The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Kimsuky GoldDragon C2 Cluster

Sep 19, 2022 2:06:44 PM / by PolySwarm Tech Team

kimsuky_TwitterVerticals Targeted: Think Tanks, Media, Government

Executive Summary

In early 2022, the North Korean threat actor group Kimsuky targeted a South Korean think tank and media entities. In this campaign, they leveraged what is known as the GoldDragon backdoor and associated C2 cluster.

Key Takeaways

  • GoldDragon is a backdoor and associated C2 cluster used by the North Korean threat actor group Kimsuky.
  • Kimsuky used a geopolitical-themed spearphishing campaign to target its victims, with the initial payload calling out to the GoldDragon C2 cluster.
  • GoldDragon uses multiple C2 servers to verify that the intended victim is being targeted before delivering the final payload.
What is GoldDragon?

GoldDragon is a backdoor and associated C2 cluster used by Kimsuky in an early 2022 campaign targeting South Korean think tanks and media entities. The initial infection chain was established by sending a spearphishing email with a malicious macro-embedded Word document. The documents used a geopolitical theme. After the initial infection, the threat actors delivered a Visual Basic Script to the victim machine. This file reported victim machine information to the C2 and retrieved additional payloads. The final stage malware was a Windows executable used to steal file lists, record keystrokes, and harvest web browser login credentials.

Securelist further described the GoldDragon C2 operation as follows:
  • The threat actor uses a spearphishing email to trick the victim into downloading a malicious document.
  • If the victim clicks the link, they are connected to the first stage C2 server, using an email address as a parameter.
  • The first stage, C2, verifies the parameter and delivers the document if the email address matches the expected parameter. A script forwards the victim IP to the next stage server.
  • When the victim opens the malicious document, it connects to the second C2 server.
  • A script on the second C2 server checks the IP address sent from the first stage server to verify it is the same victim. 
  • The threat actors use additional processes to check OS type and user-agent strings prior to delivering the next payload.
Who is Kimsuky?

Kimsuky, also known as Thallium, Black Banshee, Stolen Pencil,  and Velvet Chollima, is a North Korean nexus threat actor group active since at least 2012. Kimsuky is thought to be a state-sponsored threat actor and primarily conducts espionage operations. Kimsuky is known to target politicians, diplomats, journalists, academics, nuclear power operators, and North Korean defectors.

Kimsuky TTPs include but are not limited to an extensive C2 infrastructure, using Blogspot to host content, spearphishing, malicious documents, malicious browser extensions, AppleSeed, BabyShark, Brave Prince, CSPY Downloader, Mimikatz, GoldDragon, and NOKKI. The group regularly updates its toolset.


PolySwarm has multiple samples associated with GoldDragon.
















You can use the following CLI command to search for all GoldDragon-related samples in our portal:

$ polyswarm link list -f GoldDragon

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Espionage, North Korea, Kimsuky, GoldDragon

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts