In late June 2025, a significant operational dump from North Korea’s Kimsuky APT group surfaced on a dark-web forum, exposing virtual machine images, VPS infrastructure, customized malware and thousands of stolen credentials.
This leak offers an unprecedented window into the group’s espionage toolkit, revealing how Kimsuky conducts phishing campaigns, maintains persistence and evades detection within critical networks across South Korea, the U.S., Japan and Europe.
Within hours of its posting, Foresiet analysts identified a wealth of artifacts—including browser histories, rootkit modules and stale GPKI certificates—that promise years of insight into DPRK cyber operations.
Foresiet researchers noted that the first dataset originated from the operator’s personal Deepin Linux virtual machine, complete with HGFS integration that preserved the host’s C: drive contents.
A desktop screenshot captures the attacker’s environment, showing custom proxy and user-agent extensions loaded in Chrome and Brave browsers.
The same VM dump revealed nearly 20,000 browser history records, exposing email addresses used for spear-phishing and links to internal backdoor documentation, such as a Chinese-language user guide for a custom implant.
The second dataset derived from a public-facing VPS hosted on vps.bz, where detailed auth.log files and SSL certificates were recovered.
These logs traced live spear-phishing operations against South Korea’s Defense Counterintelligence Command (dcc.mil.kr), the Supreme Prosecutor’s Office (spo.go.kr) and other high-value targets.
Among the most concerning finds were thousands of stolen South Korean Government Public Key Infrastructure (GPKI) certificates and their cracking tool, written in Java, enabling Kimsuky to impersonate officials and sign fraudulent documents without detection.
Kimsuky’s implant suite includes the Tomcat Kernel Rootkit, a loadable Linux module that hooks network functions for stealthy reverse shells, and a personalized Cobalt Strike beacon.
The beacon, last updated in June 2024, is embedded with custom C2 profiles and partially integrated with the kernel rootkit. It uses HTTP over port 8172, posting to /submit.php with a spoofed IE9 user-agent string.
This bespoke build demonstrates that Kimsuky is merging open-source frameworks with proprietary code to evade conventional detection.
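The beacon traits described above (HTTP on port 8172, POSTs to /submit.php, an IE9 user-agent) are exactly the kind of indicators a SOC can score in proxy or web-server logs. The following is an added detection example, not code from the leak or from Foresiet; the log format and the sample lines are constructed for illustration, and the weighting (any two indicators together raise an alert, because a legacy IE9 user-agent on its own is common in enterprise networks) is an assumption the analyst would tune locally.

```python
import re
from dataclasses import dataclass, field

# Constructed sample proxy log: src_ip method host:port path "user-agent"
# (these lines are made up for the example; the IPs are documentation ranges)
SAMPLE_LOG = """\
10.0.0.5 POST 203.0.113.10:8172 /submit.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.7 GET 198.51.100.3:443 /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.9 POST 203.0.113.10:8172 /submit.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.5 POST 203.0.113.10:80 /submit.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Indicators taken from the article: beacon port, C2 endpoint, spoofed browser string
BEACON_PORT = "8172"
BEACON_PATH = "/submit.php"
BEACON_UA_MARKER = "MSIE 9.0"


@dataclass
class Alert:
    src: str
    dst: str
    score: int
    reasons: list = field(default_factory=list)


def score_line(line):
    """Return an Alert describing how many beacon indicators one log line matches,
    or None if the line does not parse. Each indicator contributes one point."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["port"] == BEACON_PORT:
        reasons.append("destination port 8172")
    if m["method"] == "POST" and m["path"] == BEACON_PATH:
        reasons.append("POST to /submit.php")
    if BEACON_UA_MARKER in m["ua"]:
        reasons.append("IE9 user-agent")
    return Alert(m["src"], f'{m["host"]}:{m["port"]}', len(reasons), reasons)


def detect(log_text, threshold=2):
    """Return alerts for lines matching at least `threshold` indicators.
    A single indicator (e.g. a legacy IE9 UA) is too noisy to alert on alone."""
    alerts = []
    for line in log_text.splitlines():
        a = score_line(line)
        if a is not None and a.score >= threshold:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.src} -> {a.dst} score={a.score}: {', '.join(a.reasons)}")
```

Run against the constructed sample, three of the four lines reach the default threshold; only the first line matches all three indicators, so raising the threshold to 3 isolates the exact beacon profile while the lower threshold still surfaces variants that change one trait.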
Persistence Tactics
One of the most sophisticated persistence mechanisms uncovered is the Tomcat Kernel Rootkit.
After initial installation via a crafted installer script, the rootkit registers itself in the kernel’s module list and patches key functions in inet_sock_create and tcp_v4_connect to enable port knocking and SSL reverse shells.
A simplified excerpt from its init routine illustrates how it hooks the system call table:

    static int __init rootkit_init(void) {
        /* Clear CR0.WP (bit 16) so the read-only syscall table becomes writable */
        write_cr0(read_cr0() & (~0x10000));
        /* Save the genuine sys_kill handler so the hook can fall through to it */
        original_syscall = syscall_table[__NR_kill];
        /* Redirect the kill() entry to the rootkit's own handler */
        syscall_table[__NR_kill] = (unsigned long)hooked_kill;
        /* Restore write protection to hide the tampering */
        write_cr0(read_cr0() | 0x10000);
        return 0;
    }
This kernel-level implant allows the operator to remain undetected by user-space monitoring tools, forcing defenders to deploy specialized host-based detection rules.
By combining encrypted C2 traffic with port-knock authorization, the module ensures that only pre-authenticated connections can trigger the backdoor, effectively masking its presence within normal network flows.
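Because the hook above overwrites an entry in the system call table, the host-based check a defender wants is a table-integrity test: every pointer in sys_call_table should land inside the kernel's own text segment (between _stext and _etext), and an entry pointing elsewhere, typically into the module address range, is a hooked syscall. The following is an added example, not Foresiet's or the rootkit's code; the /proc/kallsyms excerpt, the module name and all addresses are constructed, and the syscall-table snapshot is assumed to come from a memory image or a kernel-side collector, since the table is not readable from user space on a hardened host.

```python
# Constructed /proc/kallsyms excerpt (addresses and the module name are made up).
# Format: address type symbol [module]
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81090000 T __x64_sys_kill
ffffffff810a0000 T __x64_sys_getpid
ffffffff81e00000 T _etext
ffffffff82000000 R sys_call_table
ffffffffc0a00000 t hooked_kill\t[tomcat_rk]
"""

# Constructed syscall-table snapshot keyed by x86_64 syscall number:
# __NR_getpid (39) still points into kernel text, __NR_kill (62) has been
# redirected to a module address, mirroring the hook in the article's excerpt.
SAMPLE_TABLE = {39: 0xFFFFFFFF810A0000, 62: 0xFFFFFFFFC0A00000}


def parse_kallsyms(text):
    """Map symbol name -> (address, module or None) from kallsyms-formatted text."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, name = int(parts[0], 16), parts[2]
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms[name] = (addr, module)
    return syms


def check_syscall_table(syms, table):
    """Return (syscall_nr, pointer, resolved_symbol, module) for each table entry
    whose target lies outside [_stext, _etext), i.e. outside core kernel text."""
    lo, _ = syms["_stext"]
    hi, _ = syms["_etext"]
    by_addr = {addr: (name, module) for name, (addr, module) in syms.items()}
    findings = []
    for nr, ptr in sorted(table.items()):
        if not (lo <= ptr < hi):
            name, module = by_addr.get(ptr, ("<unresolved>", None))
            findings.append((nr, ptr, name, module))
    return findings


if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_KALLSYMS)
    for nr, ptr, name, module in check_syscall_table(syms, SAMPLE_TABLE):
        print(f"syscall {nr} -> {ptr:#x} ({name}, module={module}) outside kernel text")
```

On the constructed data the check flags only syscall 62 (kill), resolving the pointer to hooked_kill in the tomcat_rk module. In practice the same comparison is what a kernel-side integrity module or a memory-forensics plugin performs; the user-space part is the symbol parsing and range test shown here.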