North Korean Kimsuky Hackers Data Breach


A massive leak of internal tooling, backdoors, and intelligence-gathering artifacts attributed to North Korea’s state-sponsored APT group Kimsuky has been published online by presumed insiders. 

The 34,000-page dump exposes live phishing infrastructure, kernel-level backdoors, Cobalt Strike payloads, and stolen government certificates.

Key Takeaways
1. Insider leak of Kimsuky’s full phishing toolkit targeting dcc.mil.kr.
2. Discovery of Tomcat kernel LKM backdoor and custom Cobalt Strike beacon.
3. Compromise includes stolen GPKI certificates, MoFA email code, and onnara_sso access to internal South Korean networks.

Kimsuky Hackers Data Breach

According to Saber (“cyborg”), the archive includes the full source of a custom phishing platform used against South Korea’s Defense Counterintelligence Command (dcc.mil.kr). Among the recovered files are generator.php and config.php.


An IP blacklist in config.php drops requests from security vendor scanner ranges (Trend Micro, Google) so the fake site is not flagged.

Victims entering credentials at the spoofed HTTPS domain are immediately redirected back to a legitimate https://dcc.mil[.]kr URI, triggering a login error and masking the credential theft.

Among the artifacts is a Tomcat Remote Kernel Backdoor (LKM) that watches for a secret TCP SEQ + IP ID “knock” and, on a match, spawns a hidden master.c process.

Once triggered, the module opens an SSL-encrypted channel between attacker and victim. The hardcoded master password “Miu2jACgXeDsxd” remains constant across deployments.

In addition, a Private Cobalt Strike Beacon written in Java was recovered, with configuration parameters:

  • BeaconType: HTTP
  • Port: 8172
  • SleepTime: 60842 ms
  • UserAgent: Mozilla/5.0 (compatible; MSIE 9.0…)

The source code directory (.idea/workspace.xml) shows active development as recently as June 2024.

The leak also contains a full dump of the South Korean Ministry of Foreign Affairs email server code (mofa.go.kr[.]7z) and stolen Government Public Key Infrastructure (GPKI) certificates protected by a cracked Java utility (cert.java).

Brute-force logs record repeated password attempts (5697452641) against unification.go.kr and spo.go[.]kr.

Developers planted an SSO tool named onnara_sso with code referencing onnara9.saas.gcloud.go.kr, indicating persistent access to internal government portals.

This unprecedented data dump offers defenders a deep look at Kimsuky’s TTPs: port knocking, in-memory kernel implants, custom C2 frameworks, and abuse of stolen certificates. 

Organizations in South Korea and allied nations should immediately audit exposed code patterns, revoke compromised certificates, and deploy network-level detection for anomalous TCP SEQ/IP ID combinations.
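The article recommends detecting anomalous TCP SEQ/IP ID combinations but, since the leak’s actual knock condition is not disclosed here, any detector has to rely on statistical heuristics. The following is an added example (not code from the leak or from the article) that applies two such heuristics to constructed SYN records: an exact (seq, ipid) pair that recurs toward one host, which random ISN and IP ID generation essentially never produces, and an IP ID that is a trivial function of the sequence number (assumed here to be its low 16 bits).

```python
from collections import defaultdict

# Constructed sample SYN records, not real capture data:
# (src, dst, sport, tcp_seq, ip_id)
SAMPLE_SYNS = [
    ("203.0.113.5",  "192.0.2.10", 51002, 0x9A1F33C0, 0x1B2D),  # normal
    ("203.0.113.5",  "192.0.2.10", 51003, 0x0C77E1A9, 0x4E90),  # normal
    ("198.51.100.7", "192.0.2.10", 40000, 0xDEADBEEF, 0x2A2A),  # same pair ...
    ("198.51.100.7", "192.0.2.10", 40001, 0xDEADBEEF, 0x2A2A),  # ... repeated
    ("198.51.100.7", "192.0.2.10", 40002, 0xDEADBEEF, 0x2A2A),  # ... three times
    ("203.0.113.9",  "192.0.2.11", 33333, 0x12345678, 0x5678),  # ipid == seq & 0xFFFF
]


def repeated_pairs(syns, threshold=3):
    """Return {(dst, seq, ipid): [(src, sport), ...]} for exact pairs seen on
    at least `threshold` distinct SYNs toward the same host. A conforming
    stack randomises both fields, so an exact repeat is a strong signal."""
    seen = defaultdict(list)
    for src, dst, sport, seq, ipid in syns:
        seen[(dst, seq, ipid)].append((src, sport))
    return {key: hits for key, hits in seen.items() if len(hits) >= threshold}


def correlated_fields(syns):
    """Return SYNs whose IP ID equals the low 16 bits of the TCP sequence
    number (assumed heuristic). For independent random fields this holds
    with probability about 1/65536 per packet, so hits deserve a look."""
    return [pkt for pkt in syns if pkt[4] == (pkt[3] & 0xFFFF)]


def alerts(syns, threshold=3):
    """Combine both heuristics into human-readable alert strings."""
    out = []
    for (dst, seq, ipid), hits in repeated_pairs(syns, threshold).items():
        out.append(f"repeated knock-like pair to {dst}: seq=0x{seq:08x} "
                   f"ipid=0x{ipid:04x} from {sorted(set(s for s, _ in hits))}")
    for src, dst, sport, seq, ipid in correlated_fields(syns):
        out.append(f"correlated SEQ/IPID from {src}:{sport} to {dst}: "
                   f"seq=0x{seq:08x} ipid=0x{ipid:04x}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_SYNS):
        print(line)
```

On real traffic, feed the function SYN tuples extracted from a capture or flow log; tune `threshold` to the retransmission behaviour of your own hosts, since a retransmitted SYN legitimately repeats its sequence number but normally not its IP ID.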




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.