Kimsuky APT Group Targets South Korea with Advanced Social Engineering and HTTPSpy Malware
The North Korean state-sponsored threat actor **Kimsuky** is actively targeting South Korean entities with sophisticated social engineering tactics, deploying the **HTTPSpy** malware variant. These attacks leverage fake web pages impersonating security software installers and **Cisco Webex** meeting invitations to compromise systems and steal sensitive information.

**Kimsuky** (aka Velvet Chollima), a North Korean state-sponsored threat actor, has been linked to a new wave of cyberattacks targeting South Korean military and corporate organizations throughout March and April 2026.
According to **ENKI**, "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule."
## HTTPSpy Deployment via Fake Installers
The attacks involve delivering a variant of the **HTTPSpy** malware family, disguised as installers for South Korean security software. This tactic has been consistently used by the threat actor since 2023.
In the March 2026 campaign, malicious payloads were distributed through a bogus webpage impersonating the security software installation page of a South Korean B2B messaging service. This suggests a targeted approach aimed at messaging administrators within corporate environments.
The fake page offers two security tools: a firewall and a keyboard security program. Unsuspecting users who initiate the download receive either "nos-setup.exe" or "astx-setup.exe," masquerading as **nProtect Online Security** and **AhnLab Safe Transaction (ASTx)**, respectively. Despite the different names, the malicious behavior remains the same.
These binaries launch a second-stage DLL payload ("MemLoader.dll") via "regsvr32.exe," followed by a batch script to delete themselves from the disk. The DLL establishes persistence using a scheduled task and communicates with a command-and-control (C2) server to retrieve an unknown payload.
ENKI notes, "The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims."
## Webex Spoofing for Malware Delivery
In a separate campaign in April 2026, a counterfeit **Cisco Webex** page was used to display a pop-up message urging users to download and run a script to fix camera access issues. This leads to the retrieval of a ZIP archive containing an encrypted JavaScript (JSE) file ("fix-camera.jse").

The JSE file executes an intermediate downloader ("mTSTCv8.mdxm") using **PowerShell**, which performs anti-analysis checks and contacts a C2 server to fetch the next-stage malware ("engine.dat" or "spyInster.dll"). The final stage involves a DLL dropping a loader component ("cacheMon.dat") that executes **HTTPSpy** on the compromised system.
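The two execution chains described above (installer spawning regsvr32.exe to register a DLL and then deleting itself; a JSE script host spawning PowerShell) can be expressed as simple process-creation detections. The following is an added example, not code from ENKI or the article; the events are constructed, loosely shaped like Sysmon Event ID 1 fields, and the rule names and path heuristics are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # full path of the created process
    cmdline: str  # command line of the created process

# Constructed sample events (not real telemetry), shaped like the two chains
# the article describes: installer -> regsvr32 DLL -> self-delete, and
# JSE -> PowerShell downloader. The last event is a benign regsvr32 call.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Users\u\Downloads\astx-setup.exe", "astx-setup.exe"),
    ProcEvent("astx-setup.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"),
    ProcEvent("astx-setup.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /f "C:\Users\u\Downloads\astx-setup.exe"'),
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\Downloads\fix-camera.jse"),
    ProcEvent("wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -c <downloader>"),
    ProcEvent("svchost.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"),
]

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumed allow-list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_PATH = re.compile(r'([a-z]:\\[^"]+?\.dll)')

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (rule, event_index) pairs for events matching the chains."""
    hits = []
    for i, ev in enumerate(events):
        img, cmd = basename(ev.image), ev.cmdline.lower()
        if img == "regsvr32.exe":
            m = DLL_PATH.search(cmd)
            # regsvr32 registering a DLL that lives outside trusted directories
            if m and not m.group(1).startswith(TRUSTED_PREFIXES):
                hits.append(("regsvr32_user_dll", i))
        elif img == "powershell.exe" and ev.parent.lower() in SCRIPT_HOSTS:
            # script host (JSE/JS/VBS) spawning PowerShell
            hits.append(("script_host_spawns_powershell", i))
        elif img == "cmd.exe" and " del " in cmd and ev.parent.lower() in cmd:
            # cmd.exe deleting its own parent binary: dropper self-removal
            hits.append(("self_delete_parent", i))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the regsvr32, self-delete and PowerShell events while leaving the benign Program Files registration alone; in practice the allow-list and rule set would be tuned to the environment.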
HTTPSpy is a full-featured remote access trojan (RAT) capable of running shell commands, uploading and downloading files, executing processes, capturing screenshots, injecting a DLL by path into a process specified by PID, and removing itself from the endpoint.
**CrowdStrike** reported in its 2025 European Threat Landscape Report that Kimsuky likely targeted employees of a German defense manufacturer via a credential phishing campaign deploying **HTTPSpy** between May 2024 and at least September 2024. The first use of HTTPSpy dates back to 2022.
Simultaneously, the malware drops and opens an HTML file named "meeting.html," which redirects the victim to a legitimate Webex meeting room associated with an actual scheduled event that took place around the same time. "This indicates that the attacker likely compromised a service member's device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees," said the cybersecurity company.
ENKI also discovered fake webpages that query a local server set up by the malware on the victim's machine via JSONP (JSON with Padding) to verify malware execution status and display an installation prompt if it's not running. This technique is called JSONPing. The exact nature of the downloaded malware is unknown, as the URL is currently inactive. "Kimsuky went beyond simple malware distribution, introducing sophisticated mechanisms to maximize delivery success, including real-time infection verification via JSONPing and crafting a fake page using a stolen meeting schedule," ENKI said.
## Kimsuky's Evolving Arsenal: HelloDoor and HttpMalice
**Kaspersky** detailed the threat actor's use of **Microsoft Visual Studio Code (VS Code)** tunneling, **Cloudflare** Quick Tunnels, **DWAgent**, large language models (LLMs), and the **Rust** programming language, highlighting its continued adaptation. Kimsuky leverages legitimate VS Code tunneling mechanisms to establish persistence and distributes the open-source DWAgent remote monitoring and management tool for post-exploitation activities. These activities affected various sectors in South Korea, impacting both public and private entities.

Attack chains rely on droppers delivered as JSE, PIF, SCR, and EXE files to deploy two broad malware families: **PebbleDash** and **AppleSeed**. While PebbleDash attacks have also been recorded against defense organizations in Brazil and Germany, the AppleSeed cluster has mainly targeted government organizations.
Key malware families delivered by the droppers include:
* **HelloDoor**: A Rust-based PebbleDash variant first identified in August 2025, likely developed using an LLM, supporting basic functionality to set the current directory, sleep for a specific time interval, and run commands.
* **HttpMalice**: The latest PebbleDash backdoor variant, which emerged no later than December 2025, capable of gathering system information, setting up persistence, performing reconnaissance using native Windows commands, capturing screenshots, loading payloads into memory, running commands, and exfiltrating the execution output.
* **HttpTroy**: A backdoor delivered via a loader named MemLoad, allowing file upload/download, screenshot capture, command execution, in-memory loading of executables, reverse shell, process termination, and trace removal.
* **AppleSeed**: Comes in two variants: Dropper and Spy. The Dropper downloads additional malware and executes commands from its C2 server. The Spy version gathers sensitive information like documents, screenshots, keystrokes, and lists of USB drives, including harvesting data from the C:\GPKI directory, similar to **Troll Stealer**.