Kimsuky Hacked: Hackers Leak 8.9GB of Stolen Data and Tools from North Korean Group
The North Korean cyber-espionage group Kimsuky has unexpectedly found itself in the role of victim after two hackers — identifying themselves as the “antithesis of Kimsuky’s values” — infiltrated its infrastructure and released stolen materials into the public domain. Operating under the aliases Saber and cyb0rg, the attackers claim their actions were motivated by ethics, accusing Kimsuky of “hacking not for the art, but for political objectives and the enrichment of its leadership,” acting under the direction of the regime rather than as independent researchers. Their statement to Kimsuky appeared in the latest, 72nd issue of Phrack magazine, distributed at DEF CON 33, with an online edition promised in the coming days.
The primary outcome of this breach is the publication of part of Kimsuky’s “backend” on the Distributed Denial of Secrets (DDoSecrets) platform. The 8.9 GB archive exposes both the group’s tools and stolen data, allowing disparate incidents to be linked into a coherent narrative and effectively “burning” segments of its infrastructure and tradecraft. Among the contents are phishing logs involving numerous email accounts under the domain dcc.mil.kr, belonging to South Korea’s Defense Counterintelligence Command, along with other targeted or incidental domains such as spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com.
Of particular note is a .7z archive containing the complete source code of the South Korean Ministry of Foreign Affairs’ email platform, Kebi, including modules for webmail, administration, and archiving. The trove also features references to civilian certificates and curated lists of university faculty. Another discovery is a PHP-based toolkit dubbed Generator for building phishing websites, designed to evade detection and enable advanced redirection schemes, accompanied by fully operational phishing kits ready for deployment.
There is also a collection of binaries with unclear purposes, including archives voS9AyMZ.tar.gz and Black.x64.tar.gz, as well as executables payload.bin, payload_test.bin, and s.x64.bin. According to the leak’s authors, none of these samples were listed on VirusTotal at the time of release. In addition, Cobalt Strike loaders, reverse shells, and Onnara proxy modules were found within VMware drag-and-drop caches — a clue to the working environment and file transfer methods used by the operators.
Browser artefacts are equally revealing: Chrome histories and configurations show interactions with suspicious GitHub accounts (e.g., wwh1004.github.io), VPN purchases (PureVPN and ZoogVPN) via Google Pay, and regular visits to hacking forums such as freebuf.com and xaker.ru. Some entries confirm the use of Google Translate to interpret Chinese error reports, as well as visits to Taiwanese government and military websites. Bash history logs display SSH connections to internal systems, further illustrating the operators’ daily workflows.
While some of these elements have appeared in prior research reports, this new leak is significant for unifying tools, targets, environmental artefacts, and turnkey phishing kits within a single dataset, greatly aiding attribution and the analysis of previously unknown campaigns. BleepingComputer has contacted independent researchers to verify the authenticity and value of the materials, with updates to follow.
Analysts consulted by the outlet suggest the breach is unlikely to radically alter Kimsuky’s long-term trajectory, but in the short term it will almost certainly disrupt active chains, force infrastructure migrations, and derail ongoing operations. Kimsuky — also tracked as Storm-0978 and Tropical Scorpius — is a state-backed North Korean cyber-espionage unit known for exploiting zero-days, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).
If the leak is confirmed in its entirety, researchers will gain a rare window into Kimsuky’s internal workings — from the development of phishing toolkits to the operational habits of its operators, preserved in logs and workstation caches.
