For years, we have tracked the espionage threat actor we call Black Banshee (also known in open-source reporting as Kimsuky). In 2019, it launched multiple parallel cyber espionage campaigns, ranging from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations.

The foundations for this activity began in August 2018, when we observed Black Banshee setting up a substantial number of domains impersonating organisations across the government, academia, and policy sectors. This formed the basis for multiple spear-phishing and credential harvesting campaigns.

In tracking Black Banshee, we have identified a number of highly characteristic elements of the threat actor’s tools, techniques, and procedures (TTPs). In the two parts of this retrospective look at Black Banshee’s 2019 activity, we will: