
Tracking the Trackers: Lessons from the APT43/Kimsuky Takedown


Introduction

This technical analysis is derived from the groundbreaking “APT Down — The North Korea Files” published in Phrack Magazine Issue 72. Our security team gained unprecedented access to the actual infrastructure, logs, and code of Kimsuky/APT43, a North Korean state-sponsored threat actor, following a major takedown operation. This rare opportunity to analyze real attacker infrastructure has provided invaluable insights into their operations.

In today’s sophisticated threat landscape, attackers are increasingly using tracking pixels as part of their phishing campaigns to validate email addresses, track victim behavior, and enhance targeting. These invisible 1×1 pixel images can reveal when an email is opened, what device was used, and even approximate location data – all without the user’s knowledge or consent.

This blog post explores practical detection strategies for security teams based on our analysis of real-world attacks, including those attributed to Kimsuky/APT43, a North Korean threat actor known for their targeted phishing campaigns against government entities and critical infrastructure. Our findings come directly from examining their actual Apache logs, PHP code, and operational infrastructure used between January and May 2025.

What Are Tracking Pixels?

Tracking pixels are tiny, often invisible images embedded in emails that load from a server when the email is opened. While they have legitimate uses in marketing, they’re increasingly weaponized by threat actors as part of sophisticated phishing campaigns.

A typical malicious tracking pixel might look like this in the HTML:

<img src="https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20=" width="1" height="1" alt="" style="display:none;">

The encoded parameter often contains the target’s email address or a unique identifier, allowing attackers to confirm that:

  1. The email address is valid and actively monitored
  2. The recipient opened the email
  3. When and how many times the email was opened
  4. What device and email client was used

Legitimate vs. Malicious Tracking Pixels

While the technical implementation of tracking pixels is similar across both legitimate marketing and malicious campaigns, there are key differences that can help security teams distinguish between them:

Legitimate Marketing Tracking Pixels:

  • Domain Reputation: Established marketing platforms (HubSpot, Mailchimp, Outlook, etc.) use well-known, long-established domains
  • Infrastructure: Use enterprise-grade CDNs with proper security certificates
  • Transparency: Often disclosed in privacy policies or email footers
  • Opt-out Options: Provide unsubscribe links and honor opt-out requests
  • Consistent Naming: Use standardized, consistent file naming conventions
  • Parameter Encoding: Typically use simple encoding or hashing for user IDs
  • Legal Compliance: Adhere to regulations like GDPR, CAN-SPAM Act

Kimsuky/APT43 Malicious Tracking Pixels:

  • Domain Age: Use newly registered domains (often <30 days old)
  • Infrastructure: Custom PHP scripts (request.php) with minimal server hardening
  • Deception: Deliberately hidden with no disclosure
  • No Opt-out: No legitimate business relationship or opt-out mechanism
  • Inconsistent Naming: Varied or randomized file names across campaigns
  • Parameter Encoding: Base64-encoded email addresses (directly reversible)
  • Operational Patterns: Domains and IPs linked to other malicious activities

From our analysis of Kimsuky’s infrastructure, we observed they specifically used base64-encoded email addresses in their tracking URLs, allowing them to decode the exact target address when a pixel loaded. This differs from legitimate services that typically use hashed identifiers that can’t be reversed to reveal the actual email address.

Detection Strategy #1: Image Request Pattern Analysis

One of the most effective ways to detect tracking pixels is by analyzing image request patterns in your web proxy or gateway logs.

What to Look For

  • Tiny image requests (1×1 pixels)
  • Images with random or encoded filenames
  • Images with query parameters containing base64-encoded data
  • Common tracking pixel filenames like dot.png, pixel.gif, clear.gif, spacer.gif, beacon.gif

Differentiating Legitimate vs. Malicious Patterns

Attribute            Legitimate (marketing)                                  Malicious (Kimsuky/APT43)
URL Structure        https://track.hubspot.com/__t.gif?tid=12345&rid=abcd    https://[new-domain]/request.php?i=base64email&dot.png
Request Frequency    Single request per email open                           Multiple requests to validate target
Referrer Headers     Often includes marketing platform info                  Empty or spoofed to hide origin
Associated Requests  Linked to legitimate marketing domains                  Connected to command & control infrastructure
Target Scope         Broad distribution list                                 Highly targeted government employees

Implementation Approach

  1. Create a baseline of normal image request patterns in your environment
  2. Look for image requests with long query strings (>20 characters)
  3. Identify patterns of image requests that occur immediately after email opens
  4. Monitor for image requests to domains different from the email sender domain

Real-World Example

2023-10-15T08:45:12Z GET https://tracking-domain.com/request.php?i=ZW1haWxAZXhhbXBsZS5jb20=&c=campaign123&dot.png HTTP/1.1 200 43 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

In this log entry, we can see several red flags:

  • The URL contains a base64-encoded parameter (i=ZW1haWxAZXhhbXBsZS5jb20=)
  • The response size is tiny (43 bytes)
  • The filename (dot.png) is a common tracking pixel name
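The following is an added example (not code from the original post or from the Kimsuky infrastructure) that applies the red flags above to proxy log lines in the layout of the entry shown: it decodes base64 query values and reports those that are e-mail addresses, checks for tiny responses, long query strings and common pixel filenames. The log format, the 100-byte size threshold and the two sample lines are assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the layout of the page's real-world example:
# timestamp method URL protocol status response-bytes user-agent.
SAMPLE_LOGS = [
    "2023-10-15T08:45:12Z GET https://tracking-domain.com/request.php?i=ZW1haWxAZXhhbXBsZS5jb20=&c=campaign123&dot.png HTTP/1.1 200 43 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "2023-10-15T08:46:01Z GET https://cdn.example-news.com/images/header.jpg HTTP/1.1 200 48211 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
]

PIXEL_NAMES = {"dot.png", "pixel.gif", "clear.gif", "spacer.gif", "beacon.gif"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (HTTP/\S+) (\d{3}) (\d+) (.*)$")

def decode_base64_email(value):
    """Return the e-mail address if value is base64 of one, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:                             # binascii.Error and UnicodeDecodeError
        return None
    return text if EMAIL_RE.match(text) else None

def score_request(line):
    """Return the red flags found in one proxy log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _method, url, _proto, _status, size, _ua = m.groups()
    parts = urlsplit(url)
    flags = []
    if int(size) < 100:                       # a 1x1 GIF/PNG is a few dozen bytes (assumed threshold)
        flags.append("tiny response (%s bytes)" % size)
    if len(parts.query) > 20:                 # long query string, implementation step 2
        flags.append("long query string")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        email = decode_base64_email(value)
        if email:                             # directly reversible target identifier
            flags.append("base64 e-mail in parameter %s (%s)" % (key, email))
        if key in PIXEL_NAMES:                # bare 'dot.png' token appended to the query
            flags.append("tracking pixel name in query (%s)" % key)
    if parts.path.rsplit("/", 1)[-1] in PIXEL_NAMES:
        flags.append("tracking pixel filename")
    return flags

def scan(lines):
    """Return [(line, flags)] for every line that raised at least one flag."""
    hits = [(line, score_request(line)) for line in lines]
    return [(line, flags) for line, flags in hits if flags]
```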

Detection Strategy #2: Email Header Analysis

Analyzing email headers and content before delivery can help identify tracking pixels before they’re even loaded.

What to Look For

  • HTML emails with embedded <img> tags with 1×1 dimensions
  • Base64-encoded parameters in image URLs
  • CSS background images with minimal dimensions
  • HTML elements with display:none containing tracking elements
  • JavaScript that dynamically creates image elements

Implementation Approach

  1. Extract and analyze HTML content from emails
  2. Look for patterns in image tag attributes (width="1" height="1")
  3. Identify emails with multiple tracking techniques (image, CSS, JavaScript)
  4. Monitor for emails containing encoded parameters in URLs

Common Patterns

<!-- Standard image tracking pixel -->
<img src="https://tracking-domain.com/pixel.gif?i=base64encodeddata" width="1" height="1" alt="" style="display:none;">

<!-- CSS-based tracking pixel -->
<div style="background-image:url('https://tracking-domain.com/pixel.gif?i=base64encodeddata');width:1px;height:1px;"></div>

<!-- Resource hint-based tracking -->
<link rel="prefetch" href="https://tracking-domain.com/pixel.gif?i=base64encodeddata">
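As an added example (not from the original post), the pre-delivery check below parses an HTML body and reports the three patterns shown: 1x1 or display:none images, 1px CSS background images, and prefetch-style resource hints, marking each URL whose query carries a base64-looking parameter. The sample message body, the rel values checked and the base64 regex are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample message body combining the three patterns from the page
# with one ordinary, full-size image that must not be flagged.
SAMPLE_HTML = """
<html><body>
<p>Please review the attached agenda.</p>
<img src="https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20=" width="1" height="1" alt="" style="display:none;">
<div style="background-image:url('https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20=');width:1px;height:1px;"></div>
<link rel="prefetch" href="https://tracking-domain.com/pixel.gif?i=ZW1haWxAZXhhbXBsZS5jb20=">
<img src="https://cdn.example-news.com/logo.png" width="200" height="60" alt="logo">
</body></html>
"""

# A query value of 8+ base64 alphabet characters with optional padding (assumed heuristic).
B64_PARAM_RE = re.compile(r"[?&][A-Za-z0-9_]+=([A-Za-z0-9+/]{8,}={0,2})(?:&|$)")
BG_URL_RE = re.compile(r"background(?:-image)?\s*:\s*url\(\s*['\"]?([^'\")]+)")
HINT_RELS = ("prefetch", "preload", "dns-prefetch")

def _is_tiny(value):
    digits = re.match(r"\s*(\d+)", value or "")
    return bool(digits) and int(digits.group(1)) <= 1

class TrackerFinder(HTMLParser):
    """Collects (technique, url) pairs for elements that look like tracking beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        raw_style = a.get("style") or ""
        style = raw_style.replace(" ", "").lower()
        if tag == "img" and a.get("src"):
            hidden = _is_tiny(a.get("width")) or _is_tiny(a.get("height")) or "display:none" in style
            if hidden:
                self.findings.append(("img", a["src"]))
        elif tag == "link" and (a.get("rel") or "").lower() in HINT_RELS and a.get("href"):
            self.findings.append(("link-" + a["rel"].lower(), a["href"]))
        m = BG_URL_RE.search(raw_style)        # CSS background beacon on any element
        if m and "width:1px" in style and "height:1px" in style:
            self.findings.append(("css-background", m.group(1)))

def find_tracking_elements(html):
    """Return [(technique, url, has_base64_param)] for every suspicious element."""
    parser = TrackerFinder()
    parser.feed(html)
    parser.close()
    return [(kind, url, bool(B64_PARAM_RE.search(url))) for kind, url in parser.findings]
```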

Detection Strategy #3: User-Agent String Analysis

Email client user-agents can be a valuable indicator of tracking pixel activity.

What to Look For

  • Email client user-agents making web requests
  • Inconsistent user-agent strings across requests
  • User-agents revealing email preview functionality
  • Mobile email client user-agents

Implementation Approach

  1. Baseline normal user-agent patterns in your environment
  2. Identify email client user-agents (Outlook, Apple Mail, etc.)
  3. Look for user-agent strings that indicate email previews
  4. Monitor for inconsistent user-agent strings from the same client

Common Email Client User-Agent Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51 Microsoft Outlook/16.0.14026.10000

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)

Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148
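An added example (not from the original post) that labels user-agent strings like the three above and implements step 4 of the approach, flagging a source that presents several distinct user-agents. The (source, user-agent) sample events, the "embedded WebKit without a browser product token" heuristic and the threshold of two distinct strings are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of (source address, user-agent) pairs as a proxy would log them.
# The first, third and fourth strings are the email-client examples from the page.
SAMPLE_EVENTS = [
    ("10.1.2.3", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51 Microsoft Outlook/16.0.14026.10000"),
    ("10.1.2.3", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"),
    ("10.1.2.3", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"),
    ("10.1.2.4", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)"),
]

BROWSER_TOKEN_RE = re.compile(r"\b(Chrome|Safari|Edg|Firefox)/")

def classify_ua(ua):
    """Return a set of labels describing what the user-agent string reveals."""
    labels = set()
    if "Microsoft Outlook/" in ua:              # explicit desktop mail client token
        labels.add("email-client:outlook")
    if "Mobile/" in ua or "iPhone" in ua or "Android" in ua:
        labels.add("mobile")
    # Assumed heuristic: WebKit with no browser product token is typical of an
    # embedded renderer such as a mail client's preview pane rather than a browser.
    if "AppleWebKit/" in ua and not BROWSER_TOKEN_RE.search(ua):
        labels.add("embedded-webkit")
    return labels

def inconsistent_sources(events, threshold=2):
    """Map each source to its distinct user-agents when it presented more than threshold."""
    seen = defaultdict(set)
    for src, ua in events:
        seen[src].add(ua)
    return {src: uas for src, uas in seen.items() if len(uas) > threshold}
```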

Practical Implementation: Email Security Controls

To effectively protect against tracking pixels, implement these email security controls:

Content Disarm and Reconstruction (CDR)

  • Strip embedded tracking elements from emails
  • Convert HTML emails to plain text for high-risk users
  • Rewrite embedded URLs to pass through security scanning

Remote Image Blocking

  • Configure email clients to block automatic image loading
  • Implement proxy-based image loading
  • Add warning banners for external emails

Example Configuration (Microsoft 365)

# Exchange Online PowerShell: restrict automatic responses sent to the default (external) remote domain.
# This command does not block image downloads; it disables auto-forwards, auto-replies, delivery
# reports and NDRs, which are out-of-band signals that confirm a mailbox is live. Blocking
# automatic image downloads is a client-side Outlook Trust Center setting.

Set-RemoteDomain -Identity Default -AutoForwardEnabled $false -AutoReplyEnabled $false -DeliveryReportEnabled $false -NDREnabled $false

Conclusion

Tracking pixels represent a subtle but significant threat in the modern email security landscape. By implementing the detection strategies outlined in this post, security teams can significantly improve their ability to detect and respond to tracking pixel-based threats before they lead to more serious compromises.
