Kimsuky Deploys New PebbleDash Malware Variants in Global Espionage Campaign
North Korean APT group Kimsuky has expanded its arsenal with new PebbleDash-based malware variants and adopted legitimate tools like VSCode Tunneling and Cloudflare Quick Tunnels to target defense and government sectors in South Korea, Brazil, and Germany.

The North Korean advanced persistent threat group known as Kimsuky (APT43, Ruby Sleet, Black Banshee) has significantly updated its malware toolkit, deploying new variants of the PebbleDash platform alongside established AppleSeed malware in a series of ongoing espionage campaigns. According to a detailed report from Kaspersky's Securelist, the group has introduced four new PebbleDash-based malware families — HelloDoor, httpMalice, MemLoad, and httpTroy — while also continuing to use AppleSeed and HappyDoor. These attacks have primarily targeted public and private sector organizations in South Korea, with additional PebbleDash infections observed in the defense industries of Brazil and Germany.
Kimsuky achieves initial access through meticulously crafted spear-phishing emails that deliver malicious attachments disguised as legitimate documents. The droppers come in various formats including JSE, PIF, SCR, and EXE, often masquerading as product quotations, job offers, government forms, or personal photos. For triage, it helps to remember that none of these is a document: a JSE file is an encoded JScript run by the Windows Script Host, and PIF and SCR files are ordinary PE executables under a different extension, so an attachment with one of these extensions and a document or photo icon is already a strong signal. Once executed, these droppers deploy either PebbleDash or AppleSeed malware, which are considered the most technically advanced tools in the group's arsenal. The malware families have been under continuous development since at least 2019 and occasionally use stolen legitimate code-signing certificates from South Korean organizations to evade detection.
A notable tactical shift in Kimsuky's recent operations is the adoption of legitimate remote access and tunneling tools for post-exploitation activities. The group now leverages Visual Studio Code (VSCode) Remote Tunnels, authenticated with a GitHub account, to establish persistent access to compromised systems. They also employ Cloudflare Quick Tunnels and the open-source DWAgent remote monitoring and management tool. All three are freely available, signed by their vendors, and relay traffic through the vendors' own infrastructure, so the connections look like ordinary developer or IT activity; detection has to rely on host telemetry (process command lines, execution from user-writable paths, unexpected accounts) rather than on the destination alone.
For command-and-control infrastructure, Kimsuky primarily relies on domains registered through a free South Korean hosting provider. The group also occasionally compromises South Korean websites to host C2 servers and uses tunneling services like ngrok or VSCode tunnels to obscure their infrastructure. This reliance on local hosting and stolen certificates demonstrates the group's deep understanding of South Korean digital infrastructure and its ability to operate within trusted environments.
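The two preceding paragraphs describe the tunneling tools the group abuses (VSCode Remote Tunnels, Cloudflare Quick Tunnels, ngrok, DWAgent) but not how to find them. The following is an added example, not code from the Kaspersky report or from Kimsuky's tooling: a small hunt over process-creation records that flags the command-line shapes these tools need in order to expose a host. The pipe-delimited log format, host names, user names and rule names are assumptions made for this example, and the sample records are constructed.

```python
"""Hunt process-creation telemetry for abuse of legitimate tunneling tools.

Added example (not the report's code). Assumed export format, one record per
line: timestamp|host|user|image|command_line. Sample records below are
constructed for this example.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
2024-05-02T09:12:01Z|WS-DEV-07|jlee|C:\Users\jlee\AppData\Local\Programs\Microsoft VS Code\Code.exe|"Code.exe" C:\src\project
2024-05-02T09:14:44Z|WS-HR-03|kpark|C:\Users\kpark\AppData\Local\Temp\code.exe|code.exe tunnel --accept-server-license-terms --name ws-hr-03
2024-05-02T09:15:10Z|WS-HR-03|kpark|C:\Users\kpark\AppData\Local\Temp\cloudflared.exe|cloudflared.exe tunnel --url http://localhost:3389
2024-05-02T09:20:33Z|SRV-WEB-01|svc_cf|C:\Program Files\cloudflared\cloudflared.exe|cloudflared.exe tunnel run corp-ingress
2024-05-02T09:21:05Z|WS-HR-03|kpark|C:\Users\kpark\Pictures\ngrok.exe|ngrok.exe tcp 3389 --authtoken 1a2b3c
2024-05-02T09:25:50Z|WS-HR-03|SYSTEM|C:\ProgramData\dwagent\native\dwagsvc.exe|dwagsvc.exe run
"""


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image: str
    command_line: str
    user_writable_path: bool  # image lives under a user profile


# (rule name, regex on the image file name, regex on the command line).
# A named Cloudflare tunnel ("tunnel run <name>") is deliberately not matched:
# the quick-tunnel form needs "--url" and no account-level configuration.
RULES = [
    ("vscode_remote_tunnel", re.compile(r"^code(-tunnel)?(\.exe)?$", re.I),
     re.compile(r"\btunnel\b", re.I)),
    ("cloudflare_quick_tunnel", re.compile(r"^cloudflared(\.exe)?$", re.I),
     re.compile(r"\btunnel\b.*\s--url\b", re.I)),
    ("ngrok", re.compile(r"^ngrok(\.exe)?$", re.I), re.compile(r".*", re.S)),
    ("dwagent", re.compile(r"^(dwagent|dwagsvc|dwagupd)(\.exe)?$", re.I),
     re.compile(r".*", re.S)),
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse(line: str):
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "command_line"), parts))


def scan(log_text: str = SAMPLE_LOG):
    """Return one Finding per record whose image name and command line match a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line.strip())
        if rec is None:
            continue
        name = basename(rec["image"])
        for rule, image_re, cmd_re in RULES:
            if image_re.search(name) and cmd_re.search(rec["command_line"]):
                findings.append(Finding(rule, rec["host"], rec["user"], rec["image"],
                                        rec["command_line"],
                                        bool(USER_PROFILE.match(rec["image"]))))
                break
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.rule:24} {f.host} {f.user} writable_path={f.user_writable_path} :: {f.command_line}")
```

Run against the constructed sample, the developer opening a project in VS Code and the service-account named Cloudflare tunnel on the web server are left alone, while the four records on WS-HR-03 are returned, three of them executed from a user profile. Matching on the image name is the weak point: a renamed binary evades it, so in production pair this with the PE original file name (Sysmon's OriginalFileName) or a hash allowlist, and add network telemetry for the vendors' relay domains (`*.trycloudflare.com` for quick tunnels, `*.devtunnels.ms` for VSCode tunnels).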
The PebbleDash cluster has shown a particular focus on the medical, military, and defense sectors globally. Over the past several years, Kimsuky has compromised defense organizations in Brazil and South Korea, as well as a German defense firm. In contrast, the AppleSeed cluster more frequently targets government organizations. In 2024, South Korean authorities issued a security advisory specifically about AppleSeed after discovering it was distributed by replacing a legitimate security software installer required to access a construction company's website.
Kimsuky has been active for over a decade, first identified by Kaspersky in 2013. While historically considered less technically proficient than other Korean-speaking APT groups like Lazarus, the group has demonstrated consistent evolution in its capabilities. The adoption of the Rust programming language for some malware components and the integration of large language models (LLMs) into their operations represent significant advancements. The group's arsenal now includes proprietary malware such as PebbleDash, BabyShark, AppleSeed, and RandomQuery, as well as open-source RATs like xRAT, XenoRAT, and TutRAT.
The ongoing development of PebbleDash and AppleSeed variants, combined with the adoption of legitimate tunneling tools and the expansion of targeting beyond South Korea, indicates that Kimsuky remains a persistent and adaptive threat. Organizations in the defense, government, and medical sectors, particularly those with ties to South Korea, should remain vigilant against spear-phishing campaigns, treat script and executable attachments (JSE, PIF, SCR, EXE) with document-style icons as hostile, and monitor for VSCode tunnels, cloudflared, ngrok, or DWAgent being launched from user-writable paths or by accounts that have no business running them, since that pattern is what post-exploitation activity now looks like.