Exposed ‘Kim’ Dump Exposes Kimsuky Hackers New Tactics, Techniques, and Infrastructure

A massive data breach in early September 2025 attributed to a cyber actor known simply as “Kim” laid bare an unprecedented view into the operational playbook of Kimsuky (APT43).

The leak, comprising terminal history files, phishing domains, OCR workflows, compiled stagers, and a full Linux rootkit, revealed a credential-centric campaign that targeted South Korean government PKI systems and Taiwanese academic networks.

The artifacts include bash histories that showcase iterative shellcode development with NASM, alongside OCR commands used to extract configurations from Korean-language PDF documents related to PKI and VPN deployments.

The scope of the breach highlights an evolution in technique, blending old-school rootkit persistence with sophisticated adversary-in-the-middle phishing infrastructure.

Adversary’s desktop VM (Source – Domaintools)

Domaintools analysts identified evidence of domain telemetry pointing to a sprawling network of malicious sites mimicking official Korean portals, including nid-security.com and webcloud-notice.com.

These sites employed real-time TLS proxies to intercept credentials, a marked shift from document-based harvesting toward active AiTM interception.

The dump further contained PAM logs detailing administrative password rotations—tagged 변경완료 (“change complete”)—for high-privilege accounts such as oracle, svradmin, and app_adm01. Plaintext GPKI key files like 136백운규001_env.key confirmed direct compromise of South Korean government cryptographic assets.

Beyond South Korea, Domaintools researchers noted that the actor conducted targeted reconnaissance of Taiwanese government and research institutions, accessing .git directories to enumerate exposed source repositories and harvest embedded secrets.

Domain connections map (Source – Domaintools)

IP addresses such as 163.29.3.119 and 118.163.30.45, registered to Taiwanese government backbones, underscore deliberate supply-chain probing.

The presence of burner email addresses linked to phishing kits, alongside logs of reconnaissance against gitee.com and baidu.com, reflects a hybrid DPRK–PRC footprint that leverages Chinese infrastructure for staging and evasion.

Infection Mechanism

A closer examination of the malware’s infection mechanism reveals a two-stage loader that combines custom shellcode with publicly available frameworks.

The initial payload is a handcrafted NASM shellcode stub, assembled with flags such as -f win32, that allocates memory via VirtualAlloc and resolves Win32 API calls through hashed import tables:

; start.asm  (illustrative stub; assemble with: nasm -f win32 start.asm)
BITS 32
global _start
; For illustration the stub links against kernel32's import symbol.
; The real shellcode carries no imports: it walks the loader's
; export tables and matches API names by hash instead.
extern _VirtualAlloc@16
section .text
_start:
    ; LPVOID VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
    ; stdcall: arguments are pushed right to left
    push 0x40               ; flProtect        = PAGE_EXECUTE_READWRITE
    push 0x3000             ; flAllocationType = MEM_COMMIT | MEM_RESERVE
    push 4096               ; dwSize           = one 4 KiB page
    push 0                  ; lpAddress        = NULL (let the kernel choose)
    call _VirtualAlloc@16   ; EAX receives the base of the new region
    ; Hash-based API resolution and payload injection follow

Once memory is allocated, the loader decrypts and patches a secondary payload—often a Cobalt Strike-derived stager—into the process before transferring execution to it.

This approach evades signature-based detection, as the shellcode is polymorphic and the API calls are obfuscated by simple XOR hashing routines.

Persistence is achieved through a bespoke Linux rootkit, vmmisc.ko, which hooks syscalls such as read and getdents to conceal files, directories, and network sockets.

Upon insertion via insmod /usr/lib64/tracker-fs/vmmisc.ko, the rootkit decompresses an embedded userland backdoor binary, then installs a SOCKS5 proxy and PTY-based reverse shell protected by a passphrase (testtest).

Rootkit implant (Source – Domaintools)

The rootkit’s dual-mode binary embedding technique merges the kernel module and userland executable, leaving only the .ko file on disk to thwart forensic discovery.
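As an added defender-side example (not code from the Domaintools report or from the dump), the check below first pulls the insmod targets out of shell-history lines like the one quoted above, then applies a cross-view test for the getdents hiding the rootkit performs: a path that stat() confirms on disk but whose parent directory listing omits is being concealed. The history lines are constructed; only the vmmisc.ko path comes from the article.

```python
import os
import re
import tempfile
from typing import Callable, Iterable

# Constructed sample shell history. The tracker-fs path is the one the
# article quotes; the other lines are filler for the parser.
SAMPLE_HISTORY = """\
ls -la /tmp
insmod /usr/lib64/tracker-fs/vmmisc.ko
nasm -f win32 start.asm -o start.o
sudo insmod ./drivers/dummy.ko
"""

INSMOD_RE = re.compile(r"(?:^|\s)(?:insmod|modprobe)\s+(\S+\.ko)\b")


def loaded_module_paths(history: str) -> list[str]:
    """Return every .ko path handed to insmod/modprobe in a shell history."""
    return [m.group(1) for line in history.splitlines()
            for m in [INSMOD_RE.search(line)] if m]


def hidden_entries(paths: Iterable[str],
                   list_dir: Callable[[str], list[str]] = os.listdir,
                   exists: Callable[[str], bool] = os.path.lexists) -> list[str]:
    """Cross-view check: lexists() goes through stat(), list_dir() through
    getdents(). A file the former sees and the latter omits is being hidden."""
    hidden = []
    for p in paths:
        parent, name = os.path.split(p)
        if not exists(p):
            continue  # nothing on disk at that path, so nothing to hide
        try:
            listing = list_dir(parent)
        except OSError:
            continue  # parent unreadable; report nothing rather than guess
        if name not in listing:
            hidden.append(p)
    return hidden


def simulate_hooked_listing() -> tuple[list[str], list[str]]:
    """Stand-in for a getdents hook: drop 'vmmisc.ko' from a real directory
    listing and return (unhooked result, hooked result) for the same file."""
    with tempfile.TemporaryDirectory() as d:
        ko = os.path.join(d, "vmmisc.ko")
        open(ko, "wb").close()
        hooked = lambda p: [n for n in os.listdir(p) if n != "vmmisc.ko"]
        return hidden_entries([ko]), hidden_entries([ko], list_dir=hooked)
```

On a live host, feed `hidden_entries()` the paths recovered from history, audit logs or `/proc/modules` rather than the simulated listing; a non-empty result is a strong signal that a directory-hiding hook is active.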

Attack chain (Source – Domaintools)

This infection chain underscores a blend of manual tool assembly and opportunistic use of open-source repositories such as TitanLdr and Blacklotus, demonstrating Kimsuky’s growing sophistication.

Organizations across South Korea and Taiwan must now anticipate multi-stage, credential-first attacks that combine low-level shellcode engineering with stealthy kernel-mode implants.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.