BIPI

Kimsuky's Research Trap: LinkedIn Personas and BabyShark RAT

Threat Intelligence

North Korea's Kimsuky group builds elaborate academic and journalist personas on LinkedIn to target nuclear researchers, policy analysts, and UN sanctions monitors, delivering BabyShark RAT via weaponized documents.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 21, 2024 · 9 min read

#kimsuky #emerald-sleet #north-korea #babyshark #social-engineering #dprk

Kimsuky, tracked by Microsoft as Emerald Sleet and attributed to North Korea's Reconnaissance General Bureau (RGB), has operated since at least 2012 with a singular intelligence focus: collecting information that supports North Korea's nuclear weapons program, sanctions evasion strategies, and political intelligence on South Korea and the United States. Unlike most APT groups that favor technical exploitation for initial access, Kimsuky leads with social engineering of exceptional quality, building long-term trusted relationships before deploying any malware.

The LinkedIn Persona Operation

A joint advisory from the FBI, NSA, and South Korean intelligence agencies (NIS) published in 2023 detailed how Kimsuky operators construct convincing research personas on LinkedIn, often impersonating journalists from reputable outlets, academics at recognizable universities, or policy fellows at think tanks. These personas maintain months of authentic-looking activity before initiating contact with targets: nuclear scientists, UN Panel of Experts members, and policy researchers focused on Korean Peninsula security.

  • Personas typically have 500+ LinkedIn connections established over 3-6 months before approaching high-value targets
  • Profile photographs use AI-generated faces or stolen images from low-visibility social media accounts in third countries
  • Initial outreach proposes collaboration on whitepapers, podcast interviews, or academic conferences, exploiting researchers' professional incentives
  • Spearphishing emails follow LinkedIn contact, delivering weaponized documents appearing to be draft papers or interview questionnaires

BabyShark RAT: Technical Profile

BabyShark is a VBScript-based remote access trojan that establishes persistence via scheduled tasks and communicates with C2 infrastructure using HTTP. It is typically delivered as a macro-enabled Office document or a malicious HTA file attached to spearphishing emails. Despite its relatively simple architecture, BabyShark has proven durable because Kimsuky continuously modifies it to evade signature detection.

  1. Initial stage: macro-enabled Word or Excel document drops a VBScript file to %APPDATA% and creates a scheduled task for persistence
  2. Reconnaissance stage: BabyShark enumerates running processes, network adapters, installed software, and recently accessed files, reporting to C2 via HTTP POST
  3. Secondary payload delivery: based on reconnaissance results, operators deliver targeted secondary tools including PowerShell-based keyloggers and credential stealers
  4. Exfiltration: data staged to local archive files before exfiltration via HTTP to infrastructure registered through privacy-protecting registrars

Kimsuky targets researchers because researchers are structurally incentivized to respond to peer outreach. A cold LinkedIn message from an apparent academic proposing collaboration is not a red flag in that professional context: it is routine. This social context is the exploit.

UN Sanctions Evasion Intelligence Collection

A consistent Kimsuky targeting priority is UN Panel of Experts members and government officials responsible for implementing DPRK sanctions. Compromising these individuals allows RGB to understand which sanctions circumvention techniques have been detected, which financial institutions are under scrutiny, and which front companies have been identified. This is tactical counter-intelligence that directly enables the continued operation of North Korea's illicit finance networks.

MITRE ATT&CK Mapping

  • T1566.001: Spearphishing Attachment delivering BabyShark via macro-enabled Office documents
  • T1585.001: Establish Accounts (Social Media) for LinkedIn persona construction
  • T1053.005: Scheduled Task/Job for BabyShark persistence
  • T1518: Software Discovery during BabyShark reconnaissance phase
  • T1041: Exfiltration Over C2 Channel using HTTP POST to attacker-controlled domains

Detection and Organizational Defense


Kimsuky's social engineering sophistication means that technical controls alone are insufficient. The human layer is the attack surface. Organizations with research staff working on sensitive topics related to North Korea, nuclear policy, or UN sanctions compliance must treat their personnel as high-value targets requiring tailored security awareness programs.
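
Hunt logic for the BabyShark persistence chain in the technical profile above (stage 1 drops a VBScript to %APPDATA% and registers a scheduled task; ATT&CK T1566.001 and T1053.005), written here as an added example and not taken from BIPI or any vendor's detection content. It assumes process-creation and scheduled-task events have already been normalized into the dict shape shown; the paths, task names, event ids and sample records are constructed.

```python
"""Hunt rules for the BabyShark persistence chain in the profile above: a macro
document drops a VBScript into %APPDATA%, then a scheduled task runs it.
Constructed example, not BIPI's code; the event dicts are hand-written
approximations of Sysmon EID 1 and Security EID 4698 after normalization."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs under the roaming profile, the drop location the profile above describes.
APPDATA_VBS = re.compile(r"\\AppData\\Roaming\\[^\s\"']*\.vbs\b", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(event: dict) -> list[str]:
    """Return the names of every rule a single event satisfies."""
    hits = []
    if event["type"] == "process_create":
        parent, image = _basename(event["parent"]), _basename(event["image"])
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")       # T1566.001, stage 1
        if image in SCRIPT_HOSTS and APPDATA_VBS.search(event["cmdline"]):
            hits.append("script_host_runs_appdata_vbs")
    elif event["type"] == "task_create":
        action = event["command"] + " " + event["args"]
        if _basename(event["command"]) in SCRIPT_HOSTS and APPDATA_VBS.search(action):
            hits.append("scheduled_task_vbs_appdata")      # T1053.005 persistence
    return hits

def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over a batch; returns (event_id, rule) pairs in event order."""
    return [(e["id"], rule) for e in events for rule in match_rules(e)]

# Constructed sample telemetry: a BabyShark-like chain (e1, e2) beside benign noise.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "cmdline": r'wscript.exe //B "C:\Users\analyst\AppData\Roaming\update.vbs"',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"id": "e2", "type": "task_create", "taskname": r"\OfficeUpdate",
     "command": r"C:\Windows\System32\wscript.exe",
     "args": r'//B "C:\Users\analyst\AppData\Roaming\update.vbs"'},
    {"id": "e3", "type": "task_create", "taskname": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "args": "-c -h -o"},
    {"id": "e4", "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

The two rules that fire on e1 and e2 together reproduce the stage 1 chain; a script host launched from an Office parent or a task pointing at a .vbs in the roaming profile each warrant triage on their own.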
