{"description": "Enterprise techniques used by Kimsuky, ATT&CK group G0094 (v5.2)", "name": "Kimsuky (G0094)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.007", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has added accounts to specific groups with net localgroup.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.004", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)  [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged Dropbox for hosting payloads and uploading victim system information. 
(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094)  has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has used the Send() function to compress all collected data into a zip file named init,.zip, then renames it to init.dat, before exfiltration.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used RC4 encryption before exfil.(Citation: Securelist Kimsuky Sept 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1020", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated data to C2 servers using an automated script that executes every 10 minutes and after successful checks for the presence of pre-designated staged filenames.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected sensitive browser data using the function `GetBrowserData()` to include login credentials, bookmarks, cookies, and encryption keys.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1185", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to use form-grabbing to extract emails and passwords from web data forms.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to steal data from the clipboard.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has executed a variety of PowerShell scripts including Invoke-Mimikatz.(Citation: EST Kimsuky April 2019)(Citation: CISA 
AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Aryaka Kimsuky July 2025)  [Kimsuky](https://attack.mitre.org/groups/G0094) has also utilized PowerShell scripts for execution, persistence, and defense evasion.(Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged PowerShell\u2019s cmdlet `Expand-Archive` to extract contents of zip files into the same directory.(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has employed ClickFix type tactics enticing victims to copy and paste malicious PowerShell commands and scripts, where the scripts ultimately led to [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used `cmd.exe` to automatically open downloaded decoy pdf documents with the system\u2019s default PDF viewer.(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has utilized malicious payloads to create reverse shells within the victim environment.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used batch scripts to eventually run [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: 
VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged VBScript (VBS) scripts to execute temp.vbs every 19 minutes using a scheduled task to run [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky) [Kimsuky](https://attack.mitre.org/groups/G0094) has used [TRANSLATEXT](https://attack.mitre.org/software/S1201), which contained four Javascript files for bypassing defenses, collecting sensitive information and screenshots, and exfiltrating data.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", 
"showSubtechniques": true}, {"techniqueID": "T1584.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has created accounts with net user.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used browser extensions including Google Chrome to steal passwords and cookies from browsers. 
[Kimsuky](https://attack.mitre.org/groups/G0094) has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated HTTP Post request communications utilizing XOR with a designated key, followed by Base64 encoding.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected Office, PDF, and HWP documents from its victims.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also harvested victim files through the use of the `RecentFiles()` function that collects paths of recently accessed files by parsing .lnk shortcuts from `%APPDATA%\\Microsoft\\Windows\\Recent`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has staged collected data files under C:\\Program Files\\Common Files\\System\\Ole DB\\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also gathered data in structured directories prior to exfiltration under the %TEMP% environment variable.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1678", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has utilized the Sleep function to ensure execution of 
scripts.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has decoded malicious VBScripts using Base64.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also decoded malicious PowerShell scripts using Base64.(Citation: Securonix Kimsuky February 2025)(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has decoded RC4 obfuscated files prior to downloading files from their infrastructure.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) created and used a mailing toolkit to use in spearphishing attacks.(Citation: VirusBulletin Kimsuky October 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1686", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": 
"[Kimsuky](https://attack.mitre.org/groups/G0094) has used Dynamic DNS (DDNS) services, such as FreeDNS or No-IP DDNS, to include servers located in South Korea.(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1114.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged stolen PII to create accounts.(Citation: Mandiant APT43 March 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1585.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has utilized a mutex to detect whether its malware is actively running on the victim host.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged PowerShell to store the Process ID (PID) of the currently running malicious PowerShell script into a file named pid.txt which is saved locally on the victim host in the %TEMP% Directory and is queried prior to execution of subsequent PowerShell script to prevent duplication.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated data over its C2 channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged Dropbox for uploading victim system information.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used RDP to establish persistence.(Citation: CISA 
AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has used a custom script with a function called CreateFileList() that can scan all filesystem drives, prioritizing C:\\Users, to locate files and file extensions of interest that ultimately generates a file called `FileList.txt` saved within the victims %TEMP% Directory that contains the findings and the respective pathways.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1589", "showSubtechniques": true}, {"techniqueID": "T1589.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.(Citation: Malwarebytes Kimsuky June 2021)(Citation: Proofpoint TA427 April 2024)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1589.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected victim employee name information.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1591", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected victim organization information including but not limited to 
organization hierarchy, functions, press releases, and others.(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used large language models (LLMs) to gather information about potential targets of interest.(Citation: MSFT-AI) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has run reg add \u2018HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\u2019 /v to hide a newly created user.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also been known to use `-WindowStyle Hidden` to conceal PowerShell windows.(Citation: Securonix Kimsuky February 2025)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged the PowerShell `-ErrorAction SilentlyContinue` command to continue execution through system events.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has deleted the exfiltrated data on disk after transmission. 
[Kimsuky](https://attack.mitre.org/groups/G0094) has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has deleted files using the `Remove-Item` PowerShell commandlet to remove traces of executed payloads.(Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also removed remnants of files used for delivery to include .log and .zip files.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Talos Kimsuky Nov 2021)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Securonix Kimsuky February 2025)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged Native Windows API functions such as `GetAsyncKeyState()` along with others to capture 
keystrokes every 50 milliseconds and store the data in a file in the temp directory.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has collected credentials from a fake Google account login page.(Citation: FBI_KimsukyQR_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged Component Object Model (COM) to create scheduled tasks to include using naming conventions that mimic legitimate applications.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged obfuscated VBScript to form a string in `WScript.Shell` which has downloaded a malicious payload to the victim environment.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1534", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has sent internal spearphishing emails for lateral movement after stealing victim information.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has enumerated drives.(Citation: Talos Kimsuky Nov 2021)(Citation: Securelist Kimsuky Sept 2013)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1036.005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.(Citation: Kimsuky Malwarebytes) [Kimsuky](https://attack.mitre.org/groups/G0094) has also disguised payloads using legitimate file names including a PowerShell payload named chrome.ps1. (Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used a malicious QR code that masqueraded as a legitimate package delivery service.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)    ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used an additional filename extension to hide the true file type. [Kimsuky](https://attack.mitre.org/groups/G0094) has also masqueraded malicious LNK files as PDF objects using the double extension .pdf.lnk.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also modified the registry entry for `HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key for persistence with the name WindowsSecurityCheck.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1111", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a proprietary tool to intercept one time passwords required for two-factor authentication.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1106", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has utilized Native APIs to collect data from victim hosts and facilitate execution of malicious scripts.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019) [Kimsuky](https://attack.mitre.org/groups/G0094) has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions that complicate static analysis.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has performed padding of PowerShell command line code with over 100 spaces.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged dynamic API 
resolution using custom hashing techniques.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has encoded malicious PowerShell scripts using Base64.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.012", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used the LNK icon location to execute malicious scripts.(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also padded the LNK target field properties with extra spaces to obscure the script.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated code within files by converting hexadecimal strings to decimal numbers using the `CLng function` in combination with processing arithmetic operations and leveraging the `Chr function` to generate readable characters.(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also encoded files with Base64 and RC4.(Citation: Aryaka Kimsuky July 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has utilized XOR and RC4 to encode malicious payloads.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has delivered malicious payloads within Zip archives.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obtained and used tools such as Nirsoft WebBrowserPassView, [Mimikatz](https://attack.mitre.org/software/S0002), and [PsExec](https://attack.mitre.org/software/S0029).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has stolen a valid certificate that is used to sign the malware and the dropper.(Citation: S2W Troll Stealer 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has gathered credentials using [Mimikatz](https://attack.mitre.org/software/S0002) and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used spearphishing to gain initial access and intelligence.(Citation: MSFT-AI)(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also distributed emails with attached compressed zip files that contained malicious .LNK files masquerading as legitimate files.(Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has delivered tailored PDF documents that contain malicious links.(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used tailored spearphishing emails to gather victim information including contact lists to identify additional targets.(Citation: Mandiant APT43 March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used links in e-mail to steal account information including web beacons for target profiling.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Proofpoint TA427 April 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) has also utilized QR codes (also known as Quishing) to direct victims to malicious links, relying on a mobile device to scan a code with an embedded malicious URL.(Citation: EnkiWhiteHat_KimsukyDOCSWAP_Dec2025)(Citation: FBI_KimsukyQR_Jan2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) can gather a list of all processes running on a victim's machine.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also obtained running processes on the victim device utilizing the PowerShell cmdlet `Get-Process`.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Win7Elevate to inject malicious code into explorer.exe.(Citation: Securelist Kimsuky Sept 2013)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to load DLLs via reflective injection by allocating memory using `VirtualAllocEx()`, then decrypting a DLL with `WriteProcessMemory()` and invoking execution through `CreateRemoteThread()`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1682", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used LLMs to identify think tanks, government organizations, and experts to inform targeting for spearphishing campaigns.(Citation: MSFT-AI) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has obtained specific Registry keys and values on a compromised host.(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.(Citation: Mandiant APT43 March 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) has also used reflective loading through .NET assembly using `[System.Reflection.Assembly]::Load`.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "showSubtechniques": true}, {"techniqueID": "T1219.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a modified TeamViewer client as a command and control channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Crowdstrike GTR2020 Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)(Citation: NaumaanProofpoint_GlobalClickFix_April2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has established persistence by creating a scheduled task named \u201cChromeUpdateTaskMachine\u201d through the PowerShell cmdlet `Register-ScheduledTask`, which was set to execute another PowerShell script once, five minutes after its creation, and then repeat periodically every 30 minutes.(Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also set scheduled tasks that run periodically using the PT1M repetition pattern, leveraging naming conventions of anti-virus software such as \"AhnlabUpdate\".(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has captured browser screenshots using [TRANSLATEXT](https://attack.mitre.org/software/S1201).(Citation: Zscaler Kimsuky TRANSLATEXT) [Kimsuky](https://attack.mitre.org/groups/G0094) has also obtained screen captures with custom malware.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1596", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used LLMs to better understand publicly reported vulnerabilities.(Citation: MSFT-AI)(Citation: OpenAI-CTI) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1593", "showSubtechniques": true}, {"techniqueID": "T1593.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1593.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1594", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has searched for information on the target company's website.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": 
"[Kimsuky](https://attack.mitre.org/groups/G0094) has used modified versions of open source PHP web shells to maintain access, often adding \"Dinosaur\" references within the code.(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has disabled actively running virtual environments using the `KillMe` function, including VMware, Microsoft hypervisors, and VirtualBox.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1684", "showSubtechniques": true}, {"techniqueID": "T1684.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has impersonated legitimate people, such as a foreign advisor, an embassy employee, and a think tank employee.(Citation: FBI_KimsukyQR_Jan2026) [Kimsuky](https://attack.mitre.org/groups/G0094) has also purported to be a Japanese diplomat to communicate with the victims.(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has checked for the presence of antivirus software with the PowerShell command `Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct`.(Citation: KISA Operation Muzabi) [Kimsuky](https://attack.mitre.org/groups/G0094) has also obtained details on antivirus software through WMI queries using `Win32_OperatingSystem` and `SecurityCenter2.AntiVirusProduct`.(Citation: Securonix Kimsuky February 2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also checked the status of Windows Defender through the use of `cmd /s sc query WinDefend`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": 
"T1176.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Netscout Stolen Pencil Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used compromised and acquired infrastructure to host and deliver malware, including Blogspot to host beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) has also hosted malicious payloads on Dropbox.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used malware, such as [TRANSLATEXT](https://attack.mitre.org/software/S1201), to steal and exfiltrate browser cookies.(Citation: Zscaler Kimsuky TRANSLATEXT)(Citation: S2W Troll Stealer 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.(Citation: ThreatConnect Kimsuky September 2020)(Citation: S2W Troll Stealer 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has executed malware with regsvr32.(Citation: Gen Digital Kimsuky HTTPTroy October 2025)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has enumerated OS type, OS version, and other information using a script or the \"systeminfo\" command.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://attack.mitre.org/groups/G0094) has also obtained system information such as OS type, OS version, and system type by querying various Windows Management Instrumentation (WMI) classes including `Win32_OperatingSystem`.(Citation: Securonix Kimsuky February 2025)(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used `ipconfig/all` and web beacons sent via email to gather network configuration information.(Citation: Talos Kimsuky Nov 2021)(Citation: Proofpoint TA427 April 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) has also identified host IP addresses leveraging the WMI class `Win32_NetworkAdapterConfiguration`.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has gathered the identity of the user by querying the `System.Security.Principal` namespace using the `GetCurrent()` method.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used an instrumentor script to gather the names of all services running on a victim's system.(Citation: Talos Kimsuky Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has gathered the system time of the device using the PowerShell cmdlet `Get-Date`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used [TRANSLATEXT](https://attack.mitre.org/software/S1201) to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": 
"[Kimsuky](https://attack.mitre.org/groups/G0094) has accessed Local State files associated with Chromium-based browsers that contain the AES key used to encrypt passwords stored in the browser, including `app_bound_encrypted_key`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used spearphishing attachments to entice victims into opening malicious files, including LNK files disguised with tailored filenames and fake extensions.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: NaumaanProofpoint_GlobalClickFix_April2025) [Kimsuky](https://attack.mitre.org/groups/G0094) has also delivered malicious payloads within archive files (e.g., ZIP), which display decoy documents upon execution while running malicious code in the background.(Citation: Gen Digital Kimsuky HTTPTroy October 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.004", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged ClickFix-type tactics, enticing victims to copy and paste malicious code.(Citation: NaumaanProofpoint_GlobalClickFix_April2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has detected and killed virtual environments by using the PowerShell cmdlet `Get-CimInstance` to read the computer system manufacturer and checking it with the statement `if($computerSystem.Manufacturer -match \"VMware\" -or $computerSystem.Manufacturer -match \"Microsoft\" -or $computerSystem.Manufacturer -match \"VirtualBox\")`.(Citation: Aryaka Kimsuky July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used [TRANSLATEXT](https://attack.mitre.org/software/S1201) and a dead drop resolver to retrieve configurations and commands from a public blog site.(Citation: Zscaler Kimsuky TRANSLATEXT) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Blogspot pages and a GitHub repository for C2.(Citation: Talos Kimsuky Nov 2021)(Citation: Zscaler Kimsuky TRANSLATEXT) [Kimsuky](https://attack.mitre.org/groups/G0094) has also leveraged Dropbox for downloading payloads and uploading victim system information.(Citation: Securonix Kimsuky February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, 
"maxValue": 1}, "legendItems": [{"label": "used by Kimsuky", "color": "#66b1ff"}]}