
A North Korean state-sponsored threat actor known as Kimsuky (also tracked as Velvet Chollima) is believed to be responsible for a new round of cyberattacks targeting the South Korean military and businesses from March to April 2026.
“Kimsuky employed a variety of customized social engineering tactics, including spoofing security software installation pages and creating fake Webex meeting pages utilizing legitimate meeting schedules,” ENKI said in an analysis released this week.
The attack was found to deliver a variant of a known malware family called HTTPSpy by posing as a Korean security software installer. This is a tactic that threat actors have consistently employed since 2023.
The most recent campaign, observed in March 2026, saw the attacker distributing a malicious payload through a fake web page posing as the security software installation page of a South Korean B2B messaging service. Given the nature of the decoy, the activity is suspected to have been specifically designed to reach messaging administrators within corporate environments.
The page claims to offer two security tools: a firewall and a keyboard security program. When an unsuspecting user initiates the download, one of two executable files disguised as nProtect Online Security and AhnLab Safe Transaction (ASTx) installers is delivered: ‘nos-setup.exe’ or ‘astx-setup.exe’. Despite the different names, the malicious behavior embedded in them is the same.
The main role of the binary is to launch the second-stage DLL payload (‘MemLoader.dll’) via ‘regsvr32.exe’. A batch script is then run to delete the binary itself from disk. The DLL uses a scheduled task to establish persistence on the host and connects to a command-and-control (C2) server to retrieve an as-yet-unknown payload.
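The chain just described (installer runs regsvr32 on a DLL outside a trusted directory, a scheduled task is created beneath it, and a sibling cmd.exe runs a batch file that cleans up the installer) is a pattern that endpoint telemetry can correlate. The following is an added defensive example, not code from ENKI or from the report; the process events, paths, PIDs and task name are constructed and are not indicators from the campaign.

```python
"""Correlate process-creation events for the installer -> regsvr32 DLL load ->
scheduled task -> batch self-delete chain described above.

All events below are constructed for this example; the paths, PIDs and task
name are assumptions, not indicators taken from the ENKI report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


# Constructed sample telemetry (Sysmon event 1 style fields).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 4000, 900, r"C:\Users\victim\Downloads\nos-setup.exe",
              "nos-setup.exe"),
    ProcEvent(101, 4010, 4000, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\MemLoader.dll"),
    ProcEvent(102, 4020, 4000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\cleanup.bat"),
    ProcEvent(103, 4030, 4010, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn Updater /sc minute /mo 10 '
              r'/tr "regsvr32 /s C:\Users\victim\AppData\Local\Temp\MemLoader.dll"'),
    # Benign-looking registration from a trusted directory: must not fire.
    ProcEvent(200, 5000, 900, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A quoted path (may contain spaces) or an unquoted path without whitespace.
DLL_RE = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\\S+?\.dll)', re.IGNORECASE)


def extract_dll(cmdline: str) -> Optional[str]:
    """Return the first .dll path found on a command line, or None."""
    m = DLL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_untrusted_path(path: str) -> bool:
    """True when the DLL does not live under a trusted, admin-controlled directory."""
    return not path.lower().startswith(TRUSTED_DIRS)


def _ancestors(pid: int, parent_of: Dict[int, int]) -> Iterator[int]:
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        yield pid


def find_suspicious_chains(events: List[ProcEvent], window: int = 300) -> List[dict]:
    """One finding per regsvr32 load of a DLL from an untrusted path, enriched with
    whether a scheduled task was created beneath it and whether a sibling cmd.exe
    ran a batch file (the self-delete step) within `window` seconds."""
    parent_of = {e.pid: e.ppid for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith(r"\regsvr32.exe"):
            continue
        dll = extract_dll(ev.cmdline)
        if dll is None or not is_untrusted_path(dll):
            continue
        persistence = any(
            o.image.lower().endswith(r"\schtasks.exe")
            and "/create" in o.cmdline.lower()
            and ev.pid in _ancestors(o.pid, parent_of)
            and 0 <= o.ts - ev.ts <= window
            for o in events)
        self_delete = any(
            o.image.lower().endswith(r"\cmd.exe")
            and o.ppid == ev.ppid
            and ".bat" in o.cmdline.lower()
            and 0 <= o.ts - ev.ts <= window
            for o in events)
        findings.append({"pid": ev.pid, "dll": dll,
                         "persistence": persistence, "self_delete": self_delete,
                         "score": 1 + int(persistence) + int(self_delete)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

The regsvr32 load alone is only a weak signal (installers legitimately register COM DLLs), which is why the score is built from the chain: the task creation under the regsvr32 process and the batch cleanup from the same parent are what separate this sequence from routine software installation.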
“The attackers likely monitored repeated GET requests from the malware and selectively delivered payloads to specific victims,” ENKI said.
In another campaign observed in April 2026, a fake web page mimicking Cisco Webex was used to display a pop-up message urging victims to download and run a script to fix camera access issues. Running it retrieves a ZIP archive containing a JScript Encoded (JSE) file (‘fix-camera.jse’).

When the JSE file is executed, it deploys an intermediate PowerShell downloader (‘mTSTCv8.mdxm’), which then performs anti-analysis checks and connects to the C2 server to retrieve the next stage of the malware (‘engine.dat’ or ‘spyInster.dll’). In the final stage, the DLL drops a loader component (‘cacheMon.dat’) and runs HTTPSpy on the compromised system.
HTTPSpy is a full-featured remote access Trojan that supports a wide range of functionality, including executing shell commands, uploading and downloading files, launching processes, capturing screenshots, injecting a DLL path into a process with a specified PID, and erasing itself from the endpoint.
This is not the first time Kimsuky has used HTTPSpy. CrowdStrike said in its 2025 European Threat Landscape Report that the group likely targeted employees of a German defense manufacturer through a credential phishing campaign that deployed the malware between May 2024 and at least September 2024. The first use of HTTPSpy dates back to 2022.
In the Webex campaign, the malware also drops and opens an HTML file named “meeting.html” that immediately redirects the victim to a Webex meeting room. The URL leads to a genuine Webex meeting associated with an actual scheduled event that took place at approximately the same time.
“This indicates that the attacker may have compromised a service member’s device or account to obtain the meeting schedule and then created a fake meeting page to distribute malware to other attendees,” the cybersecurity firm said.
ENKI said it also discovered an additional fake web page that queries a local server set up by the malware on the victim’s machine via JSONP (JSON with Padding) to check whether the malware is running, and displays an installation prompt if it is not. ENKI refers to this technique as JSONPing. The exact nature of the malware downloaded through that prompt remains unknown, as the URL is currently inactive.
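A page that probes a loopback listener through JSONP leaves a recognisable footprint in its HTML: script tags, static or built at runtime, whose source points at localhost or 127.0.0.1 and carries a callback parameter. The following static scanner is an added example for triaging captured pages, not code from ENKI or from the report; the sample HTML, port, path and callback names are constructed here and are not taken from the campaign.

```python
"""Static scan of a web page for JSONP probes aimed at a loopback listener, the
pattern described above (a page polling a local server started by malware).

The HTML, port, path and callback names below are constructed for this example
and are not taken from the ENKI report."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample page: one ordinary CDN script, one static JSONP probe to
# 127.0.0.1, and one probe assembled at runtime against localhost.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.com/app.js"></script>
<script src="http://127.0.0.1:41337/status?callback=onInstalled"></script>
<script>
  // constructed: dynamic JSONP probe built at runtime
  var s = document.createElement('script');
  s.src = 'http://localhost:41337/ping?cb=checkAgent&t=' + Date.now();
  document.head.appendChild(s);
</script>
</body></html>"""

# Query parameter names commonly used to carry a JSONP callback (assumption).
CALLBACK_PARAMS = {"callback", "cb", "jsonp", "jsonpcallback"}
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


class _ScriptCollector(HTMLParser):
    """Gather external script URLs and any URLs embedded in inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "script":
            return
        self._in_script = True
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.urls.append(value)

    def handle_endtag(self, tag) -> None:
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data) -> None:
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def is_loopback_host(host: Optional[str]) -> bool:
    """True for localhost and any loopback IPv4/IPv6 address."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def find_jsonp_localhost_probes(html: str) -> List[dict]:
    """Return one finding per script URL that targets a loopback host and
    carries a JSONP-style callback parameter."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parsed = urlparse(url)
        if not is_loopback_host(parsed.hostname):
            continue
        params = parse_qs(parsed.query)
        callbacks = [params[k][0] for k in params if k.lower() in CALLBACK_PARAMS]
        if not callbacks:
            continue
        findings.append({"url": url, "port": parsed.port, "callback": callbacks[0]})
    return findings


if __name__ == "__main__":
    for finding in find_jsonp_localhost_probes(SAMPLE_HTML):
        print(finding)
```

The scan is deliberately conservative: it reports only loopback targets that also carry a callback parameter, because a plain request to localhost can be legitimate (local development servers, some desktop helper apps), whereas a public page that silently polls a loopback port through JSONP to decide whether to show an install prompt is the behaviour the report describes.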
“Kimsuky went beyond simple malware distribution and introduced sophisticated mechanisms to maximize delivery success, including real-time infection verification using JSONPing and creating fake pages using stolen meeting schedules,” ENKI said.
Kimsuky evolves with HelloDoor and HttpMalice
The disclosure comes as Kaspersky detailed the group’s use of Microsoft Visual Studio Code (VS Code) tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language in its latest campaign, highlighting its continued adaptation and evolution.

“Specifically, Kimsuky leveraged legitimate VS Code tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities,” the Russian cybersecurity firm said. “These activities affected various sectors in South Korea, affecting both public and private organizations.”
The attack chain was found to rely on various droppers delivered as JSE, PIF, SCR, and EXE files to deploy two broad malware families: PebbleDash and AppleSeed. While PebbleDash attacks have also been recorded against defense organizations in Brazil and Germany, the AppleSeed cluster primarily targets government agencies.
Some of the major malware families delivered by droppers are:
HelloDoor is a Rust-based PebbleDash variant first identified in August 2025 that appears to have been developed with the help of an LLM. It supports basic functionality to set the current directory, sleep for specified intervals, and run commands.
HttpMalice, the latest backdoor variant of PebbleDash, appeared no later than December 2025. It can gather information about compromised systems, configure persistence, perform reconnaissance using native Windows commands, capture screenshots, load downloaded payloads into memory, execute commands, and extract execution output.
HttpTroy, a backdoor delivered through a loader named MemLoad, can upload and download files, capture screenshots, execute commands, load executables in memory, spawn a reverse shell, terminate processes, and remove traces.
AppleSeed comes in two variants: Dropper and Spy. The Dropper downloads additional malware and executes commands received from the C2 server. The Spy variant collects sensitive information such as documents, screenshots, keystrokes, and a list of USB drives; it also collects data from the C:\GPKI directory, mirroring functionality implemented in Troll Stealer.
HappyDoor is an advanced version of AppleSeed that first appeared in 2021.

Another notable change in tactics involves abusing legitimate VS Code remote tunneling functionality to establish covert remote access to victim devices, eliminating the need for a traditional malware-based C2 channel. This approach has also been documented by Darktrace and Logpresso.
“Our analysis shows that the attackers retain access to the malware cluster’s original source code and the ability to modify it,” said Kaspersky researcher Sojun Ryu. “The two clusters have overlapping target sectors spanning defense, military, government, medical, mechanical, and energy industries.”
“AppleSeed clusters have shifted their focus to data exfiltration, with GPKI certificate extraction becoming a signature feature, while PebbleDash clusters have demonstrated advanced remote control capabilities and a growing set of targets.”
