Skip to main content
Emerging ThreatsMalware & Ransomware

Kimsuky Expands Malware Arsenal with HTTPSpy, HelloDoor

Laptop screen on cluttered office desk with subtle hint of fake installation page.

"Kimsuky went beyond simple malware distribution, introducing sophisticated mechanisms to maximize delivery success, including real-time infection verification via JSONPing and crafting a fake page using a stolen meeting schedule," ENKI said.

ENKI: spoofed installers and a fake Webex lure (March–April 2026)

ENKI's analysis, published this week, attributes a new series of intrusions through March and April 2026 to the North Korean state‑sponsored actor known as Kimsuky (aka Velvet Chollima). The campaigns used highly tailored social engineering: bogus installation pages that impersonated South Korean security software and a counterfeit Cisco Webex page that played off an actual meeting schedule.

In March 2026, victims were shown a fake installation page for a South Korean B2B messaging service that offered two "security tools" — a firewall and a keyboard security program. Downloads from that page produced executables named "nos-setup.exe" and "astx-setup.exe," which masqueraded as nProtect Online Security and AhnLab Safe Transaction (ASTx). Both binaries performed the same malicious actions: launching a second‑stage DLL ("MemLoader.dll") via "regsvr32.exe," running a batch script to delete the dropper, establishing persistence with a scheduled task, and contacting a command‑and‑control (C2) server to retrieve an unknown payload.

In April 2026, a fake Webex page displayed a pop‑up urging a user to download a script to fix camera access. That action retrieved a ZIP containing an encrypted JavaScript file ("fix-camera.jse"). Execution of that JSE led to an intermediate PowerShell downloader ("mTSTCv8.mdxm"), which ran anti‑analysis checks and fetched a next‑stage payload such as "engine.dat" or "spyInster.dll." The final stage dropped a loader ("cacheMon.dat") that executed HTTPSpy on the endpoint; the chain also opened an HTML file named "meeting.html" that redirected victims to a legitimate Webex meeting room associated with an actual scheduled event.

HTTPSpy: features and reuse across campaigns

ENKI describes HTTPSpy as a full‑featured remote access trojan (RAT) with capabilities to run shell commands, upload and download files, execute processes, capture screenshots, inject DLL paths into processes, and erase itself from the endpoint. ENKI observed the actor selectively delivering payloads by monitoring recurring GET requests from the malware to decide when to provide the next stage.

This is not Kimsuky's first use of HTTPSpy. CrowdStrike reported earlier deployments between May and September 2024 against a German defense manufacturer in its 2025 European Threat Landscape Report, and ENKI notes HTTPSpy's first use dates to 2022. In the April Webex‑style campaign, the attacker likely compromised a service member's device or account to obtain meeting schedules, then used that schedule to craft a convincing fake meeting page for distribution.

Kaspersky: VS Code tunneling, DWAgent, and new PebbleDash/AppleSeed variants

Kaspersky reported parallel findings that expand the toolset Kimsuky is employing. The actor has abused legitimate Microsoft Visual Studio Code (VS Code) Remote Tunneling, Cloudflare Quick Tunnels, and distributed the open‑source DWAgent remote monitoring and management tool to support post‑exploitation activities. Kaspersky said these tactics affected public and private entities in South Korea and impacted multiple sectors.

Kaspersky highlighted that the actor used VS Code tunneling as a persistence mechanism and a covert remote access channel, in some cases eliminating the need for traditional malware‑based C2 channels — a tactic also noted by Darktrace and Logpresso. Kaspersky researcher Sojun Ryu said, "Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it." Ryu added that two clusters shared overlapping targets across defense, military, government, medical, machinery, and energy sectors.

PebbleDash, AppleSeed and newly observed families: HelloDoor, HttpMalice, HttpTroy

  • HelloDoor — a Rust‑based PebbleDash variant first identified in August 2025 and likely developed using an LLM; it supports basic directory setting, sleeps, and command execution.
  • HttpMalice — a PebbleDash backdoor that emerged no later than December 2025; it can gather system information, set persistence, run native reconnaissance, capture screenshots, load payloads into memory, run commands, and exfiltrate output.
  • HttpTroy — a backdoor delivered via a loader named MemLoad; it supports file upload/download, screenshots, command execution, in‑memory execution, reverse shells, process termination, and trace removal.
  • AppleSeed — delivered in Dropper and Spy variants. The Dropper fetches additional malware and executes C2 instructions; the Spy harvests documents, screenshots, keystrokes, USB lists and extracts data from C:\GPKI, mirroring a capability seen in Troll Stealer. "HappyDoor" is an advanced AppleSeed variant that first surfaced in 2021.

What this means for South Korean military and corporate entities, messaging administrators, and security teams

South Korean military and corporate entities: ENKI and Kaspersky both tie recent activity directly to campaigns against South Korean targets in March and April 2026, including public and private organizations. These organizations should expect threat activity that blends credential and schedule compromise with tailored lures mimicking native security tools and collaboration software.

Messaging administrators and meeting participants: The March lure appears designed to single out messaging administrators by imitating a B2B messaging service's security installers, while the Webex lure used a real meeting schedule to reach attendees. Administrators who manage messaging platforms and meeting schedules are therefore a direct operational target in these campaigns.

Security teams and technologists: Defenders must contend with both classic malware delivery (HTTPSpy, AppleSeed, PebbleDash families) and abuse of legitimate services (VS Code tunneling, Cloudflare Quick Tunnels, DWAgent). ENKI's description of JSONPing — local JSONP queries from fake pages to verify malware execution — is an example of a delivery amplification technique defenders will need to track alongside tunneling‑based persistence.

Kimsuky has broadened both tools and tactics: HTTPSpy remains part of the repertoire even as new Rust variants and tunneling techniques arrive. The concrete questions left by these reports are operational: how widely were meeting schedules and accounts compromised to enable the Webex lure, and how effectively can defenders detect actors using legitimate development and tunneling services as covert access channels?

Original reporting