Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
North Korean threat actor Kimsuky targeted South Korean military and corporate entities with new malware HTTPSpy and expanded its toolkit with Rust-based HelloDoor and VS Code tunneling.

The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. The campaign, detailed by cybersecurity firms ENKI and Kaspersky, demonstrates the group's continued evolution in social engineering and malware deployment.
"Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule," ENKI said in an analysis published this week. The attacks delivered a variant of the known malware family HTTPSpy by disguising it as installers for South Korean security software, a tactic the threat actor has consistently adopted since 2023.
In the March 2026 campaign, the adversary propagated malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service. The page offered two security tools—a firewall and a keyboard security program—but downloading either executable ("nos-setup.exe" or "astx-setup.exe") launched a second-stage DLL payload ("MemLoader.dll") via "regsvr32.exe." The DLL established persistence using a scheduled task and contacted a command-and-control (C2) server to retrieve an unknown payload. "The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims," ENKI noted.
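The delivery chain described above (a fake installer, a DLL loaded through regsvr32.exe from a user-writable path, then scheduled-task persistence) lends itself to a simple per-host correlation rule. The following is an added detection example, not code from ENKI or Kaspersky; the Sysmon-style process-creation events are constructed, and the scheduled-task command line is an assumption since the report does not give it.

```python
# Added example: flag regsvr32.exe registering a DLL from a user-writable
# directory, then alert if the same host creates a scheduled task afterwards.
# Event tuples are constructed samples: (host, event_id, image, command_line).
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    ("WS-01", 1, r"C:\Users\jdoe\Downloads\nos-setup.exe", r"nos-setup.exe"),
    ("WS-01", 1, r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Temp\MemLoader.dll"'),
    # Task command line is an assumption, not taken from the report.
    ("WS-01", 1, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc minute /mo 10 /tn "Update" '
     r'/tr "regsvr32 /s C:\Users\jdoe\AppData\Local\Temp\MemLoader.dll"'),
    # Benign: vendor DLL registered from Program Files should not alert.
    ("WS-02", 1, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"),
]

# Paths a standard user can write to; a DLL loaded from here is suspicious.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\|\\Temp\\")
DLL_ARG = re.compile(r'(?i)"?([A-Z]:\\[^"]+?\.dll)"?')


def regsvr32_user_dll(image, cmdline):
    """Return the DLL path if regsvr32 loads it from a user-writable dir, else None."""
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    m = DLL_ARG.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        return m.group(1)
    return None


def schtasks_create(image, cmdline):
    """True for a schtasks.exe invocation that creates a task."""
    return image.lower().endswith("\\schtasks.exe") and "/create" in cmdline.lower()


def detect(events):
    """Per host: suspicious regsvr32 load followed by task creation -> alert."""
    seen_dll = defaultdict(dict)
    alerts = []
    for host, _eid, image, cmdline in events:
        dll = regsvr32_user_dll(image, cmdline)
        if dll:
            seen_dll[host]["dll"] = dll
        if schtasks_create(image, cmdline) and "dll" in seen_dll[host]:
            alerts.append((host, seen_dll[host]["dll"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields one alert for WS-01 naming MemLoader.dll and nothing for the vendor DLL on WS-02.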
In April 2026, a counterfeit Webex meeting page displayed a pop-up urging victims to download and run a script to fix camera access issues. This led to the deployment of an intermediate downloader using PowerShell, which eventually dropped HTTPSpy—a full-featured remote access trojan capable of running shell commands, uploading/downloading files, executing processes, capturing screenshots, and injecting DLL paths into specified processes. The malware also dropped an HTML file redirecting victims to a legitimate Webex meeting room, indicating the attacker likely compromised a service member's device to obtain the meeting schedule.
ENKI also discovered additional fake web pages that used a technique called JSONPing to query a local server set up by the malware on the victim's machine, verifying malware execution status and displaying an installation prompt if it wasn't running. This real-time infection verification mechanism highlights Kimsuky's sophisticated approach to maximizing delivery success.
Kaspersky's analysis further revealed Kimsuky's use of Microsoft Visual Studio Code (VS Code) tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language in its latest campaigns. The group deployed droppers written in JSE, PIF, SCR, and EXE to deliver two broad malware families: PebbleDash and AppleSeed. Key malware variants include HelloDoor, a Rust-based PebbleDash variant first identified in August 2025 and likely developed using an LLM, and HttpMalice, the latest backdoor variant of PebbleDash that emerged no later than December 2025.
This is not the first time Kimsuky has deployed HTTPSpy. In its 2025 European Threat Landscape Report, CrowdStrike said the hacking group likely targeted a German defense manufacturer's employees via a credential phishing campaign deploying the malware between May 2024 and at least September 2024. The first use of HTTPSpy dates back to 2022. The ongoing evolution of Kimsuky's arsenal—from social engineering to advanced tunneling and AI-assisted development—underscores the persistent threat posed by North Korean cyber espionage operations against South Korean and international targets.