Suspected Data Breach Exposes Kimsuky Hacker Group’s Operations
What led to the massive leak that exposed North Korea's elite hacker group?
How did the leak impact North Korea's cyber espionage operations?
Who is the Kimsuky hacker group and why are they significant?

- A June 2024 breach exposes the inner workings of the Kimsuky hacking group.
- Leaked data details phishing tools, malware, and government reconnaissance materials.
A suspected data breach on June 6, 2025 exposed the operations and tools of Kimsuky, a North Korean-aligned advanced persistent threat (APT) group. On August 13, 2025, PANews reported that hackers had compromised two systems belonging to a Kimsuky operator identified as "KIM," citing information from SlowMist CISO 23pds. The affected systems included a Linux workstation running Deepin 20.9 used for malware development and a public-facing virtual private server (VPS) used for spear-phishing campaigns.
A hacking duo, "Saber" and "cyb0rg," claimed responsibility for the breach. Describing their actions as ethically motivated, the duo criticized Kimsuky for its political and financial motives and published approximately 3 gigabytes of leaked data on the "Distributed Denial of Secrets" platform. This dataset provides a revealing view of Kimsuky’s infrastructure, including its phishing frameworks, espionage tools, and operational details.
The exposed files highlighted Kimsuky's phishing techniques and tools. For instance, phishing logs revealed email accounts linked to South Korea's National Intelligence Service, the Korea Defense and Security Research Institute, the Ministry of Unification, and major domains like spo.go.kr, korea.kr, daum.net, and naver.com. The dataset also contained PHP generator kits for creating phishing websites and live phishing kits that actively targeted victims.
Furthermore, the breach disclosed malware demonstrating Kimsuky’s offensive capabilities. The leak included customized Cobalt Strike beacons, TomCat kernel backdoors, and Android malware like FastViewer. In addition, the exposed materials included Kimsuky’s specialized tools, such as its proprietary Cobalt Strike loaders, Onnara proxy modules, and reverse shells.
Operational data from the breach revealed Kimsuky's reconnaissance and command-and-control methods. Browser histories, campaign logs, and Bash history files showed SSH connections to internal systems. The browser history also showed visits to Taiwanese government and military websites and interactions with VPN services purchased through cryptocurrency. Additionally, the files contained a compressed archive with the source code for South Korea’s Ministry of Foreign Affairs email platform.
While evidence strongly links the operator "KIM" to Kimsuky’s known operations, the data also contained linguistic and technical indicators pointing to possible Chinese origins. These indicators raise questions about the operator's precise affiliation, adding complexity to attribution efforts.
This breach has significant implications for cybersecurity and international relations, as exposing Kimsuky’s tools and infrastructure may disrupt its ongoing operations and help security researchers counteract its methods. The leaked data offers valuable intelligence on the group’s tactics, techniques, and targeting priorities, particularly highlighting Kimsuky's focus on South Korean government and military entities.