
Data Dump From APT Actor Yields Clues to Attacker Capabilities - Dark Reading





Threat Intelligence

The tranche of information includes data on recent campaigns, attack tools, compromised credentials, and command files used by a threat actor believed to be acting on behalf of China or North Korea.

Robert Lemos, Contributing Writer
August 8, 2025
5 Min Read

Source: Zbitnev via Shutterstock

In what may be the biggest breach of a cyberthreat actor since last year's leak of documents from Chinese firm iSoon, a pair of hackers with unknown motives compromised and stole data from a nation-state operator who appears to work for China and, possibly, North Korea.

In an analysis published in the latest issue of Phrack magazine, handed out at the DEF CON conference in Las Vegas, the hackers — identified only as Saber and cyb0rg — claimed to have stolen data from both a virtual workstation and a virtual private server (VPS) used by the advanced persistent threat (APT) operator. The authors dubbed the APT actor "KIM," arguing that the evidence points to the operator being part of the North Korean-sponsored group Kimsuky. The article, part of the magazine's 40th anniversary edition, is accompanied by two data dumps online. Links to additional download sites will be published on Phrack's site next week, the editors said.

The first data dump consists of logs from attacks targeting the South Korean government and Defense Counterintelligence Command, taken from the VPS used in those campaigns, while the second includes attack tools, internal documentation, and credentials from the workstation.

"Some of these tools may already be known to the community: You have seen their scans and found their server side artifacts and implants," Saber and cyb0rg wrote in Phrack. "Now you shall also see their clients, documentation, passwords, source code, and command files."

Dark Reading confirmed the likely authenticity of the files with multiple threat intelligence and cybersecurity experts.

The files and data will likely expand threat researchers' understanding of China's cyber operations and espionage capabilities, adding to details uncovered by a significant leak from Chinese firm iSoon in February 2024. More than 500 documents were released in that leak, revealing that the cybersecurity training firm had used its capabilities to hack pro-democracy organizations in Hong Kong, government agencies in Vietnam, and members of ethnic minorities, such as the Uyghurs.

This latest release will likely improve threat intelligence firms' understanding of nation-state actors' capabilities, says Fyodor Yarochkin, a principal security researcher at cybersecurity firm Trend Micro, who reviewed the downloads.

"This data disclosure is very important from the point of understanding state-aligned threat actor operations," he says. "They add additional bits to the puzzle of China cyber operations and shed some light on the depth of their operations — such as the number of targets a single actor has compromised — their day-to-day ops, and scope of their interest."

Attack Data, Tools Revealed

The hackers behind the analysis claimed they had compromised a virtual Linux workstation hosted on Windows, including nearly 20,000 entries in the actor's Chrome and Brave browser histories; a manual on how to operate a backdoor, passwords, and email addresses; and credentials for different tools.

They also claimed to have files from the threat operator's VPS, including attack data and logs from various phishing campaigns, such as the ones on South Korea's Defense Counterintelligence Command and the Supreme Prosecutor Office. Among the files Phrack published online are the TomCat remote kernel backdoor, a private Cobalt Strike beacon, and an Ivanti Control backdoor dubbed RootRot. The files also include the group's Android Toybox modifications and use of exploits like Bushfire.

[Figure] The analysis of data stolen from an APT actor's workstation and server mocks North Korea, but the actor is more likely to be Chinese, researchers say. Source: Phrack #72

The tranche of data reveals the threat actors' tactics, techniques, and procedures (TTPs), uncovers the command-and-control (C2) infrastructure, and sheds light on their targeting, says Charles Li, chief analyst of TeamT5, a Taiwan-based cyber threat intelligence (CTI) company, who reviewed screenshots of some of the compromised files.

Using the data, security firms could improve their ability to detect attacks from APT groups, he says.

"This is an impressive work," Li says. "As a CTI researcher, we would like to do more to pivot and find more information about the hacker, including the link to their historical operations or even who they are or which organization they belong to."

Kimsuky or Not?

The files in the data dump, however, do not fully support the conclusion that the actor is part of the Kimsuky APT group. Some clues support the claim, such as the fact that the phishing kit included in the stolen files is the same as the one used by Kimsuky, says Trend Micro's Yarochkin. The operator's infrastructure used a domain name that is just one letter different from one used by Kimsuky in the past. Also, another domain, which pointed to an IP address, was attributed to the Kimsuky group in 2022.

Other clues, however, suggest that the threat actor is not North Korean, such as the fact that the operator appears to speak Chinese and not Korean. The operator's browsing history, bookmarks, and list of visited websites suggest a Chinese actor, Yarochkin says. In addition, the threat actor possesses a number of tools — such as the Ivanti exploit backdoor client code — widely used by Chinese APT groups, such as UNC5221.

"The threat actor is likely Chinese, works on China-state aligned targets — Taiwan, Japan, South Korea — but is aware of Kimsuky and either possibly collaborates with them or tries to mimic their behavior to confuse threat hunters," Yarochkin says.

Based on years of experience tracking both Chinese and North Korean threat actors, TeamT5 also does not believe the compromised operator is a member of the Kimsuky group and concurs that the actor is most likely a Chinese national working on goals that align with North Korea's. The files suggesting the actor's reconnaissance activities against Taiwanese targets and visits to Chinese hacking forums support the idea that the actor is not Kimsuky, TeamT5's Li says.

"We consider the revealed dumps to be from a Chinese attacker, not from DPRK," he says. "We never see them collaborating, and the current political situation doesn't provide opportunity for them to collaborate as well."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.