North Korean hacker group exposed in suspected data breach

A large North Korean hacker group has been exposed in an alleged data breach involving two compromised systems, where a Kimsuky APT member suffered a suspected massive leak.

A member of the suspected North Korean hacker group Kimsuky Advanced Persistent Threat (APT) has reportedly suffered a major data breach, resulting in the leak of hundreds of gigabytes of internal files and tools.

North Korean hacker group exposed in suspected data breach

According to Slow Mist security researchers, the leaked Kimsuky hacker data includes browser histories, phishing campaign logs, manuals for custom backdoors, and offensive systems such as the TomCat kernel backdoor, modified Cobalt Strike beacons, Ivanti RootRot, and Android-based malware variants like Toybox.

The reports suspect that the data breach occurred in early June 2025, and traced it back to two compromised systems linked to a Kimsuky operator working under the “KIM” alias. One was a Linux development workstation running Deepin 20.9, while the other was a public-facing VPS. The Linux system likely served as a malware development environment, while the other hosts spear-phishing material, including fake login portals and command-and-control links.

The hackers behind the breach, calling themselves “Saber” and “cyb0rg,” claim they accessed and exfiltrated the contents of both systems before publishing them online. While some indicators tie “KIM” to Kimsuky’s known infrastructure, other linguistic and technical clues suggest a possible Chinese link, so for now KIM’s origins remain unresolved.

Kimsuky has operated since at least 2012

Kimsuky has connections to North Korea’s Reconnaissance General Bureau since it first popped up in 2012. The group has long specialized in cyber-espionage targeting governments, think tanks, defense contractors, and academia.

In early 2025, Kimsuky campaigns like DEEP#DRIVE used multi-stage intrusion chains beginning with compressed ZIP files containing Windows shortcut (LNK) files disguised as documents. When victims open those files, the LNK files launch PowerShell commands that retrieve malicious payloads from services like Dropbox, using decoy documents to appear legitimate and avoid detection.

Kimsuky campaigns from March and April of 2025 introduced jumbled VBScript and PowerShell code embedded in malicious ZIP archives. These scripts assembled commands covertly, deploying malware to harvest keystrokes, capture clipboard data, and steal cryptocurrency wallet keys from browsers, including Chrome, Edge, Firefox, and Naver Whale.

Some operations shifted to using malicious LNK files paired with VBScript that invoked mshta.exe to execute reflective DLL-based malware directly in memory.

Around the same period, Kimsuky began deploying custom RDP Wrapper modules and proxy malware to enable stealthy remote access. Info-stealers like forceCopy were used to harvest credentials from browser configuration files without triggering standard password-access alerts.

The group has also abused popular cloud and code-hosting services. In one spear-phishing campaign in June 2025 targeting South Korea, private GitHub repositories were used to store malware and exfiltrated data. These campaigns delivered payloads such as XenoRAT while using Dropbox as a staging ground for stolen files. This dual use of trusted platforms for both delivery and exfiltration allowed Kimsuky to hide its malicious activity within the legitimate network’s traffic.

If you're reading this, you’re already ahead. Stay there with our newsletter.