"Kimsuky has continuously introduced new malware variants based on the PebbleDash platform," the report states — and the group’s tooling now reaches beyond bespoke backdoors into legitimate developer and remote-management services.
Initial access: spear-phishing, messengers, and diverse droppers
The campaign described in the report begins with carefully crafted spear-phishing and occasional messenger contact that deliver malicious attachments disguised as routine documents — product quotations, job offers, government forms and the like. The actor uses a wide range of droppers (.JSE, .EXE, .PIF, .SCR) that embed both benign lure files and one or more malicious payload blobs. Example lures include filenames such as a PIPA enforcement-form .hwp.jse detected August 28, 2025, and an H1 2026 graduate-program document .hwpx.jse detected December 14, 2025. Droppers decode embedded Base64 blobs, write files under locations such as C:\ProgramData or %temp%, and execute payloads via certutil, regsvr32, or rundll32.
PebbleDash evolution: HelloDoor and httpMalice in detail
The report documents multiple PebbleDash-based families. HelloDoor, a Rust-based DLL backdoor first identified in August 2025, shows the group experimenting with new languages and tunneling services: HelloDoor uses Cloudflare’s TryCloudflare temporary tunnels and registers itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a regsvr32 autorun. It binds to local port 5555 when elevated, 5554 otherwise, and contacts a C2 at hxxp://female-disorder-beta-metropolitan.trycloudflare[.]com/index.php using a PebbleDash-style query format and RC4 decryption.
httpMalice — the latest HTTP-based PebbleDash backdoor — appeared no later than December 2025. Two tracked variants include a Dropbox-based 1.8 and an HTTP/HTTPS 1.9 that implements persistent access via a Windows service named CacheDB when running elevated, or via HKCU Run autostart when not. httpMalice profiles hosts (including volume serial and privilege level), encrypts results with ChaCha20, and supports modes for profiling, command retrieval, screenshot capture and directory exfiltration. The malware intentionally runs commands under the EUC-KR code page (chcp 949), signaling a focus on Korean-targeted environments.
Loader and payload chain: MemLoad fetching httpTroy
MemLoad acts as an intermediary loader: it performs anti-VM and reconnaissance checks, creates a random-file-based ID (A- vs U- prefix depending on ability to write to C:\Windows\system32), persists via scheduled tasks (ChromeCheck or EdgeCheck), and requests an additional payload authenticated by headers such as Authorization: Bearer {{ID}}. The downloaded payload — decrypted with an RC4 key hard-coded in MemLoad — is reflectively loaded and identified as httpTroy, the longer-term backdoor used for sustained access and data exfiltration. The report notes that httpTroy communicates with hxxps://file.bigcloud.n-e[.]kr/index.php.
Abusing legitimate services: VSCode Remote Tunnels and DWAgent
Rather than rely solely on traditional malware C2 channels, the actor also uses legitimate remote-access services to persist and move laterally. The group’s JSE droppers install the Visual Studio Code CLI and automate the Remote Tunneling flow (using the tunnel name “bizeugene”), leveraging GitHub authentication in non-interactive contexts. The dropper captures the printed tunneling URL (hxxps://vscode[.]dev/tunnel/…) and posts it to a compromised South Korean website (hxxps://www.yespp.co[.]kr/common/include/code/out.php), enabling the attacker to access the host through a browser with their own GitHub account.
Kimsuky also deployed DWAgent — a pre-packaged remote administration agent — by installing a configured agent as a service (dwagsvc.exe) and embedding a config.json that points to legitimate DWAgent relay servers (for example node896147.dwservice[.]net) with a predefined key. The report describes at least two delivery patterns: DWAgent pushed from an httpMalice-infected host and a standalone installer that decrypts and extracts a bundled DWAgent package before activating the agent under the attacker’s account.
Infrastructure, victims, and attribution
The actor relies heavily on a free South Korean domain-hosting service (내도메인[.]한국) to create subdomains such as .p-e.kr, .o-r.kr, .n-e.kr and others for C2 hosting; many of these resolve to virtual private servers under InterServer. The report lists specific C2 domains tied to different families — for example opedromos1.r-e[.]kr and morames.r-e[.]kr for AppleSeed, several .o-r[.]kr hosts for MemLoad, and file.bigcloud.n-e[.]kr for httpTroy. Victim artifacts recovered from a Dropbox C2 included folders with user.txt entries noting compromises and the presence of “http” backdoors and DWService instances, primarily in South Korea and, for PebbleDash, in Brazil and Germany. Based on shared delivery methods, stolen certificate reuse, and mutex patterns, the report assesses with medium-high confidence that the PebbleDash and AppleSeed clusters are controlled by the same Kimsuky-linked actor.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams should monitor for non-traditional tunneling channels — VSCode Remote Tunnels and Cloudflare quick tunnels — and for signs of DWAgent registered with attacker-supplied configs; the report highlights concrete C2 domains and file hashes that defenders can add to detection telemetry.
- Policymakers and CERTs in South Korea will want to note the actor’s repeated use of free domestic domain services and compromised local sites as C2, since those choices complicate network-based IoC approaches and tie the campaign to national-sector targets.
- Procurement and IT leaders in defense, government and medical sectors should be aware that the PebbleDash cluster is focused on defense-sector targets worldwide while AppleSeed shows particular interest in government entities and in extracting GPKI certificate material.
Kimsuky’s campaign blends old-school social engineering with an expanding portfolio: Rust experiments, AI-crafted code comments, tunneling through commercial developer services, and turnkey remote-agent installs. The record in this report is concrete — file hashes, C2 domains, persistence mechanisms and delivery patterns — and it points to an actor adapting tools and tactics to keep access covert and durable.




