Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook

Date: 09/05/2025
Tags: APT43, China, Cyber Espionage, North Korea

---

Executive Summary

A significant data breach dubbed the “Kim” dump exposes the operations of North Korea-affiliated Kimsuky (APT43), revealing credential theft tactics aimed at South Korean and Taiwanese networks. The leak points to a hybrid operation, with DPRK attribution combined with Chinese tooling and infrastructure, and it includes bash histories, phishing domains, OCR workflows, compiled malware, and rootkits. The material shows an expansion in the actor's activities, nature, and goals in infiltrating South Korean government systems, potentially with regional Chinese support.

The report is divided into:
- Technical analysis of the leaked materials
- Motivational and strategic goals of the actor
- A comprehensive threat intelligence report for analysts

---

Part I: Technical Analysis

Leak Overview

- The dump contains terminal histories showing active manual malware development (the NASM assembler used for shellcode).
- OCR commands parsed Korean-language PKI and VPN PDF documents to extract configuration details.
- Privileged Access Management (PAM) logs show password changes and the use of high-level administrative accounts.
- Phishing infrastructure mimics legitimate South Korean government websites, using domains such as nid-security[.]com to conduct Adversary-in-the-Middle (AiTM) credential theft.
- Targets include Taiwanese government and academic institutions, with network reconnaissance that included access to .git repositories.
- An embedded Linux rootkit employs syscall hooking and stealth persistence for covert command-and-control operations.

Credential Theft Focus

- Stolen South Korean government PKI material was evident in leaked .key files tied to identity-bound certificates.
- PAM logs record administrative password rotations marked "change complete" (변경완료) on privileged accounts such as oracle, svradmin, and app_adm01, indicating persistent privileged access.
- The strategy centers on credential harvesting, retention of privileged digital identities, and exploitation within trusted government environments.

Phishing Infrastructure

- Extensive, regionally tailored domains mimic Korean government and service portals (e.g., dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr).
- Burner email addresses are tied to phishing campaigns capable of real-time credential capture via TLS proxies.
- The use of AiTM phishing indicates an evolution beyond simple phishing documents.

Malware Development

- Manual NASM shellcode compilation targeting Windows (-f win32), with API call obfuscation to evade detection.
- Use of offensive tools from GitHub/Gitee, including TitanLdr, minbeacon, and Cobalt Strike extensions.
- Network reconnaissance via proxy configuration extraction using the proxyres library suggests attempts to manipulate network traffic and evade defenses.

Rootkit Implant

- A stealthy Linux kernel-mode rootkit (vmmisc.ko) uses syscall hooking to hide files and processes, and includes a SOCKS5 proxy, backdoor shells, and encrypted command sessions.
- The implant is installed under a path that mimics legitimate system files (/usr/lib64/tracker-fs) to avoid detection.
- Commands exist for hiding/unhiding files, managing backdoors, and proxying traffic.
- The implant's characteristics align with known DPRK tools that emphasize stealth, persistence, and covert data exfiltration.

OCR Reconnaissance

- OCR commands (ocrmypdf) extracted bilingual Korean/English data from classified Korean PKI and VPN specification PDFs, indicating efforts to understand and clone national identity infrastructure.

SSH and Authentication Log Analysis

- Brute-force SSH attempts came from IPs tied to China and to VPS providers known for malicious activity.
- PAM logs show successful superuser logins labeled "Super Administrator" in Korean,
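The two log patterns the report singles out, SSH brute force from a single source that later succeeds, and "change complete" (변경완료) password rotations on privileged accounts, can both be triaged from the raw log lines. The script below is an added example written for this page; it is not code from the leak or from the original report. The log lines are constructed: the sshd lines follow the standard syslog format, while the PAM-product lines use a key=value layout assumed for illustration, since the report does not show the product's real format. The account names (oracle, svradmin, app_adm01) and the Korean marker are taken from the report; the timestamps and addresses are made up.

```python
"""Triage of SSH and privileged-account log lines (added example, not from the leak)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Privileged accounts named in the report; a rotation on any of them is reviewed.
PRIVILEGED_ACCOUNTS = {"oracle", "svradmin", "app_adm01", "root"}

# Korean marker for "change complete" that the report says tagged the rotations.
CHANGE_COMPLETE = "변경완료"

# Constructed sample log. sshd lines: syslog style. "pam:" lines: an assumed
# key=value layout standing in for the PAM product's real format.
SAMPLE_LOG = """\
2025-04-01T02:14:01 srv01 sshd[4410]: Failed password for root from 203.0.113.7 port 50211 ssh2
2025-04-01T02:14:03 srv01 sshd[4412]: Failed password for admin from 203.0.113.7 port 50214 ssh2
2025-04-01T02:14:05 srv01 sshd[4415]: Failed password for oracle from 203.0.113.7 port 50220 ssh2
2025-04-01T02:14:08 srv01 sshd[4419]: Failed password for root from 203.0.113.7 port 50231 ssh2
2025-04-01T02:14:10 srv01 sshd[4420]: Failed password for root from 203.0.113.7 port 50235 ssh2
2025-04-01T02:14:12 srv01 sshd[4421]: Failed password for root from 203.0.113.7 port 50239 ssh2
2025-04-01T02:15:00 srv01 sshd[4430]: Accepted password for oracle from 203.0.113.7 port 50301 ssh2
2025-04-01T03:00:00 srv01 pam: account=oracle action=passwd_change status=변경완료 by=svradmin
2025-04-01T03:00:30 srv01 pam: account=app_adm01 action=passwd_change status=변경완료 by=svradmin
2025-04-01T09:12:00 srv01 sshd[5001]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2025-04-01T09:12:40 srv01 sshd[5002]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
2025-04-01T11:00:00 srv01 pam: account=alice action=passwd_change status=변경완료 by=alice
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
PAM_RE = re.compile(
    r"^(?P<ts>\S+) \S+ pam: account=(?P<account>\S+) action=passwd_change "
    r"status=(?P<status>\S+) by=(?P<by>\S+)"
)


def parse_lines(text):
    """Yield (timestamp, kind, fields) for every line in a recognised format."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), "ssh", m.groupdict()
            continue
        m = PAM_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), "pam", m.groupdict()


def find_bruteforce_then_success(text, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> users for which a login succeeded after at least
    `threshold` failures from that IP inside a sliding `window`."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    hits = {}
    for ts, kind, f in parse_lines(text):
        if kind != "ssh":
            continue
        ip = f["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if f["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            hits.setdefault(ip, []).append(f["user"])
        failures[ip] = recent
    return hits


def find_privileged_rotations(text):
    """Return (account, changed_by) pairs where a privileged account's password
    was rotated to 'change complete' by a different account. Each such pair
    should be matched against an approved change record."""
    out = []
    for _, kind, f in parse_lines(text):
        if kind != "pam" or f["status"] != CHANGE_COMPLETE:
            continue
        if f["account"] in PRIVILEGED_ACCOUNTS and f["by"] != f["account"]:
            out.append((f["account"], f["by"]))
    return out


if __name__ == "__main__":
    print(find_bruteforce_then_success(SAMPLE_LOG))
    print(find_privileged_rotations(SAMPLE_LOG))
```

The brute-force check keys on a success following a burst of failures from the same address, which is the sequence worth paging on; a burst alone is background noise on any exposed SSH port. The rotation check deliberately ignores self-service changes and surfaces only third-party rotations of the accounts the report names, so that each one can be reconciled with a change ticket.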
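The Rootkit Implant section above describes vmmisc.ko hiding itself through syscall hooking. A module that unlinks itself from the kernel's module list no longer appears in /proc/modules (and so not in lsmod), but the /sys/module/<name> directory created when it loaded normally remains, and loadable modules carry an initstate file there that built-in kernel code exposing only parameters does not. The check below is an added example, not code from the leak or the report: it compares the two views and reports loadable modules present in sysfs but missing from the list. The sample /proc/modules text and sysfs entries are constructed; the module name vmmisc comes from the report.

```python
"""Hidden-kernel-module heuristic (added example, not from the leak or the report)."""
import os

# Constructed /proc/modules contents: three ordinary modules are listed.
SAMPLE_PROC_MODULES = """\
ext4 745472 1 - Live 0x0000000000000000
xfs 1589248 0 - Live 0x0000000000000000
nf_tables 262144 0 - Live 0x0000000000000000
"""

# Constructed /sys/module view as (name, has_initstate) pairs. 'printk' is a
# built-in that only exposes parameters, so it has no initstate and must not be
# flagged. 'vmmisc' still has its sysfs directory but is gone from the list.
SAMPLE_SYS_MODULE = [
    ("ext4", True),
    ("xfs", True),
    ("nf_tables", True),
    ("printk", False),
    ("vmmisc", True),
]


def find_hidden_modules(proc_modules_text, sys_module_entries):
    """Return module names that sysfs shows as loadable (initstate present)
    but that are absent from the /proc/modules listing."""
    listed = {
        line.split()[0]
        for line in proc_modules_text.splitlines()
        if line.strip()
    }
    return sorted(
        name
        for name, has_initstate in sys_module_entries
        if has_initstate and name not in listed
    )


def read_sys_module_entries(root="/sys/module"):
    """Collect (name, has_initstate) pairs from a live Linux host."""
    return [
        (name, os.path.exists(os.path.join(root, name, "initstate")))
        for name in os.listdir(root)
    ]


def check_live_host():
    """Run the heuristic against the running kernel (Linux only)."""
    with open("/proc/modules", encoding="utf-8") as fh:
        proc_text = fh.read()
    return find_hidden_modules(proc_text, read_sys_module_entries())


if __name__ == "__main__":
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
    if os.path.isdir("/sys/module"):
        print("live:", check_live_host())
```

A hit from this check is a lead, not a verdict: a module that legitimately unloaded while its sysfs directory was still being torn down can appear for an instant, so re-run before acting. A rootkit that also scrubs its sysfs entry defeats the check, which is why it belongs alongside integrity monitoring of the module tree and of unusual paths such as the /usr/lib64/tracker-fs location the report cites.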