Recently, the North Korean hacking group Kimsuky suffered a breach resulting in the leak of 8.9 GB of data, stolen from a workstation and a phishing VPS server used by the group. Both systems contained a substantial volume of sensitive information.
The attack was carried out by self-identified white-hat hackers Saber and cyb0rg, who claimed their actions were driven by ethical motives. They condemned Kimsuky for launching cyberattacks for entirely unjustifiable reasons—motivated by greed, arrogance, and moral bankruptcy.
The leaked cache includes parts of Kimsuky’s backend infrastructure, revealing tools, stolen data, and resources used to conduct attacks. This trove may provide insights into previously undocumented operations.
Currently hosted on a distributed “secrets-free” platform, the leaked 8.9 GB dataset contains:
- Phishing logs from multiple Republic of Korea Defense Intelligence Command (DCC) email accounts
- Target information from various South Korean government agencies and companies, including Kakao and Daum.net
- A compressed archive that appears to be the full source code for the South Korean Ministry of Foreign Affairs’ email platform
- Partial records of South Korean citizens’ identification documents and lists of university professors
- A PHP generator toolkit for creating phishing sites capable of evading detection and employing redirection techniques
- A real-time phishing toolkit
- Numerous binary documents and executables not flagged on VirusTotal
- Cobalt Strike loaders, reverse shells, and Onnara proxy modules discovered in VMware cache
- Bash history logs from SSH connections into internal systems
- Segments of Chrome browsing history and suspicious GitHub accounts (e.g., wwh1004.github.io)
- Records of VPN purchases via Google Play, along with activity on certain hacking forums
These dumps originated from the aforementioned workstation and VPS server. It is believed the VPS will be destroyed following the exposure. Analysis of the data is expected to uncover attack campaigns never before documented.
However, experts note the leak will likely have minimal long-term impact on Kimsuky. The group can swiftly migrate its operations to new servers, rebuild phishing infrastructure, and resume its activities without significant disruption.