Kimsuky Strikes Again – Coordinated Attacks Target Facebook, Email, and Telegram
gbhackers
A recent investigation by Genians Security Center (GSC) has uncovered a highly sophisticated, multi-channel cyber espionage campaign attributed to the North Korea-aligned advanced persistent threat (APT) group known as Kimsuky.
Between March and April 2025, the group leveraged Facebook, email, and Telegram to infiltrate targets, primarily in the defense sector, among North Korea-related activists, and at cryptocurrency exchanges.
The campaign, codenamed ‘AppleSeed,’ is notable for its use of Korea-specific compressed file formats, encoded malicious scripts, and persistent multi-stage infection chains.
Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, has been active since at least 2013, focusing on government entities in South Korea while also targeting organizations in the U.S. and Japan.
The group’s latest operations employ a blend of social engineering and technical subterfuge, distributing the AppleSeed backdoor—a modular malware capable of remote command execution, data exfiltration, and additional payload delivery.
Triple ...