Phrack magazine is a legendary publication launched in November 1985 by the hacking community featuring technical writeups and tales of hacker lore. On Aug. 8, 2025, at the DEF CON hacking convention, Phrack released a hardcopy version of its 72nd issue that marked the publication’s 40th anniversary. The physical and online release included a lengthy examination of an extensive leak of malware, credentials, hacking tools and configurations in an article titled “APT Down - The North Korea Files.”
A screenshot of Phrack edition #72, which features an examination of an advanced persistent threat’s (APT’s) workstation.
The authors of the article, identified as Saber and cyb0rg, reportedly gained unauthorized access to a threat actor’s virtual workstation and virtual private server (VPS). They alleged the workstation likely belongs to someone affiliated with the nation-state group Kimsuky, also referred to as Emerald Sleet. While it is unknown when the authors gained initial access to KIM’s infrastructure, they exfiltrated about 9 GB of information on or about June 10, 2025. Links to the data were posted publicly on a Tor site, on a Proton drive account and on Distributed Denial of Secrets aka DDoSecrets, a nonprofit organization that publishes hacked leaks and documents. In this post, we will review indicators in the data leak for evidence of the actor’s affiliation with nation-state groups and provide a view on attribution. This blog is an excerpt from a longer Intelligence Bulletin that includes indicators of compromise (IoCs) from Intel 471’s Cyber Geopolitical Risk service. For more information and this complete bulletin, please contact us.
The stolen data is a comprehensive cache, including nearly 20,000 entries in Chrome and Brave browser histories, a manual on how to operate one of KIM’s backdoors and login credentials for various tools. Other files include:
- A list of targeted domains.
- Phishing logs from past campaigns, including some against South Korea’s Defense Counterintelligence Command and Supreme Prosecutor Office.
- The complete source code of South Korea’s Ministry of Foreign Affairs’ email platform Kebi.
- Binary archives and executables not yet flagged in the VirusTotal cybersecurity platform.
- Chrome history and configurations linked to suspicious GitHub accounts, virtual private network (VPN) purchases via Google Pay and use of Chinese-language forums freebuf and xaker.
- Google Translate logs of attempts to translate error messages and Taiwanese government and military websites to the Chinese language.
The authors wrote that they informed South Korean victims before the article was released in order for them to rotate their credentials. They further wrote: “We have not informed KIM: The credentials to his VPS and domain registrar are still valid (as of this morning). Good luck.”
The authors differentiated their hacking from that of a suspected APT group in the Phrack article, including a mocking illustration of North Korean leader Kim Jong Un.
The authors refer to the group as KIM, which they contend is affiliated with Emerald Sleet aka Kimsuky — a cyber espionage group that primarily targets Japan and South Korea and is known for sophisticated spear-phishing campaigns with a high rate of compromise.
The authors claim their “ethical” motivation behind the attack was KIM “hacking for all the wrong reasons,” being “driven by financial greed” and desiring to “fulfill [Pyongyang’s] political agenda.” This hacktivist-style statement illustrates the strong motivations and bias on the part of Saber and cyb0rg. However, the data leak contains several clues that would arguably point to a Chinese actor or group being responsible rather than Kimsuky. Muddling this picture is the close relationship between China and North Korea and the geographical stationing of North Korean threat actors within China.
The Phrack article claimed KIM works “strict office hours” and always connects around 9 a.m. and disconnects by 5 p.m. Pyongyang time (GMT+9). However, there are several variables that could contest this indicator as solid evidence for attribution to a North Korean state-sponsored threat group. For instance, North Korea’s time zone is only one hour ahead of China’s, so these working hours still are realistic for a Chinese threat actor.
Additionally, attackers affiliated with Chinese APT groups operate as typical employees that keep regular hours, while North Korean state-linked cyber threat groups are known to work extremely long hours to meet state-defined quotas. The Diamond Sleet aka Lazarus Group reportedly worked nearly 24 hours a day to convert US $1.5 billion in digital tokens into usable currency for North Korea’s military development, the BBC reported. The state-linked information technology (IT) worker scheme also has employees working more than 10 hours a day and often overnight.
The actor KIM also appears to observe Chinese public holidays, including the Dragon Boat Festival in late May or early June. These same days are not public holidays observed in North Korea, meaning KIM should have been online if the actor is North Korean and follows typical working hours. We should caution that it is important to be circumspect when drawing conclusions from working hours, as threat actor working patterns could be intentionally aligned to create a different impression.
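An added example (not code from the Phrack article or from Intel 471) of the working-hours reasoning above: it shifts constructed UTC session timestamps into the two candidate zones and shows that a 9-to-5 pattern fits both offsets equally, while an absence on a weekday that is a holiday in only one calendar is the discriminating signal. The timestamps and the holiday calendar (the 2025 Dragon Boat break taken as 31 May to 2 June) are assumptions, not data from the leak.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample of session-start timestamps in UTC, in the shape a VPS
# auth log or browser-history export might give (not data from the leak).
SESSIONS_UTC = [
    "2025-05-26T00:02:00Z", "2025-05-26T07:55:00Z",
    "2025-05-27T00:10:00Z", "2025-05-27T07:40:00Z",
    "2025-05-28T00:05:00Z", "2025-05-28T08:01:00Z",
    "2025-05-29T00:15:00Z", "2025-05-29T07:58:00Z",
    "2025-05-30T00:00:00Z", "2025-05-30T07:45:00Z",
    # Monday 2025-06-02 has no sessions at all
    "2025-06-03T00:07:00Z", "2025-06-03T07:50:00Z",
    "2025-06-04T00:03:00Z", "2025-06-04T08:05:00Z",
]

# Candidate zones as fixed UTC offsets (neither observes DST).
ZONES = {"China (UTC+8)": 8, "North Korea (UTC+9)": 9}
# Assumed holiday calendars: the 2025 Dragon Boat break in China is taken
# here as 31 May to 2 June; North Korea observes none of those days.
HOLIDAYS = {"China (UTC+8)": {date(2025, 5, 31), date(2025, 6, 1), date(2025, 6, 2)},
            "North Korea (UTC+9)": set()}

def to_local(ts_utc: str, offset_hours: int) -> datetime:
    """Parse an ISO-8601 UTC stamp and shift it into the candidate zone."""
    t = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.astimezone(timezone(timedelta(hours=offset_hours)))

def office_hour_fit(sessions, offset_hours, start=8, end=18) -> float:
    """Share of sessions whose local hour falls inside a plausible office day."""
    local = [to_local(s, offset_hours).hour for s in sessions]
    return sum(start <= h < end for h in local) / len(local)

def unexplained_absences(sessions, zone) -> list:
    """Weekdays in the observed span with no activity that the zone's holiday
    calendar does NOT explain; fewer means the calendar fits better."""
    days = {to_local(s, ZONES[zone]).date() for s in sessions}
    d, last, gaps = min(days), max(days), []
    while d <= last:
        if d.weekday() < 5 and d not in days and d not in HOLIDAYS[zone]:
            gaps.append(d)
        d += timedelta(days=1)
    return gaps

def rank_zones(sessions) -> dict:
    return {z: {"office_fit": office_hour_fit(sessions, off),
                "unexplained_gaps": unexplained_absences(sessions, z)}
            for z, off in ZONES.items()}

if __name__ == "__main__":
    for zone, r in rank_zones(SESSIONS_UTC).items():
        print(f"{zone}: office-hour fit {r['office_fit']:.0%}, "
              f"unexplained weekday gaps {[str(d) for d in r['unexplained_gaps']]}")
```

Both zones score a 100% office-hour fit, which is exactly why the article's 9-to-5 observation alone cannot separate the two hypotheses; only the holiday gap does, and as the text notes, an actor can shape that signal deliberately.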
The actor seemingly is a native Chinese speaker with only a rudimentary command of the Korean language. This is evidenced by KIM’s use of Google Translate to translate websites, error messages and documents to Simplified Chinese. Most of the actor’s web searches also were in Simplified Chinese.
Because the evidence comes from a compromise of KIM’s own virtual workstation and VPS, rather than from artifacts revealed during an attack against another entity, the actor likely was not attempting to confuse investigators by masquerading as another perpetrator. Additionally, KIM frequently used the Chinese search engine Baidu. About 96% of the service’s users are based in China.
The article stated KIM attacked the same targets previously impacted in attacks attributed to Kimsuky, including the South Korean Ministry of Unification (MOU). It also was uncovered that the actor used cracked passwords from South Korea’s Government Public Key Infrastructure (GPKI) — an electronic signature framework for government personnel — and conducted brute-force attacks against the ministry’s domain. Thousands of GPKI files were found on KIM’s workstation, with a custom Java program designed to crack the passwords protecting these certificates.
The MOU was established in March 1969 and has been dedicated to helping settle North Korea defectors, managing contact between North and South Korea and planning policies and strategy around reunification. The ministry has reportedly been targeted by North Korean hackers repeatedly. North Korea would have a high interest in understanding South Korea’s contingencies for reunification, particularly if the possibility arose following a military conflict. Likewise, China has a significant interest in inter-Korean affairs.
U.S. military personnel have been stationed in South Korea as part of a United Nations (U.N.) Command in place since the Korean War was halted by an armistice agreement in July 1953. To this day, a peace treaty has not been secured. The two Koreas remain separated by a heavily secured and mined Demilitarized Zone, which lies just 30 miles north of Seoul, South Korea’s capital. As a deterrent to aggression, South Korea hosts about 28,500 U.S. military personnel while North Korea has developed nuclear weapons and long-range missiles. If the Koreas were to draw closer to reunification, China would be concerned whether U.S. troops would remain in a unified Korea, again making this ministry of interest to its cyber spies.
The Joint Security Area (JSA) in Panmunjom at the border between North and South Korea. The official border, the Military Demarcation Line, bisects three blue U.N. conference buildings. (Photo: Henrik Ishihara Globaljuggler via Wikipedia CC BY-SA 3.0)
The actor KIM also conducted reconnaissance activities against Taiwanese entities. Several education, government and military websites appeared in leaked Chrome browser history. One of the websites the actor frequented was accessibility-moda-gov-tw, which is associated with Taiwan’s Ministry of Digital Affairs and provides information and resources related to web and digital accessibility. The actor also used Google Translate to translate the website from Taiwanese to Simplified Chinese.
From a geopolitical perspective, North Korea has limited direct strategic interest in Taiwan except vis-a-vis China. There have been limited, unofficial and largely insignificant exchanges between North Korea and Taiwan in the past few decades. From an economic perspective, Taiwan ended nearly all economic and trade relations with North Korea in September 2017. It mostly has remained committed to following U.N. sanctions on the totalitarian regime, despite Taiwan not being a member of the international organization. Based on North Korea’s geopolitical maneuvers and our observations of the regime’s state-backed cyber activity in the past 12 months, it likely would not be interested in targeting Taiwan. This increases the credibility of the hypothesis that KIM is a threat actor with a China rather than North Korea nexus.
The authors alleged based on some of the leaked data that KIM may be linked to a hacking campaign documented by AhnLab in November 2023. AhnLab followed the campaign for 17 months, which involved phishing emails and malware distribution directed at journalists, researchers and other people involved in North Korea politics, diplomacy and security. AhnLab determined it was executed by Kimsuky aka Emerald Sleet and called the campaign Operation Covert Stalker.
The web server configuration for a domain associated with Operation Covert Stalker was found on KIM’s system, leading Saber and cyb0rg to believe KIM was involved in the operation. However, APT groups are known to resurrect or repurpose historical IoCs, including artifacts such as domains. Threat actors may choose to reuse inactive IoCs for fresh campaigns, for example, when these domains become available for re-registration. In these cases, it is possible previously compromised machines still harbor the associated malware and attempt to communicate with the reactivated domain. This enables attackers to exploit existing infrastructure and compromised machines to gain control, establish command-and-control (C2) or distribute additional malware. However, in the instance of KIM, it is unknown if the actor is linked to Operation Covert Stalker directly, attempting to reuse Emerald Sleet artifacts or is part of the APT group.
Also found on the workstation was an exploit for CVE-2025-0282, which is a stack-based buffer overflow in Ivanti’s Connect Secure VPN product. The flaw allows a remote unauthenticated attacker to achieve remote code execution (RCE). Ivanti disclosed this flaw in January 2025. The exploit also contained code for installing a backdoor if the exploitation was successful, allowing a threat actor to maintain persistence even if the system was later patched. The backdoor supports several commands such as uploading files; leaking memory contents; and directly running shell commands, Python code and Perl code, and it includes anti-forensics measures such as blocking syslog and scrubbing local logs to reduce evidence.
Cybersecurity researchers at Mandiant identified zero-day exploitation of the flaw in the wild beginning in mid-December 2024 and since have attributed the activity to the Chinese espionage group UNC5221. The authors Saber and cyb0rg wrote the exploit as discovered in the data leak (exp1_admin.py) “uses the same iptable commands that Mandiant discovered in the wild.” They also noted the documentation that came with the exploit said “contact us if the exploit fails,” indicating a degree of code sharing. It could mean that two groups collaborate ad hoc or one group provides hacking tools to another, perhaps for a fee or in exchange for reciprocal help.
The leaked files from KIM’s systems do not unequivocally point to the actor being Chinese or North Korean. We observed the actor clearly is a native Chinese speaker, as evidenced by KIM’s browsing habits and use of Google Translate. There are roughly even odds the actor is based in China but aligns to North Korea-based parties' working hours or is working on systems set to North Korea’s time zone.
We can extrapolate that KIM almost certainly serves state interests. The actor could be an independent contractor serving both China and North Korea. However, the likelihood these interests are Chinese rather than North Korean is slightly higher. The actor likely is in contact with other threat actors that have a China nexus, which would explain how KIM was able to obtain UNC5221’s exploit, among other things. It is more probable KIM's operations also happened to align with North Korea’s strategic goals, such as gaining valuable insider information from East Asian militaries and governments. It also can be concluded that the actor likely has a moderate level of interaction with Emerald Sleet, either by way of an informal exchange of information or as a contractor.
The overlapping elements of KIM’s activity can be explained further by reviewing the cyber relationship between China and North Korea. North Korean universities such as Kim Il Sung University and Kim Chaek University of Technology have leveraged relationships with their Chinese counterparts to advance the country’s offensive cyber capabilities. Several northeastern Chinese cities are major hubs where North Korean hackers operate in proximity to the North Korean border. Office 414 — one of three offices within Lab 110, the “key cyber unit” under the regime’s Reconnaissance General Bureau (RGB) — is believed to be located in Shenyang, China. This multilayer collaboration could explain the presence of both Chinese and North Korean indicators in multiple recent cyber incidents. Between the two countries, China is superior in terms of offensive cyber capabilities and resources, so North Korean APT actors and groups likely have attempted to copy Chinese threat groups’ operational cadence — more to maximize efficiency than masquerade their activity.
Within the geopolitical context, North Korea eagerly has leaned toward China for years to counter harsh global sanctions. In response, Beijing supports the regime’s growth through discreet technological exchanges and trade while taking care to at least maintain a facade of being in observance of international norms. Therefore, it is probable there is some degree of knowledge sharing between Chinese and North Korean state-affiliated cyber actors, even though actual joint collaboration on a campaign or cyberattack is unheard of and will remain highly unlikely.