The North Korean state-backed hacking group known as Kimsuky (also called Velvet Chollima) has been linked to a new wave of cyberattacks aimed at South Korean military and corporate organizations during March and April 2026.
“Kimsuky used a variety of carefully crafted social engineering techniques, including faking security software installation pages and creating a counterfeit Webex meeting page that exploited a real meeting schedule,” ENKI explained in a report released this week.
The attacks were found to distribute a variant of a known malware family called HTTPSpy, disguised as installers for South Korean security software, a lure the group has regularly used since 2023.
In the most recent campaign spotted in March 2026, the attackers spread malicious files through a fake webpage impersonating the security software installation page of a South Korean B2B messaging platform. Based on the nature of the lure, it’s believed the campaign was likely designed to specifically target messaging administrators within corporate settings.
The page advertises two security tools: a firewall and a keyboard security program. When users download and run the files, they receive one of two executables — “nos-setup.exe” and “astx-setup.exe” — which pretend to be nProtect Online Security and AhnLab Safe Transaction (ASTx). Although the filenames differ, the malicious behavior inside both is the same.
The main job of these binaries is to load a second-stage DLL payload (“MemLoader.dll”) using “regsvr32.exe,” after which a batch script runs to erase the original files from the system. The DLL then sets up persistence on the machine through a scheduled task and reaches out to a command-and-control (C2) server to download a payload that has not yet been identified.
“The attacker likely kept an eye on the recurring GET requests from the malware and selectively sent payloads to specific targets,” ENKI noted.
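The regsvr32-then-batch-then-scheduled-task sequence described above is the kind of short chain a detection engineer can correlate per host. The block below is an added example, not code from ENKI or from the campaign: it runs a simple correlation over constructed process-creation events in the shape Sysmon Event ID 1 records. The user-writable directory list, the batch and task names, the user profile path and the five-minute window are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # full path of the process that started
    cmdline: str
    parent: str     # full path of its parent


# Directories a file pulled from a web page normally lands in. This list is an
# assumption for the example, not taken from the ENKI report.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.I,
)


def _image_is(ev, name):
    return ev.image.lower().endswith("\\" + name)


def _first_path_with_ext(cmdline, ext):
    m = re.search(r'"?([^"\s]+\.%s)"?' % ext, cmdline, re.I)
    return m.group(1) if m else None


def regsvr32_user_dll(ev):
    """regsvr32.exe told to load a DLL that lives in a user-writable directory."""
    dll = _first_path_with_ext(ev.cmdline, "dll") if _image_is(ev, "regsvr32.exe") else None
    return bool(dll and USER_WRITABLE.search(dll))


def batch_from_user_path(ev):
    """cmd.exe running a .bat that also sits in a user-writable directory (the self-delete step)."""
    bat = _first_path_with_ext(ev.cmdline, "bat") if _image_is(ev, "cmd.exe") else None
    return bool(bat and USER_WRITABLE.search(bat))


def schtasks_create(ev):
    """schtasks.exe /create (the persistence step, when done via the CLI tool)."""
    return _image_is(ev, "schtasks.exe") and re.search(r"/create\b", ev.cmdline, re.I) is not None


def correlate(events, window=timedelta(minutes=5)):
    """One alert per suspicious regsvr32 launch that is followed on the same host,
    inside `window`, by a user-path batch file and/or a scheduled-task creation."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not regsvr32_user_dll(ev):
                continue
            later = [e for e in evs[i + 1:] if e.ts - ev.ts <= window]
            hits = [e for e in later if batch_from_user_path(e) or schtasks_create(e)]
            if hits:
                alerts.append({"host": host, "trigger": ev, "followups": hits})
    return alerts


def _t(s):
    return datetime.fromisoformat("2026-03-10T" + s)   # constructed timestamps


# Constructed sample: WS-01 shows the chain, WS-02 shows benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(_t("09:00:00"), "WS-01", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\kim\AppData\Local\Temp\MemLoader.dll"',
              r"C:\Users\kim\Downloads\nos-setup.exe"),
    ProcEvent(_t("09:00:02"), "WS-01", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\kim\AppData\Local\Temp\cleanup.bat"',
              r"C:\Users\kim\Downloads\nos-setup.exe"),
    ProcEvent(_t("09:00:06"), "WS-01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 10 /tn "SystemCheck" /tr "C:\Users\kim\AppData\Roaming\update.exe"',
              r"C:\Windows\System32\regsvr32.exe"),
    ProcEvent(_t("11:30:00"), "WS-02", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\vendor.dll",
              r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(_t("11:30:01"), "WS-02", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"',
              r"C:\Program Files\Vendor\setup.exe"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["trigger"].cmdline, [e.image for e in a["followups"]])
```

Two caveats a practitioner would add: if the DLL registers the task through the Task Scheduler COM API rather than spawning schtasks.exe, no process event appears, so pair this with Windows Security event 4698 (a scheduled task was created); and the "recurring GET requests" ENKI mentions are a separate hunt in proxy logs, where a host fetching the same URL at a fixed interval and receiving mostly empty responses is the beaconing pattern to look for.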
In a separate campaign seen in April 2026, a fake webpage mimicking Cisco Webex was reportedly used to show a pop-up message prompting the victim to download and run a script to fix camera access issues. Following through leads to the download of a ZIP file containing an encoded JScript (JSE) file (“fix-camera.jse”).

Running the JSE file triggers the deployment of an intermediate downloader (“mTSTCv8.mdxm”) via PowerShell, which then performs anti-analysis checks and contacts a C2 server to retrieve the next-stage malware (“engine.dat” or “spyInster.dll”). In the final phase, the DLL drops a loader component (“cacheMon.dat”) that, in turn, launches HTTPSpy on the compromised system.
HTTPSpy is a fully featured remote access trojan equipped with a broad set of capabilities, including running shell commands, uploading and downloading files, executing processes, capturing screenshots, injecting DLL paths into specific PID processes, and removing itself from the endpoint.
This isn’t the first time Kimsuky has used HTTPSpy. In its 2025 European Threat Landscape Report, CrowdStrike noted that the hacking group likely targeted employees of a German defense manufacturer through a credential phishing campaign that deployed the malware between May 2024 and at least September 2024. The earliest known use of HTTPSpy goes back to 2022.
In the same April infection chain, the malware also drops and opens an HTML file called “meeting.html,” which immediately redirects the victim to a Webex meeting room. Visiting the URL opens a legitimate Webex meeting room tied to an actual scheduled event that took place around the same time.
“This suggests that the attacker likely compromised a service member’s device or account to obtain the meeting schedule, then built a fake meeting page to spread malware to the other participants,” the cybersecurity firm explained.
ENKI also uncovered additional fake web pages that communicate with a local server set up by the malware on the victim’s machine via JSONP (JSON with Padding) to check whether the malware is running and display an installation prompt if it isn’t. This technique has been named JSONPing. However, the exact type of malware downloaded remains unknown since the URL is currently inactive.
“Kimsuky went beyond basic malware distribution, introducing sophisticated techniques to maximize success rates, including real-time infection verification through JSONPing and building a fake page using a stolen meeting schedule,” ENKI stated.
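To make the JSONPing check concrete, the following is an added example in Python, not ENKI's code and not the malware's: a stand-in loopback listener that answers JSONP the way the page expects, the probe logic the lure page relies on, a strict JSONP parser that never evaluates the reply, and a small page-content heuristic a defender can run over saved HTML. The port, the "/ping" path, the callback name, the "status" field and the sample HTML are all assumptions made for the example.

```python
import json
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# A JSONP body is JavaScript of the form  <callback>(<json>);  A <script src=...>
# include is exempt from the same-origin policy, which is why an external page can
# talk to a listener on 127.0.0.1 this way without any CORS headers.
JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$", re.S)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")


def parse_jsonp(body, expected_callback):
    """Extract the JSON payload from a JSONP reply without evaluating it.
    Returns None unless the body is exactly expected_callback(<valid JSON>);"""
    m = JSONP_RE.match(body)
    if not m or m.group(1) != expected_callback:
        return None
    try:
        return json.loads(m.group(2))
    except json.JSONDecodeError:
        return None


class _LocalListener(BaseHTTPRequestHandler):
    """Stand-in for the implant's local server (constructed for this example;
    port, path and the 'status' field are assumptions, not ENKI's findings)."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        cb = query.get("callback", ["callback"])[0]
        if not IDENT_RE.fullmatch(cb):          # never reflect arbitrary text into JS
            self.send_response(400)
            self.end_headers()
            return
        body = ("%s(%s);" % (cb, json.dumps({"status": "running"}))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):               # keep the example quiet
        pass


def start_local_listener():
    """Bind the stand-in listener on a free loopback port and return the server."""
    srv = HTTPServer(("127.0.0.1", 0), _LocalListener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, callback="cb", timeout=1.0):
    """What the lure page's script effectively does: ask 127.0.0.1:<port> for a
    JSONP reply. A refused connection or a malformed body means 'not running'."""
    url = "http://127.0.0.1:%d/ping?callback=%s" % (port, callback)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            payload = parse_jsonp(resp.read().decode("utf-8", "replace"), callback)
    except (OSError, ValueError):
        return False
    return isinstance(payload, dict) and payload.get("status") == "running"


def page_decision(port):
    """The branch the lure page takes after the probe."""
    return "already infected: stay quiet" if probe(port) else "not infected: show install prompt"


SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.I)


def find_jsonping_probes(html):
    """Defender-side heuristic for saved page content: a <script src> that points
    at the loopback interface and carries a JSONP callback parameter."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        u = urllib.parse.urlparse(src)
        host = (u.hostname or "").lower()
        if host in ("127.0.0.1", "localhost", "::1") and "callback" in urllib.parse.parse_qs(u.query):
            hits.append(src)
    return hits


# Constructed page fragment for the heuristic above (not the real lure page).
SAMPLE_HTML = """
<script src="https://cdn.example.invalid/jquery.min.js"></script>
<script src="http://127.0.0.1:8080/ping?callback=onAgent"></script>
<script>function onAgent(s){ if (s.status !== 'running') { showInstallPrompt(); } }</script>
"""


if __name__ == "__main__":
    srv = start_local_listener()
    print(page_decision(srv.server_address[1]))
    srv.shutdown()
    srv.server_close()
    print(page_decision(srv.server_address[1]))
    print(find_jsonping_probes(SAMPLE_HTML))
```

Why JSONP rather than fetch() or XHR: a cross-origin script include needs no CORS headers, so a page on the attacker's domain can reach a listener on the victim's loopback interface whose response a fetch() would not be allowed to read. In the browser, the script tag's onerror handler or a timeout is the "not running" branch; here a refused connection plays that role. Because loopback traffic never reaches a web proxy, the host-side signal to hunt for is a user-launched process holding a listening TCP socket on 127.0.0.1 that the browser then connects to, together with the lure page itself if it can be retrieved.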
Kimsuky Evolves with HelloDoor and HttpMalice
The findings come as Kaspersky outlined the threat actor’s use of Microsoft Visual Studio Code (VS Code) tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language in its latest operations, underscoring the group’s ongoing adaptation and growth.

“Specifically, Kimsuky took advantage of legitimate VS Code tunneling mechanisms to maintain persistence and deployed the open-source DWAgent remote monitoring and management tool for post-exploitation activities,” the Russian cybersecurity firm said. “These activities impacted various sectors in South Korea, affecting both public and private organizations.”
Attack chains were found to rely on a range of droppers packaged as JSE, PIF, SCR, and EXE files to deliver two major malware families: PebbleDash and AppleSeed. While PebbleDash attacks have also been observed against defense organizations in Brazil and Germany, the AppleSeed cluster has primarily focused on government organizations.
Some of the key malware families delivered by the droppers include –
- HelloDoor, a Rust-based PebbleDash variant first discovered in August 2025 and likely developed with the help of an LLM. It supports basic functions such as setting the current directory, pausing for a specified time interval, and executing commands.
- HttpMalice, the newest backdoor variant of PebbleDash, which appeared no later than December 2025. It is capable of collecting information about the compromised system, establishing persistence, conducting reconnaissance using native Windows commands, taking screenshots, loading downloaded payloads into memory, executing commands, and exfiltrating the results.
- HttpTroy, a backdoor delivered through a loader called MemLoad, which enables file upload and download, screenshot capture, command execution, in-memory loading of executables, reverse shell access, process termination, and trace removal.
- AppleSeed, available in two variants: Dropper and Spy. The Dropper is responsible for downloading additional malware and running commands received from its C2 server. The Spy version collects sensitive data such as documents, screenshots, keystrokes, and lists of USB drives. It also harvests data from the C:\GPKI directory, mirroring a similar capability found in Troll Stealer.
- HappyDoor, an upgraded version of AppleSeed that first appeared in 2021.

Another significant tactical shift involves the misuse of the legitimate VS Code Remote Tunneling feature to establish covert remote access to the victim’s device, removing the need for traditional malware-based C2 channels. This approach has also been documented by Darktrace and Logpresso.
“Our analysis shows that the actor maintains access to the original source code of the malware clusters and the ability to modify it,” said Kaspersky researcher Sojun Ryu. “Two clusters have overlapping target sectors spanning the defense, military, government, medical, machinery, and energy industries.”
“The AppleSeed cluster is shifting its focus toward data exfiltration, and GPKI certificate extraction has become a signature capability. Meanwhile, the PebbleDash cluster demonstrates advanced remote control capabilities and a growing range of targets.”