Phrack publishes article on breaching a North Korean hacker’s systems

📟 News

Date: 14/08/2025

Hackers going by the handles Saber and cyb0rg published an article in the latest issue of Phrack (the legendary e-zine that has been published since 1985). The anniversary issue marking Phrack’s 40th year was distributed at the DEF CON conference. In the piece, they described compromising a member of the North Korean espionage hacking group Kimsuky (aka APT43 and Thallium).

The authors of the article claim they were able to compromise a workstation with a virtual machine and a VPS belonging to a North Korean hacker they refer to as “Kim.” This gave them access to nearly 20,000 records along with the attacker’s Chrome and Brave browser histories, and allowed them to steal operational manuals for malware, passwords and email addresses, as well as credentials for various tools.

The hackers handed over all the stolen data to representatives of the activist group DDoSecrets (Distributed Denial of Secrets), who present themselves as “transparency advocates” and index and store data leaks in the public interest.

Kimsuky is a well-known APT group believed to be linked to the North Korean government. It most often targets journalists, activists, and government agencies in South Korea and other countries, as well as other targets that may be of interest to the DPRK’s intelligence apparatus. Like many other North Korean hacking groups, Kimsuky also conducts other operations, namely stealing and laundering cryptocurrency.

The hackers claim that compromising a member of the group is a virtually unprecedented opportunity to see Kimsuky’s operations from the inside.

“This shows how openly Kimsuky collaborates with Chinese [government hackers] and shares its tools and techniques,” the authors write.

It is worth noting that what Saber and cyb0rg did is technically a crime, although they are unlikely to ever be prosecuted for this breach. At the same time, the hackers themselves believe that members of Kimsuky deserve to be exposed and shamed.

“Kimsuky, you are not hackers. You are driven by greed, by a desire to enrich your leaders and advance their political agenda. You steal from others and give to your own. You put yourselves above others. You are morally corrupt,” the article in Phrack says. “You engage in hacking for all the wrong reasons.”

In the publication, Saber and cyb0rg claim that in the compromised systems they found evidence of the Kimsuky group breaching several South Korean government networks and companies, as well as email addresses and hacking tools used by the group, internal manuals, passwords, and other data.

“Some of these tools are probably already familiar to the community: you’ve seen their scans and detected artifacts and implants on the server side,” write Saber and cyb0rg. “Now you’ll also see the client side, documentation, passwords, source code, and command files.”

The authors of the article said they were able to identify “Kim” as a North Korean hacker based on various “artifacts and clues,” including file configurations and domains that had previously been linked to Kimsuky operations.

As Trend Micro specialists who analyzed the leak have already noted, this will likely help cybersecurity companies better understand the capabilities and goals of “government” hackers.

“The disclosed information is very important for understanding the activities of government-linked threat actors. It adds new pieces to the puzzle of Chinese cyber operations and sheds light on the depth of the attackers’ operations, as well as their day-to-day activities and areas of interest,” the experts say.

However, Trend Micro noted that the evidence suggests the hacked hacker is not necessarily linked to North Korea. For example, he apparently speaks Chinese rather than Korean. His browser history, bookmarks, and the list of websites he visited also point more toward ties with China.

Additionally, the attacker had a number of tools (for example, client-side exploit code for the Ivanti backdoor) that are widely used by Chinese APT groups, such as UNC5221.

“The attacker is likely linked to China and operates against relevant targets—Taiwan, Japan, and South Korea. However, they are aware of Kimsuky and may be collaborating with them, or trying to imitate their behavior to confuse defenders,” the experts suggest.
