{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kimsuky/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Kimsuky","Black Banshee","Velvet Chollima","Emerald Sleet","Thallium"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kimsuky","dropbox","api","command-and-control","exfiltration"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eKimsuky, a North Korean APT group also tracked as Black Banshee, Velvet Chollima, Emerald Sleet and Thallium, has been observed using malware that relies on the Dropbox API for command and control (C2). Because the traffic is ordinary HTTPS to Dropbox-owned API hosts, it blends in with legitimate use of the service and sidesteps controls that key on attacker-owned infrastructure. The malware uses the API to upload stolen data and to fetch commands from the operators, giving them one covert channel for both exfiltration and control (MITRE ATT\u0026CK T1102.002 Web Service: Bidirectional Communication; T1567.002 Exfiltration to Cloud Storage). The group is known for targeting South Korean entities, but the scope of this activity may extend beyond that region. The technique has been observed since early 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unconfirmed vector, such as spear phishing or a watering hole, that delivers an initial downloader.\u003c/li\u003e\n\u003cli\u003eThe downloader runs and establishes persistence, for example by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware initializes its Dropbox API client and authenticates with credentials embedded in the sample or stolen from a legitimate account. The Dropbox v2 API authorizes every call with an OAuth 2.0 bearer token (an access token, which current apps obtain with an app key, app secret and refresh token), so the \u0026ldquo;API keys\u0026rdquo; are OAuth material tied to an attacker-controlled or compromised Dropbox account.\u003c/li\u003e\n\u003cli\u003eThe malware enumerates files on the compromised system, targeting documents, credentials and other sensitive data.\u003c/li\u003e\n\u003cli\u003eStolen data is compressed and encrypted, then uploaded through the Dropbox API to a folder the attacker controls.\u003c/li\u003e\n\u003cli\u003eThe malware periodically polls the attacker\u0026rsquo;s Dropbox folder for new command files, again through the Dropbox API.\u003c/li\u003e\n\u003cli\u003eDownloaded commands are decrypted and executed on the compromised system, enabling remote code execution and further data collection.\u003c/li\u003e\n\u003cli\u003eThe exfiltration and command cycle repeats, giving the attacker persistent access to and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful intrusions can lead to significant data breaches, intellectual property theft and espionage. Kimsuky\u0026rsquo;s targeting of South Korean entities suggests a focus on political and strategic intelligence gathering. Because the C2 endpoint is a reputable SaaS host rather than attacker infrastructure, domain-reputation and IOC-based blocking do not apply, so the malware can operate undetected for extended periods and maximize the impact of the compromise. The number of victims is currently unknown, but the potential for widespread compromise is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eKnow what Dropbox API traffic looks like: HTTPS to api.dropboxapi.com for RPC calls such as /2/files/list_folder, and to content.dropboxapi.com for /2/files/upload and /2/files/download. Without TLS inspection the request paths are invisible, so detection rests on process-to-destination telemetry: EDR network events, Sysmon Event ID 3 (network connection) and Event ID 22 (DNS query), and proxy logs that record the originating process.\u003c/li\u003e\n\u003cli\u003eAlert on any process other than the Dropbox desktop client, browsers and sanctioned integrations that resolves or connects to *.dropboxapi.com, and prioritize binaries running from user-writable paths such as AppData, Temp or ProgramData (see: \u0026ldquo;Detect Suspicious Dropbox API Usage\u0026rdquo; Sigma rule). Where TLS is inspected, the bidirectional pattern above appears as one process both uploading to /2/files/upload and polling /2/files/list_folder.\u003c/li\u003e\n\u003cli\u003eIf Dropbox is not a sanctioned service, block dropbox.com and dropboxapi.com at the proxy or DNS layer; if it is, restrict API access to the managed client and approved integrations and monitor everything else.\u003c/li\u003e\n\u003cli\u003eInvestigate and contain any unsanctioned process reaching Dropbox API endpoints: collect the binary, its persistence mechanism and the OAuth material it carries, which identifies the attacker\u0026rsquo;s Dropbox account.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules referenced in this brief to your SIEM and tune the process allowlist for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:00:00Z","date_published":"2026-03-19T12:00:00Z","id":"/briefs/2026-03-kimsuky-dropbox-api/","summary":"Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.","title":"Kimsuky Malware Using Dropbox API for Command and Control","url":"https://feed.craftedsignal.io/briefs/2026-03-kimsuky-dropbox-api/"}],"language":"en","title":"CraftedSignal Threat Feed — Kimsuky","version":"https://jsonfeed.org/version/1.1"}
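The check the brief's Recommendation section asks for, as an added example that is not part of the CraftedSignal feed or the brief: a small Python script that runs an allowlist-based detection over constructed Sysmon-style DNS, network-connection and decrypted-proxy events and flags non-sanctioned processes contacting the Dropbox API. The host names and request paths are the real Dropbox API v2 ones; the event layout, process paths, allowlist entries and the user-writable-path heuristic are assumptions to be adapted to your own telemetry.

```python
"""Flag non-sanctioned processes talking to the Dropbox API.

Added example, not code from the CraftedSignal brief. Hosts and API paths are
the real Dropbox API v2 ones; the event schema, process paths, allowlist and
the user-writable-path heuristic are assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Dropbox API v2 hosts: RPC calls such as /2/files/list_folder go to
# api.dropboxapi.com; file bytes (/2/files/upload, /2/files/download) go to
# content.dropboxapi.com. Matching on the suffix covers both.
DROPBOX_API_SUFFIX = ".dropboxapi.com"

# Processes that legitimately use the API in this (assumed) environment.
# Keyed on the full lower-cased image path, not the file name, because the
# sample event below deliberately mimics svchost.exe.
ALLOWLIST = {
    r"c:\program files (x86)\dropbox\client\dropbox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Directories attacker-dropped binaries commonly run from (heuristic).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_dropbox_api_host(host: str) -> bool:
    """True for api/content/notify.dropboxapi.com, case-insensitive, trailing dot tolerated."""
    return host.lower().rstrip(".").endswith(DROPBOX_API_SUFFIX)


def classify_path(path: str) -> str:
    """Map a request path to the C2 role it plays (only visible with TLS inspection)."""
    if path.startswith("/2/files/upload"):
        return "exfil-upload"
    if path.startswith("/2/files/download"):
        return "command-download"
    if path.startswith("/2/files/list_folder"):
        return "command-poll"
    return "other"


def analyze(events):
    """Return one alert per non-allowlisted process that touched a Dropbox API host.

    Each event is a dict with 'image' plus one of: 'query' (Sysmon ID 22 DNS
    query), 'dest_host' (Sysmon ID 3 network connection) or 'url' (proxy log
    with decrypted TLS, so the request path is available).
    """
    seen = defaultdict(lambda: {"hosts": set(), "roles": set(), "count": 0})
    for ev in events:
        host = ev.get("query") or ev.get("dest_host")
        path = ""
        if "url" in ev:
            parts = urlsplit(ev["url"])
            host, path = parts.hostname or "", parts.path
        if not host or not is_dropbox_api_host(host):
            continue
        image = ev["image"].lower()
        if image in ALLOWLIST:
            continue
        rec = seen[image]
        rec["count"] += 1
        rec["hosts"].add(host.lower())
        if path:
            rec["roles"].add(classify_path(path))

    alerts = []
    for image, rec in seen.items():
        severity = "medium"
        if any(m in image for m in USER_WRITABLE_MARKERS):
            severity = "high"
        # Upload plus polling from one process is the bidirectional C2
        # pattern the brief describes.
        if {"exfil-upload", "command-poll"} <= rec["roles"]:
            severity = "high"
        alerts.append({"image": image, "severity": severity,
                       "hosts": sorted(rec["hosts"]), "roles": sorted(rec["roles"]),
                       "events": rec["count"]})
    return sorted(alerts, key=lambda a: a["image"])


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "query": "api.dropboxapi.com"},
    {"image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "query": "api.dropboxapi.com"},
    {"image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "dest_host": "content.dropboxapi.com"},
    {"image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "url": "https://content.dropboxapi.com/2/files/upload"},
    {"image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "url": "https://api.dropboxapi.com/2/files/list_folder"},
    {"image": r"C:\Windows\System32\svchost.exe", "query": "ctldl.windowsupdate.com"},
    {"image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "content.dropboxapi.com"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields two alerts: a medium one for git.exe, which merely touched the content host once, and a high one for the svchost.exe look-alike under AppData, which both uploaded and polled for commands. The allowlist keys on the full image path rather than the file name precisely because attackers pick system-sounding names; in production, replace the static set with your EDR's signed-publisher data or a baseline of processes seen contacting these hosts.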