Two hackers using the handles Saber and cyb0rg claim to have breached North Korea’s Kimsuky espionage unit and leaked 8.9 GB of internal data, unveiling rare details on tools, targets, and stolen material tied to the state-backed group.
The cache surfaced around DEF CON 33 via Phrack magazine’s 72nd issue and is now mirrored by DDoSecrets, marking an unusually public exposure of a nation-state actor’s operational footprint.
Who leaked it and why
According to the leakers’ manifesto published with Phrack 72, the operation targeted a Kimsuky operator referred to as “KIM,” compromising a Linux workstation and a VPS used in spear-phishing, with the pair framing their action as an ethical stand against state-directed hacking.
Their statement condemned Kimsuky as serving regime goals over the craft of hacking, a message echoed in coverage noting the highly unusual decision to debut the leak at a major conference rather than in underground forums.
Did you know?
Kimsuky, also tracked as APT43 or Emerald Sleet, has long used spear-phishing with academic and policy lures to gather geopolitical intelligence, often spoofing think tank and media identities.
What’s inside the 8.9 GB dump
The archive includes phishing logs against South Korea’s Defense Counterintelligence Command and widespread targeting across spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com.
Investigators also flagged a compressed archive containing the full source code for South Korea’s Ministry of Foreign Affairs “Kebi” email platform (webmail, admin, archive), as well as live phishing kits and a PHP “Generator” for stealthy credential theft pages.
Tooling, traces, and infrastructure
Artifacts indicate Cobalt Strike loaders, reverse shells, proxy modules, and unidentified binaries, plus browser histories tied to suspicious GitHub accounts and VPN purchases made via Google Pay. Bash logs show SSH sessions to internal systems, enriching TTP and infrastructure mapping.
Some elements were previously documented, but the interlinking context “burns” infrastructure by exposing connections between tools and campaigns, enabling broader detections and takedowns.
How big is this for defenders?
The dataset offers a rare view of a state APT’s workflow, from source code theft to phishing orchestration, giving blue teams indicators and behavioral clues likely to disrupt active operations in the near term.
Early assessments caution that authenticity and full scope are still being validated, but immediate triage on named domains, kits, and loaders can raise defensive posture swiftly.
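As an added illustration of the "immediate triage on named domains" step, and not code from the article or from the leaked material, the script below flags DNS queries that imitate the services the article names as phishing targets (spo.go.kr, korea.kr, daum.net, kakao.com, naver.com). The log lines, the `.invalid` lookalike hostnames, and the tiny stand-in for the public suffix list are all constructed for this example.

```python
"""Triage DNS query logs for lookalike domains of known phishing targets.

Added example (not from the article or the leak). Flags hostnames that embed a
target domain or its brand label but do not resolve under the legitimate domain.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Legitimate services named in the article as targets of the leaked phishing kits.
TARGET_DOMAINS = ["spo.go.kr", "korea.kr", "daum.net", "kakao.com", "naver.com"]

# Assumption: a minimal stand-in for the public suffix list, enough for the
# Korean second-level suffixes that matter here. Use a real PSL in production.
MULTI_LABEL_SUFFIXES = {"go.kr", "co.kr", "or.kr", "ne.kr"}

# Constructed DNS query log (hypothetical clients and timestamps; the lookalike
# hostnames use the reserved .invalid TLD so they can never resolve).
SAMPLE_DNS_LOG = """\
2025-08-10T01:12:03Z 10.0.4.21 query A mail.naver.com
2025-08-10T01:13:44Z 10.0.4.21 query A naver-com-login.invalid
2025-08-10T02:01:09Z 10.0.7.5 query A accounts.kakao.com
2025-08-10T02:05:51Z 10.0.7.5 query A kakao.com.verify-account.invalid
2025-08-10T03:17:22Z 10.0.9.14 query A www.korea.kr
2025-08-10T03:18:01Z 10.0.9.14 query A korea-kr.invalid
2025-08-10T04:40:13Z 10.0.2.3 query A spo.go.kr.invalid
2025-08-10T05:00:00Z 10.0.2.3 query A daum.net
2025-08-10T05:02:17Z 10.0.2.3 query A login-naver.invalid
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    brand: str
    reason: str


def registrable_domain(fqdn: str) -> str:
    """Return the registrable part of a hostname (e.g. mail.naver.com -> naver.com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(qname: str) -> tuple[str, str] | None:
    """Return (brand, reason) when qname looks like a lookalike, else None."""
    if registrable_domain(qname) in TARGET_DOMAINS:
        return None  # genuinely under the legitimate domain
    normalized = qname.lower().replace("-", ".")  # naver-com-login -> naver.com.login
    tokens = set(re.split(r"[.\-_]", qname.lower()))
    for target in TARGET_DOMAINS:
        brand = target.split(".")[0]
        if target in normalized:
            return brand, "target domain embedded in hostname"
        if brand in tokens:
            return brand, "brand token in hostname"
    return None


def triage(log_text: str) -> list[Finding]:
    """Parse a DNS query log and return the queries that deserve analyst review."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = classify(m["qname"])
        if hit:
            findings.append(Finding(m["ts"], m["client"], m["qname"], *hit))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS_LOG):
        print(f"{f.ts} {f.client} {f.qname:40} brand={f.brand} ({f.reason})")
```

The output is a candidate list, not a verdict: the brand-token rule in particular will surface legitimate third-party hosts that mention a brand, so findings should feed a review queue or a higher-fidelity correlation (sender, URL path, certificate) rather than an automatic block.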
Operational habits and OPSEC clues
Patterns include regular workday connectivity aligned with Pyongyang business hours, traces of Chinese-language error handling, and visits to Taiwanese government and military sites, details that complicate attribution while enriching threat profiling.
The leaked materials reveal meticulous project organization and modular tools, suggesting a mature pipeline for credential theft, lateral movement, and staging across hosted infrastructure.
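The "workday connectivity aligning with Pyongyang business hours" observation is an instance of a standard profiling technique: convert operator activity timestamps into candidate local timezones and see which one puts the bulk of the activity inside a normal working week. The script below is an added example of that technique, not code from the article or the leak; the login timestamps are constructed, and it uses fixed UTC offsets (an assumption made so it needs no timezone database) rather than IANA zones with DST rules.

```python
"""Rank candidate timezones by how well activity fits a 09:00-18:00 working week.

Added example (not from the article or the leaked logs). Feed it the UTC
timestamps of operator logins and it reports which fixed offset best explains them.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed UTC login timestamps for a compromised host (hypothetical sample,
# not from the leaked bash or SSH logs). 2025-08-04 is a Monday.
SAMPLE_LOGIN_TIMES_UTC = [
    "2025-08-04T00:05:00Z", "2025-08-04T03:40:00Z", "2025-08-04T07:15:00Z",
    "2025-08-05T01:30:00Z", "2025-08-05T08:50:00Z",
    "2025-08-06T00:20:00Z", "2025-08-06T04:00:00Z",
    "2025-08-07T02:10:00Z", "2025-08-07T12:30:00Z",
    "2025-08-08T00:45:00Z", "2025-08-08T06:30:00Z",
    "2025-08-09T02:00:00Z",  # Saturday: outside any working week
]

# Assumption: fixed offsets so the example runs without tzdata. Pyongyang has
# used UTC+9 since 2018, the same offset as Seoul and Tokyo.
CANDIDATE_OFFSETS = {
    "UTC+9 (Pyongyang, Seoul, Tokyo)": 9,
    "UTC+8 (Beijing)": 8,
    "UTC+3 (Moscow)": 3,
    "UTC+0 (London, winter)": 0,
    "UTC-5 (New York, winter)": -5,
}

WORK_START, WORK_END = 9, 18  # local working window: 09:00 up to 17:59


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_hours(dt_local: datetime) -> bool:
    """True when a local timestamp falls on a weekday inside the working window."""
    return dt_local.weekday() < 5 and WORK_START <= dt_local.hour < WORK_END


def score_offsets(timestamps: list[str], offsets: dict[str, int]) -> list[tuple[str, float]]:
    """Fraction of events inside working hours for each candidate offset, best first."""
    events = [parse_utc(t) for t in timestamps]
    scores = []
    for name, hours in offsets.items():
        tz = timezone(timedelta(hours=hours))
        hits = sum(in_working_hours(e.astimezone(tz)) for e in events)
        scores.append((name, hits / len(events)))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def best_offset(timestamps: list[str], offsets: dict[str, int]) -> str:
    """Name of the candidate offset that explains the most activity."""
    return score_offsets(timestamps, offsets)[0][0]


def hour_histogram(timestamps: list[str], hours_offset: int) -> dict[int, int]:
    """Count events per local hour of day for one offset (for eyeballing clustering)."""
    tz = timezone(timedelta(hours=hours_offset))
    return dict(Counter(parse_utc(t).astimezone(tz).hour for t in timestamps))


if __name__ == "__main__":
    for name, frac in score_offsets(SAMPLE_LOGIN_TIMES_UTC, CANDIDATE_OFFSETS):
        print(f"{frac:5.1%}  {name}")
    print("local-hour histogram at UTC+9:", hour_histogram(SAMPLE_LOGIN_TIMES_UTC, 9))
```

Because UTC+9 is shared by Seoul and Tokyo, this kind of scoring narrows the working region rather than naming a country, which is why the article pairs it with other clues such as language traces and browsing targets before drawing attribution conclusions.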
Impact and what comes next
While experts doubt a permanent setback for Kimsuky, the exposure likely forces a rebuild of parts of its infrastructure, phishing kits, and operational playbooks, buying defenders time to deploy detections and blocks.
Expect quick changes in domains, malware loaders, and delivery systems as the group adjusts, with more community analysis of the information helping to improve detection methods, YARA rules, and threat intelligence sharing in the coming weeks.