Friday, May 2, 2025

North Korean Kimsuky Group Attacking University Professors


Kimsuky, a North Korean APT group, employs targeted phishing campaigns, leveraging DMARC exploitation to conceal social engineering, infiltrate university networks, and steal research for the Reconnaissance General Bureau. 

It aligns with North Korea’s goal of intelligence acquisition to advance its scientific capabilities, mirroring past actions of stealing nuclear, healthcare, and pharmaceutical research. 

The recent exposure of Kimsuky’s OPSEC failures provides critical insights into their operations and reinforces the ongoing threat posed by this cyber espionage group. 


Kimsuky leverages compromised internet hosts, including audko [store], dorray [site], and others, as staging grounds for attacks by deploying a heavily obfuscated webshell dubbed “Green Dinosaur,” derived from Indrajith Mini Shell 2.0, onto these compromised systems.

“Green Dinosaur” webshell

This webshell, stripped of unnecessary functions for evasion, enables remote operators to upload, download, rename, and delete files, facilitating the creation of phishing websites. 

Kimsuky has crafted phishing pages that mirror legitimate university login portals, specifically those of Dongduk, Korea, and Yonsei universities. The pages have been modified to capture credentials, bypass standard encryption, and redirect victims to a decoy PDF hosted on Google Drive.


The PDF, disguised as an invitation to the Asan Institute for Policy Studies August Forum, is likely a social engineering tactic to increase victim trust.

Credential theft occurs through a PHP script that logs username, password, and login attempts to a server file.

Screenshot of the j_spring_security_check.php code

The phishing pages use modified JavaScript code to steal login credentials for Korea and Yonsei universities. The attack injects malicious code into legitimate login pages that resemble the real university portals.

Korea University’s attack alters JavaScript to capture user input, while Yonsei University’s attack modifies HTML to achieve the same result.

Both targets use login.php to receive stolen credentials but ultimately redirect to the genuine login pages. This avoids immediate suspicion and leverages trust in the established university portals to trick victims into surrendering their login information.

Screenshot of the modified Yonsei login page HTML code
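A defender-side check for the HTML variant described above, added here as an example (it is not code from the article or from Resilience): it parses a saved login page and flags password forms whose action resolves off the expected portal origin or to one of the receiver file names the article reports. The function names, sample HTML and `.example` hostnames are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File names the article reports as credential receivers on the phishing hosts.
REPORTED_RECEIVERS = {"login.php", "j_spring_security_check.php"}

class FormCollector(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "has_password": False})
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_login_page(html, page_url, expected_origin):
    """Return (resolved_action, reasons) for password forms that post somewhere unexpected."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions against the URL the page was served from.
        target = urlsplit(urljoin(page_url, form["action"]))
        reasons = []
        if f"{target.scheme}://{target.netloc}" != expected_origin:
            reasons.append("off-origin")
        if target.path.rsplit("/", 1)[-1].lower() in REPORTED_RECEIVERS:
            reasons.append("reported-receiver-name")
        if reasons:
            findings.append((target.geturl(), reasons))
    return findings

# Constructed samples; hostnames are placeholders, not indicators from the article.
PORTAL = "https://portal.university.example"
GENUINE = '<form action="/sso/auth" method="post"><input type="password" name="pw"></form>'
CLONE = '<form action="login.php" method="post"><input type="password" name="pw"></form>'
```

This covers only the form-action change; the JavaScript-based capture described for the Korea University page needs a comparison of the served scripts against known-good copies instead.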

Kimsuky employs a generic phishing toolkit to target Naver accounts. The toolkit functions as a rudimentary proxy, similar to Evilginx, and is designed to capture cookies and credentials from unsuspecting victims.

Once compromised, users are presented with deceptive pop-ups mimicking server communication errors, prompting them to re-enter login details. Upon clicking “OK,” victims are redirected to a fraudulent Naver login page, where their credentials are stolen. 

By leveraging a custom PHPMailer implementation named “SendMail” hosted on GreenDinosaur to distribute phishing emails, the attacker compromised a Seoul National University professor’s email account to access a South Korean SMTP server for Dooray CRM. 

Screenshot of Kimsuky’s malicious popup telling the user to login again due to a server communication error

According to Resilience, these accounts, sharing identical credentials and recovery emails, were exploited to target employees at Dongduk, Korea, and Yonsei Universities, among others. 

Attackers configured a SendMail server to distribute Naver-themed phishing emails using compromised Gmail and Daum accounts.

Malicious emails, such as those claiming Naver account deletion or email restrictions, direct victims to multiple phishing websites.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
