
North Korean state-sponsored hackers, known as Kimsuky, have allegedly suffered a data breach after two hackers, who describe themselves as opposed to Kimsuky's values, stole the group's data and leaked it online.
The two hackers, going by 'Saber' and 'cyb0rg', cited moral reasons for their actions, saying that Kimsuky "is hacking for all the wrong reasons," and claiming that the group is driven by a political agenda and follows government orders instead of practicing the art of hacking independently.
"Kimsuky, you are not a hacker. You are motivated by financial greed, to enrich your leaders, and to fulfill their political agenda," reads the hackers' address to the group, published in the latest issue of Phrack, which was distributed at the DEF CON 33 conference.
"You steal from others and keep it for yourselves. You place yourselves above others: you are morally warped."
The hackers dumped a portion of Kimsuky's backend, exposing the group's tooling and some of its stolen data, which could provide insight into previously unknown campaigns and unreported compromises.
The 8.9GB dump is currently hosted on the 'Distributed Denial of Secrets' website and includes, among other things:
- Phishing logs containing numerous dcc.mil.kr (Defense Counterintelligence Command) email accounts.
- Other targeted domains: spo.go.kr, korea.kr, daum.net, kakao.com, naver.com.
- A .7z archive containing the full source code of a South Korean Ministry of Foreign Affairs mail system ("KBI"), including its webmail, admin, and archive modules.
- References to South Korean public certificates and a curated list of university professors.
- A PHP "generator" toolkit with credential-theft and redirect tricks for building phishing sites.
- Live phishing kits.
- Unknown binary archives (vos9aymz.tar.gz, black.x64.tar.gz) and executables (payload.bin, payload_test.bin, s.x64.bin) that are not on VirusTotal.
- Cobalt Strike loaders, reverse shells, and Onnara proxy modules found in a VMware drag-and-drop cache.
- Chrome browser configs linking browsing history to suspected GitHub accounts (wwh1004.github.io, etc.), VPN purchases (PureVPN, ZoogVPN) made through Google Pay, and hacking forums (freebuf.com, xaker.ru).
- Google Translate usage for Chinese error messages and for visiting government and military sites.
- Bash history showing SSH connections to internal systems.
The hackers note that some of the above is already known or at least partially documented.
However, the dump adds a new dimension to that data by linking Kimsuky's tooling to its activities, effectively "burning" the APT's infrastructure and methods.
BleepingComputer has contacted several security researchers to confirm the leaked documents and their value, and will update this story if we receive a response.
While the breach will likely not have a long-term effect on Kimsuky's operations, it may disrupt ongoing campaigns and cause operational difficulties for the group.
The latest issue of Phrack (#72) is currently available only in a limited physical print run, but an online version should be available to read for free in the coming days.