
GPKI Certificates, Rootkits, and Cobalt Strike Assets Uncovered

A comprehensive operational dump from the North Korean Kimsuky APT organization, also known as APT43, Thallium, or Velvet Chollima, appeared on a dark web forum, a rare exposure of a state-sponsored cyber espionage operation's internal workings.

This leak, comprising virtual machine images, VPS dumps, phishing kits, rootkits, and over 20,000 browser history records, provides an unparalleled glimpse into the group’s infrastructure and tactics.

Active since 2012, Kimsuky has targeted entities in South Korea, the U.S., Japan, and Europe for intelligence gathering, employing custom malware alongside tools like Cobalt Strike.

The leaked data, captured around June 10, 2025, from operator “KIM’s” Deepin Linux 20.9 VM and a vps.bz-hosted server, exposes not just isolated campaigns but the full operational backbone, including credential caches, malware development, and persistence mechanisms.

For cybersecurity researchers, this represents a critical intelligence windfall, enabling detailed analysis of how Kimsuky maintains access across sectors like government, defense, telecommunications, and academia.

Phishing Infrastructure Revealed

The dump disclosed a suite of sophisticated implants, including the Tomcat Kernel Rootkit, a Linux LKM backdoor featuring TCP knocking, SSL reverse shells, and root-level persistence.

Accompanying it was a customized Cobalt Strike Beacon with tailored C2 profiles, operating over HTTP on port 8172, spoofing IE9 user agents, and integrating with a Linux kernel module (hkcap.c) for enhanced stealth.

Image caption: Kimsuky APT group data leaked on a dark web forum

Researchers also uncovered the Ivanti “RootRot” implant, a persistent backdoor surviving patches, alongside the Bushfire Exploit Kit exploiting 2025 Ivanti CVEs (CVE-2025-0282, CVE-2025-0283, CVE-2025-22457), showing code overlaps with Chinese APT UNC5221 and suggesting inter-state tool-sharing.

The SpawnChimera backdoor, embedded in infrastructure tied to South Korean newspaper The Hankyoreh (hani.co.kr), utilized TLS Client Hello packets with CRC32 checksums for covert C2, evading detection by blending into HTTPS traffic.

Phishing operations were industrialized via generator.php scripts spoofing domains like dcc.mil.kr (South Korean Defense Counterintelligence Command) and mofa.go.kr (Foreign Ministry), with config.php blacklisting IPs from Google and Trend Micro to thwart automated scanning.

Logs revealed active campaigns against high-value targets, including the Supreme Prosecutor’s Office (spo.go.kr), korea.kr, Daum, Kakao, and Naver, just days before the dump.

A compressed archive of the Foreign Ministry’s email system source code, exfiltrated around April 2025, included hardcoded authentication endpoints, potentially enabling backdoor implantation or highly convincing phishing lures.

Broader Implications

Among the most alarming finds were thousands of stolen South Korean GPKI certificates and keys, brute-forced via a custom Java tool, allowing impersonation of officials for document signing and secure portal access.

Credential hoarding was rampant, with recycled patterns like “1qaz2wsx” across VPS and email accounts, highlighting operational weaknesses.

Image caption: Kimsuky operator recycling password patterns across multiple accounts

Browser extensions for user-agent spoofing, proxy management, and cookie manipulation underscored the group's tradecraft, while a custom backdoor manual (ko图文编译.doc), written in Chinese, included warnings against misuse of the tool.

Operator habits painted a human picture: routine 09:00-17:00 Pyongyang-time logins, Google Translate usage for Korean-to-Chinese conversions, and searches on chacha20/arc4 cryptography.

These OPSEC failures, from weak XOR encryption in exploits to credential reuse, expose vulnerabilities in DPRK’s cyber apparatus.

Strategically, the leak underscores credential-centric persistence, cross-border collaborations, and factory-like phishing, offering defenders actionable insights into emerging threats like mobile espionage tools (ToyBox fork) and Ivanti exploitation waves.

This exposure could disrupt Kimsuky’s campaigns, emphasizing the need for enhanced monitoring of state actors’ human elements.
