Cyber Actor, Kimsuky, Credential-Centric, South Korea, Phishing, Rootkit, Malware, Infection Mechanism, Reconnaissance