top of page

New reconnaissance tool ReconShark used by North Korean state-sponsored Kimsuky threat actor

Kimsuky, a state-sponsored threat actor from North Korea, has been discovered using a new reconnaissance tool called ReconShark. This latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferation to activate the infection sequence. Kimsuky is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. "ReconShark is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said. "Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target," the researchers said. "This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users." These messages contain links to booby-trapped Microsoft Word documents hosted on OneDrive to deploy ReconShark, which chiefly functions as a recon tool to execute instructions sent from an actor-controlled server. It's also an evolution of the threat actor's BabyShark malware toolset.


bottom of page