Kimsuky Expands Cyber Arsenal with HTTPSpy, HelloDoor and VS Code Tunnels

Security Reporter

North Korean threat actor Kimsuky has evolved its attack techniques, deploying malware including HTTPSpy and HelloDoor and leveraging legitimate tools such as VS Code tunnels for persistence in attacks on South Korean military and corporate targets.

Kimsuky, the North Korean state-sponsored threat actor also known as Velvet Chollima, has significantly expanded its cyber arsenal with new malware variants and advanced techniques, according to recent security research. The group continues to target South Korean military and corporate entities with increasingly sophisticated attacks that blend social engineering with novel delivery mechanisms.

HTTPSpy: A Proven Tool with New Applications

ENKI researchers have identified Kimsuky's continued use of HTTPSpy, a full-featured remote access trojan (RAT) that has been in the group's toolkit since 2022. In recent campaigns observed between March and April 2026, the threat actor has disguised HTTPSpy as legitimate security software installers from South Korean vendors.

"The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims," explained ENKI security researchers in their analysis.

The attack chain begins with a fake security software installation page offering two tools: a firewall and a keyboard security program. When users download the supposed installers—either "nos-setup.exe" or "ast-setup.exe"—they actually receive malware that launches a second-stage DLL payload via "regsvr32.exe."

"Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule," ENKI noted.

The malware establishes persistence through scheduled tasks and contacts command-and-control servers to retrieve additional payloads. HTTPSpy itself offers comprehensive capabilities including shell command execution, file upload/download, process execution, screenshot capture, and DLL injection.

In a particularly concerning development, Kimsuky has also implemented a verification mechanism called JSONPing that queries a local server to confirm malware execution status before displaying installation prompts, demonstrating the group's focus on maximizing delivery success rates.

Webex Impersonation Campaign

In a separate campaign observed in April 2026, Kimsuky created counterfeit Webex pages that displayed pop-up messages urging victims to download and run scripts to address camera access issues. This led to the deployment of an encrypted JavaScript file that eventually delivered HTTPSpy.

"The attacker likely compromised a service member's device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees," cybersecurity analysts explained. This approach allowed the threat actor to leverage legitimate meeting schedules to increase the credibility of their phishing attempts.

HelloDoor and HttpMalice: New Malware Families

Kaspersky researchers have identified additional malware families in Kimsuky's expanding arsenal, highlighting the group's continued evolution and adaptation.

HelloDoor represents a Rust-based variant of the PebbleDash malware family, first identified in August 2025. Security researchers believe it may have been developed with assistance from large language models (LLMs) due to its sophisticated design. HelloDoor supports basic functionality including directory management, timed delays, and command execution.

HttpMalice emerged as the latest backdoor variant of PebbleDash, no later than December 2025. This malware offers comprehensive capabilities including system reconnaissance, persistence establishment, screenshot capture, in-memory payload loading, command execution, and data exfiltration.

The PebbleDash cluster, which includes HelloDoor and HttpMalice, has demonstrated advanced remote control capabilities and expanded its target set beyond initial focus areas.

VS Code Tunneling: Legitimate Tools for Malicious Purposes

Perhaps most concerning is Kimsuky's innovative use of legitimate development tools for malicious purposes. The group has leveraged Microsoft Visual Studio Code (VS Code) tunneling mechanisms to establish persistence and maintain access to compromised systems without relying on traditional malware-based command-and-control channels.

"Specifically, Kimsuky leveraged legitimate VS Code tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities," Kaspersky researchers noted.

This approach allows the threat actor to blend in with legitimate network traffic and potentially evade detection by security solutions that focus on identifying malicious communications patterns.

The group has also employed Cloudflare Quick Tunnels and incorporated the Rust programming language into its malware development, indicating a focus on modern, stealthy techniques.

Targeted Sectors and Strategic Focus

Kimsuky's campaigns have affected various sectors in South Korea, including both public and private entities. The threat actor maintains two primary malware clusters with distinct focuses:

The AppleSeed cluster has primarily targeted government organizations and is shifting its focus to data exfiltration. A signature capability of this cluster is the extraction of GPKI certificates, mirroring techniques used by the Troll Stealer malware.

"The AppleSeed cluster is shifting its focus to data exfiltration, and GPKI certificate extraction has become a signature capability," explained Sojun Ryu, a Kaspersky researcher. "Meanwhile, the PebbleDash cluster demonstrates advanced remote control capabilities and an expanding set of targets."

The PebbleDash cluster, which includes HelloDoor and HttpMalice, has also targeted defense organizations in Brazil and Germany, demonstrating the group's global reach.

Implications for Security Professionals

Kimsuky's evolving tactics present significant challenges for security professionals. The group's ability to blend social engineering with sophisticated malware, coupled with its innovative use of legitimate tools, requires a multi-layered defense approach.

Organizations should focus on:

  1. Implementing robust email filtering and user awareness training to combat social engineering attacks
  2. Monitoring for unusual use of legitimate development tools like VS Code
  3. Implementing application control solutions to prevent execution of unauthorized software
  4. Regularly updating security solutions to detect the latest malware variants
  5. Conducting thorough endpoint detection and response (EDR) investigations
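The following detection logic covers the host-level behaviors this article describes in one place: regsvr32.exe launching a second-stage DLL from a user-writable path, scheduled-task persistence, VS Code started in tunnel mode, and cloudflared opening a Quick Tunnel. It is an added example, not code from ENKI's or Kaspersky's reports; the process-creation events, file names other than nos-setup.exe, and paths are constructed, and the `code tunnel` and `cloudflared tunnel --url` command forms are the tools' documented ones.

```python
import re

# Constructed sample process-creation events for this example (not from the
# article or any real capture). Format: "pid|parent|image|command line".
SAMPLE_EVENTS = [
    "1001|explorer.exe|C:\\Users\\kim\\Downloads\\nos-setup.exe|nos-setup.exe",
    "1002|nos-setup.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\kim\\AppData\\Local\\Temp\\stage2.dll",
    "1003|nos-setup.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc minute /mo 10 /tn Update /tr C:\\Users\\kim\\AppData\\Roaming\\svc.exe",
    "1004|cmd.exe|C:\\Users\\kim\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe|code tunnel --accept-server-license-terms",
    "1005|cmd.exe|C:\\Users\\kim\\AppData\\Local\\Temp\\cloudflared.exe|cloudflared tunnel --url http://localhost:8080",
    "1006|svchost.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\legit.dll",
    "1007|explorer.exe|C:\\Users\\kim\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe|code C:\\Users\\kim\\project",
]

# Paths a standard user can write to; a DLL or task action located there is suspicious.
USER_WRITABLE = re.compile(r"(\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\)", re.I)

def classify(event: str):
    """Return the name of the detection rule an event matches, or None."""
    _pid, _parent, image, cmdline = event.split("|", 3)
    exe = image.rsplit("\\", 1)[-1].lower()
    args = cmdline.lower()
    # 1. regsvr32 loading a DLL from a user-writable path (second-stage payload)
    if exe == "regsvr32.exe" and USER_WRITABLE.search(cmdline):
        return "regsvr32_user_writable_dll"
    # 2. scheduled task whose action lives in a user-writable path (persistence)
    if exe == "schtasks.exe" and "/create" in args:
        m = re.search(r"/tr\s+(\S+)", cmdline, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            return "schtasks_user_writable_action"
    # 3. VS Code started in tunnel mode (remote access without a malware C2 channel)
    if exe in ("code.exe", "code-tunnel.exe") and re.search(r"\btunnel\b", args):
        return "vscode_tunnel"
    # 4. cloudflared opening a tunnel (Cloudflare Quick Tunnel)
    if exe.startswith("cloudflared") and "tunnel" in args:
        return "cloudflared_tunnel"
    return None

def detect(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    hits = [(ev.split("|", 1)[0], classify(ev)) for ev in events]
    return [(pid, rule) for pid, rule in hits if rule]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Ordinary VS Code use (event 1007) and regsvr32 registering a DLL under System32 (event 1006) do not fire, so the rules key on the tunnel argument and the payload location rather than on the tool itself.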

The continued evolution of Kimsuky's techniques underscores the importance of maintaining strong security postures and staying informed about emerging threats.

As Sojun Ryu noted, "Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it." This adaptability suggests that Kimsuky will continue to refine its techniques and develop new methods to achieve its objectives.

For organizations operating in the sectors targeted by Kimsuky, particularly government, defense, and critical infrastructure providers, these developments highlight the need for enhanced vigilance and proactive security measures.

This article provides insights into the evolving threat landscape and the sophisticated techniques employed by advanced persistent threat actors like Kimsuky. By understanding these tactics, security professionals can better prepare their defenses and protect against similar attacks.