North Korean APT group Kimsuky is adopting new TTPs and has split into two smaller subgroups: CloudDragon and KimDragon. The group often employs social engineering, spear-phishing, and watering hole attacks to collect information from targets primarily located in South Korea, Japan, and the US. Both subgroups attack government agencies and educational targets such as universities and research centers.
CloudDragon relies on malware including TroiBomb, RoastMe, JamBog (AppleSeed), BabyShark, and DongMulRAT (WildCommand). KimDragon uses malware variants: Lovexxx (GoldDragon variant), JinhoSpy (NavRAT variant), BoboStealer (FlowerPower), and MireScript.
CloudDragon had a broader geographical footprint, branching out to attack Japan and several European Union countries, while KimDragon had only expanded to India. CloudDragon also had a broader scope of industry targets, which included financial institutions, energy companies, high-tech businesses, and aerospace and defense industries.
CloudDragon launched a supply chain attack against a firm in the Korean cryptocurrency industry. The attackers went after a hardware wallet vendor; such devices are built for security, but they still need companion software to interact with the blockchain over the Internet. The attackers created a malicious version of the vendor's management software and deployed it on the official website, targeting Windows users.
CloudDragon also targets mobile devices. The group deployed a malicious app to Google Play; if a victim launches the app and has auto-update enabled, the malware is downloaded without notice and uploads the user's data to a C2 server belonging to the attackers.
The researchers also observed CloudDragon adopting a new phishing technique in which the attackers automatically populate phishing websites with content from the legitimate website they are mimicking. When a victim opens a malicious link, the phishing site simultaneously sends a request to the real website, fetches the content, modifies it so that it is malicious, and displays the result on the phishing site.