North Korean Kimsuky Hackers Data Breach: Insider Leaks Sensitive Information Online
A significant leak of internal tools, backdoors, and intelligence-gathering artifacts linked to North Korea’s state-sponsored APT group Kimsuky has surfaced online, allegedly published by insiders. The 34,000-page data dump exposes live phishing infrastructure, kernel-level backdoors, Cobalt Strike payloads, and stolen government certificates. Key highlights include the complete phishing toolkit targeting the Defence Counterintelligence Command (dcc.mil.kr), the discovery of a Tomcat kernel LKM backdoor, and a custom Cobalt Strike beacon. The breach also encompasses stolen Government Public Key Infrastructure (GPKI) certificates, Ministry of Foreign Affairs (MoFA) email server code, and persistent access to internal South Korean networks through an SSO tool named onnara_sso.
According to cybersecurity expert Saber, the leaked archive contains the full source code for a custom phishing platform designed to deceive South Korean officials. The files include generator.php and config.php, the latter carrying an IP blacklist intended to keep security vendors' scanners from seeing the phishing content. Victims who enter their credentials on the spoofed HTTPS domain are redirected to the legitimate dcc.mil.kr site, masking the credential theft. Additionally, the leak reveals a Tomcat Remote Kernel Backdoor that opens an SSL-encrypted channel upon receiving a specific TCP SEQ and IP ID “knock.” The presence of a private Cobalt Strike beacon and a full dump of the MoFA email server code further underscores the severity of this breach. Organisations in South Korea and allied nations are urged to audit exposed code patterns, revoke compromised certificates, and enhance network-level detection capabilities.
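One network-level check that follows from the redirect behaviour described above: in web-proxy logs, correlate a credential POST to a host outside the government domain with a GET to dcc.mil.kr within seconds that carries the same outside host as Referer. This is an added Python example, not code from the leaked kit or from Saber's analysis; the log format, the spoofed hostnames, and the 10-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the leaked archive):
# "<ISO timestamp> <client_ip> <method> <url> <referer-or-dash>"
SAMPLE_LOG = """\
2025-07-01T09:12:01 10.0.0.5 GET https://dcc-mil-kr.example/login -
2025-07-01T09:12:40 10.0.0.5 POST https://dcc-mil-kr.example/login https://dcc-mil-kr.example/login
2025-07-01T09:12:41 10.0.0.5 GET https://dcc.mil.kr/ https://dcc-mil-kr.example/login
2025-07-01T09:15:00 10.0.0.7 POST https://dcc.mil.kr/login https://dcc.mil.kr/login
2025-07-01T09:20:00 10.0.0.9 POST https://intranet.example/form -
2025-07-01T09:20:01 10.0.0.9 GET https://news.example/ -
"""

# Legitimate site the kit redirects victims to after harvesting credentials (from the report).
LEGIT_DOMAINS = {"dcc.mil.kr"}
WINDOW = timedelta(seconds=10)  # assumed: redirect follows the POST almost immediately


def parse(log):
    """Turn log lines into (timestamp, client_ip, method, host, referer_host) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, method, url, ref = line.split()
        ref_host = None if ref == "-" else urlparse(ref).hostname
        events.append((datetime.fromisoformat(ts), ip, method, urlparse(url).hostname, ref_host))
    return events


def find_redirect_harvest(log, legit=LEGIT_DOMAINS, window=WINDOW):
    """Flag clients that POST to a non-legitimate host and are then sent to a
    legitimate host with the spoofed host as Referer. Returns
    (client_ip, spoof_host, legit_host, redirect_timestamp) tuples."""
    by_client = defaultdict(list)
    for ev in parse(log):
        by_client[ev[1]].append(ev)
    hits = []
    for ip, evs in by_client.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, method, host, _) in enumerate(evs):
            if method != "POST" or host in legit:
                continue  # posting to the real site is normal traffic
            for ts2, _, m2, h2, ref2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if m2 == "GET" and h2 in legit and ref2 == host:
                    hits.append((ip, host, h2, ts2.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_redirect_harvest(SAMPLE_LOG):
        print("possible credential harvest:", hit)
```

A GET to the real site whose Referer is an unrelated external host is the observable the kit leaves behind on the victim side, so the same correlation can be run against proxy or DNS-plus-TLS telemetry even before the spoofed domain is known.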