Kimsuky Deploys HTTPSpy — Fake Security Tools, VS Code Tunnels, and JSONPing Tradecraft
Kimsuky expands its arsenal with HTTPSpy via fake security software installers and Webex meeting pages, alongside new tools like HelloDoor and VS Code tunneling for persistent espionage against South Korean targets.
Summary
A fresh wave of attacks against South Korean military and corporate targets in March and April 2026 has been attributed to the North Korean state-sponsored group Kimsuky (also tracked as Velvet Chollima). ENKI and Kaspersky published detailed analyses documenting expanded tradecraft and new tooling.
The attacks deliver HTTPSpy, a full-featured remote access trojan, through two parallel social engineering campaigns. In the first, fake installation pages impersonate the security tools a South Korean B2B messaging service asks its users to install (nProtect Online Security and AhnLab Safe Transaction). The malicious installers, nos-setup.exe and astx-setup.exe, drop a second-stage DLL (MemLoader.dll) that is loaded via regsvr32.exe, establish persistence through scheduled tasks, and poll C2 servers for payloads. The operators appear to watch the recurring GET requests from infected hosts and hand out the next stage only to selected victims.
In the second, a counterfeit Cisco Webex meeting page shows a pop-up urging the visitor to run a script to fix camera access. The script is an encoded JScript file (fix-camera.jse) that runs anti-analysis checks, contacts a C2 server, and ultimately deploys HTTPSpy. The HTML page also redirects the victim to a legitimate Webex meeting, which suggests the attackers had already compromised a service member's device and lifted a real meeting schedule from it.
ENKI also documented a technique it calls JSONPing: the lure page queries a local server that the malware stands up on the victim machine, uses the reply to tell whether the implant is already running, and serves different content depending on the answer.
Kaspersky’s analysis revealed additional evolution: Kimsuky now uses Microsoft VS Code tunneling for C2 communication and persistence, the open-source DWAgent remote monitoring tool for post-exploitation, and a new Rust-based backdoor called HelloDoor. AppleSeed and PebbleDash malware families continue to be deployed against government and defense targets in South Korea, Brazil, and Germany.
HTTPSpy itself supports shell command execution, file upload/download, process execution, screenshot capture, DLL injection into arbitrary processes, and self-deletion. CrowdStrike previously reported its use against a German defense manufacturer between May and September 2024.
Why It Matters
Kimsuky's evolving tradecraft (fake security software, stolen meeting schedules, VS Code tunnels, Rust-based tooling) shows a persistent, well-resourced adversary adapting its operations to evade detection. The JSONPing check, which lets a lure page confirm in real time whether a host is already infected, reflects careful attention to operational security. For analysts tracking North Korean operations, the ENKI and Kaspersky reports supply both indicators for detection and a clear picture of the group's expanding capability set.
Defender Takeaways
- Monitor for scheduled tasks that launch DLLs via regsvr32.exe, especially on hosts that then show unusual outbound (C2) traffic.
- Deploy detection rules for encoded JScript (.jse) execution chains that fetch payloads from remote servers.
- Treat VS Code tunnel traffic from non-development systems as a suspicious C2 channel.
- Validate security software installation pages — attackers impersonating legitimate security tools are a persistent Kimsuky TTP.
- Monitor fake Webex/meeting platform lures, particularly those referencing real meeting schedules (indicates prior compromise).
- Include Kimsuky IOCs in threat intel feeds and watchlists for defense, government, and critical infrastructure sectors.
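The first three takeaways can be turned into concrete process-creation rules. The following is an added example (not code from ENKI, Kaspersky, or The Hacker News) that runs such rules over a handful of constructed Sysmon-style events: regsvr32.exe given a DLL under the Task Scheduler service host, a script host running a .jse file, and the VS Code CLI opening a tunnel on a host outside an assumed development allowlist. Hostnames, file paths, the DEV_HOSTS allowlist, and the parent-process shapes are all assumptions; only the MemLoader.dll, fix-camera.jse and regsvr32.exe names come from the page.

```python
"""Toy detection pass over constructed process-creation events.
Field names follow Sysmon Event ID 1 conventions; the events themselves,
the hostnames, the paths and the allowlist are made up for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str            # full path of the newly created process
    cmdline: str
    parent_image: str
    parent_cmdline: str


# Assumed allowlist of hosts where VS Code tunnels are legitimately used.
DEV_HOSTS = {"dev-ws-01"}


def _image_is(e: ProcEvent, *names: str) -> bool:
    img = e.image.lower()
    return any(img.endswith("\\" + n) for n in names)


def is_regsvr32_dll_from_task(e: ProcEvent) -> bool:
    """regsvr32.exe given a .dll argument, spawned by the Task Scheduler service host."""
    if not _image_is(e, "regsvr32.exe"):
        return False
    loads_dll = re.search(r"\.dll\b", e.cmdline, re.IGNORECASE) is not None
    parent = e.parent_image.lower()
    from_scheduler = parent.endswith("\\svchost.exe") and "schedule" in e.parent_cmdline.lower()
    return loads_dll and from_scheduler


def is_jse_script_host(e: ProcEvent) -> bool:
    """wscript.exe or cscript.exe executing an encoded JScript (.jse) file."""
    return _image_is(e, "wscript.exe", "cscript.exe") and \
        re.search(r"\.jse\b", e.cmdline, re.IGNORECASE) is not None


def is_vscode_tunnel_on_nondev(e: ProcEvent) -> bool:
    """VS Code CLI starting a tunnel on a host that is not an approved dev machine."""
    if not _image_is(e, "code.exe", "code-tunnel.exe"):
        return False
    return re.search(r"\btunnel\b", e.cmdline, re.IGNORECASE) is not None \
        and e.host not in DEV_HOSTS


def triage(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    rules = [
        ("regsvr32_dll_scheduled_task", is_regsvr32_dll_from_task),
        ("jse_script_execution", is_jse_script_host),
        ("vscode_tunnel_nondev_host", is_vscode_tunnel_on_nondev),
    ]
    return [(e.host, name) for e in events for name, rule in rules if rule(e)]


# Constructed sample telemetry (hostnames, paths and parent processes are illustrative).
SAMPLE_EVENTS = [
    ProcEvent("fin-pc-07", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\Public\MemLoader.dll"',
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent("fin-pc-07", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
              r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\msiexec.exe /i vendor.msi /qn"),  # installer, benign
    ProcEvent("fin-pc-07", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\fix-camera.jse"',
              r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("hr-pc-12", r"C:\Users\user\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
              "code.exe tunnel --accept-server-license-terms",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c start"),
    ProcEvent("dev-ws-01", r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
              "code.exe tunnel --name dev-ws-01",
              r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # allowlisted host
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run against the sample set, the pass flags the scheduled-task regsvr32 load, the .jse execution and the tunnel on the HR workstation, and stays quiet on the installer-driven regsvr32 call and the allowlisted developer host. In production the allowlist and the parent-process conditions are what keep the noise down; tune them to your own fleet before deploying.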
Source
Title: Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels — The Hacker News/ENKI/Kaspersky
URL: https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
Related
- Command and Control — detection and response for T1071 techniques
- Social Engineering — detection and response for T1566 techniques
- Indicators: IoC, IoA, and TTP — covers the IoC, IoA, and TTP concepts
