Detailed Analysis of Phrack’s APT Down: The North Korea Files
2025.08.22

✅ Report Title: Detailed analysis of Phrack's APT Down: The North Korea Files



✅ Report Summary:


S2W Threat Intelligence Center (TALON) obtained and analyzed data released alongside the article APT Down: The North Korea Files published in Phrack Magazine, distributed at DEFCON in August 2025.


- Phrack Magazine: First launched in 1985 in the United States, Phrack is the world’s oldest and most renowned hacking e-zine, widely recognized for its influence in the global hacker and security research communities.



📌 Findings from Leaked File Analysis


Detailed examination of the leaked data revealed extensive information related to cyber operations targeting the Korean government and domestic corporations.


(Government)

- Multiple project source code files related to a webmail solution were discovered, along with configuration files and source code suspected to be used by the Ministry of Foreign Affairs.


- Documents, source code, and certificate files related to the Government Public Key Infrastructure (GPKI) were identified.


- Source code and log records associated with the government cloud-based administrative management system login were confirmed.


- Log files suggesting the distribution of phishing emails targeting government entities were identified.


(Telecom)

- Internal account information and certificates related to domestic telecommunications providers were discovered.


(All)

- Source code containing Anti-Virus IP Blacklist entries within a config.php file was found, including specific IP ranges.


- Phishing tools and campaigns targeting the domains of major domestic companies were confirmed.



📌 Attribution Findings


TALON’s analysis concluded that the actor referred to in the article as “KIM” is unlikely to be directly associated with the North Korea-linked threat group Kimsuky. TALON has designated this threat actor as UNSI-018 and continues to track its activities.


(Infrastructure Patterns)

- Some overlap was observed between the phishing infrastructure (domains and IPs) used by “KIM” and those previously attributed to Kimsuky. However, the timing and structural composition of the infrastructure were assessed as inconsistent with Kimsuky’s known operations.


- The actor was found to have built phishing infrastructure using Apache configuration files from the publicly available evilgophish open-source project. To date, no evidence indicates that Kimsuky has adopted this toolset.


- The phishing campaigns employed beacon images embedded in emails to track message openings, a technique historically observed in Kimsuky operations.
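The beacon-image technique above is easy to check for on the receiving side. The following is an added example written for this summary (it is not code from the S2W report or from the leaked dataset): it scans an HTML email body with the Python standard library and flags remote images that look like open-tracking beacons, i.e. tiny or CSS-hidden images fetched from an external host, especially when the URL carries a per-recipient query string. The sample email body and all host names in it are constructed for the example.

```python
"""Flag probable open-tracking beacon images in an HTML email body.

Added defender-side example, not part of the original report. Uses only the
Python standard library; the sample HTML and host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Declared width/height at or below this many pixels counts as "invisible".
MAX_BEACON_DIM = 2


def _px(value):
    """Parse '1', '1px' or '1.0' into an int; return None if not numeric."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    try:
        return int(float(value))
    except ValueError:
        return None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag as a dict."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

    # <img ... /> self-closing form is reported through this hook
    handle_startendtag = handle_starttag


def find_beacon_images(html, sender_domain=None):
    """Return a list of (src, reasons) for images that look like open beacons.

    An image is flagged when it is fetched over http(s) AND at least one of:
      - declared width and height are both tiny (classic 1x1 pixel),
      - it is hidden via inline CSS,
      - its URL carries a query string (typical per-recipient identifier).
    When sender_domain is given, a host outside that domain is noted as an
    extra reason but does not trigger a finding on its own (CDN images are
    common in legitimate mail).
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid:/data: images cannot report an open to a server
        reasons = []
        w, h = _px(img.get("width")), _px(img.get("height"))
        if w is not None and h is not None and w <= MAX_BEACON_DIM and h <= MAX_BEACON_DIM:
            reasons.append("tiny dimensions")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by css")
        if parts.query:
            reasons.append("query string (likely recipient identifier)")
        if not reasons:
            continue
        host = (parts.hostname or "").lower()
        if sender_domain and not host.endswith(sender_domain.lower()):
            reasons.append("host outside sender domain: " + host)
        findings.append((src, reasons))
    return findings


# Constructed sample: one normal logo, one tracking pixel, one inline image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the attached document.</p>
<img src="https://mail.example-sender.test/logo.png" width="120" height="40">
<img src="https://stats.unrelated-host.test/open.gif?id=u8f2k1" width="1" height="1">
<img src="cid:inline-signature">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_beacon_images(SAMPLE_EMAIL_HTML, "example-sender.test"):
        print(src, "->", "; ".join(reasons))
```

In a mail gateway or triage script the same function can be run over the `text/html` part of each message; a hit is a useful enrichment signal (the message was built to confirm delivery and opening) rather than a verdict on its own, and blocking remote image loads by default in the mail client removes the signal the beacon depends on.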


(GPKI Exfiltration)

- While the Troll Stealer malware, used by Kimsuky, includes GPKI keys among its exfiltration targets, TALON assessed that there is insufficient evidence to conclude the leaked GPKI data was exfiltrated using this malware.


(Environment Analysis)

Examination of the leaked dataset suggests the actor operated in a Chinese-language environment.

- The actor made extensive use of Chinese platforms such as Baidu (search engine), CSDN and Freebuf (cybersecurity blogs), AcFun and Bilibili (video streaming platforms) without translation, while relying on Google Translate to convert non-Chinese languages into Simplified Chinese.


- The use of Baidu Cloud was confirmed. This service requires verified identity documents such as a Chinese national ID or passport, suggesting access to an authenticated Chinese account.


- Source code comments and personal documents within the dataset were also authored in Chinese.




🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

