Kimsuky Uses HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

The North Korean government-sponsored threat actor known as Kimsuky (aka Velvet Chollima) was responsible for a new set of cyber attacks targeting the South Korean military and business organizations in March and April 2026.
“Kimsuky used many tactics designed for social engineering, such as obfuscating security software installation pages and creating a fake Webex meeting page that used the official meeting system,” ENKI said in an analysis published this week.
The attack was found to deliver a variant of a known malware family called HTTPSpy by disguising it as a South Korean security software installer, a tactic the threat actor has been using since 2023.
In a campaign observed in March 2026, the adversary was found to be distributing malicious payloads through a fake web page posing as the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it is suspected that the activity may have been specifically designed to single out those who administer messaging within business environments.
The page claims to offer two security tools: a firewall and a keyboard protection program. Once unsuspecting users start the download, it triggers the retrieval of two executables – “nos-setup.exe” and “astx-setup.exe” – that impersonate nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the different names, both embed the same malicious behavior.
The main responsibility of the binaries is to load the second-stage DLL (“MemLoader.dll”) with “regsvr32.exe,” after which a batch script is run to remove them from disk. The DLL establishes persistence on the host using a scheduled task and contacts the command-and-control (C2) server to receive an as-yet-unknown payload.
“The attacker may have monitored GET requests from the malware and chose to deliver payloads to specific victims,” ENKI said.
In a campaign seen in April 2026, a fake web page impersonating Cisco Webex was allegedly used to display a pop-up message urging the victim to download and run a script to fix camera access issues. Doing so results in the retrieval of a ZIP archive containing an encoded JScript (JSE) file (“fix-camera.jse”).

Executing the JSE file launches an intermediate downloader (“mTSTCv8.mdxm”) via PowerShell, which runs anti-analysis checks and communicates with the C2 server to download the next-stage malware (“engine.dat” or “spyInster.dll”). In the final stage, the DLL drops a loader component (“cacheMon.dat”) which, in turn, executes HTTPSpy on the compromised system.
HTTPSpy is a full-featured remote access trojan that supports running shell commands, uploading and downloading files, executing processes, taking screenshots, injecting a DLL (specified by path) into a process identified by PID, and finally deleting them.
This is not the first time Kimsuky has used HTTPSpy. In its 2025 European Threat Landscape Report, CrowdStrike said the group likely targeted employees of a German security company in a phishing campaign that delivered the malware between May 2024 and at least September 2024. HTTPSpy was first used in 2022.
At the same time, the malware also downloads and opens an HTML file named “meeting.html,” which immediately redirects the victim to a Webex meeting room. Accessing the URL opens the official Webex meeting room associated with a real event scheduled for the same time.
“This indicates that an attacker could compromise a service member’s device or account to get a meeting schedule, then create a fake meeting page to spread malware to other attendees,” the cybersecurity firm said.
ENKI said it also found more fake web pages that query the malware’s local server on the victim’s machine via JSONP (JSON with Padding) to confirm whether the implant is running, and that display an installation command if it is not. The company has codenamed the technique JSONPing. However, the exact nature of the downloaded malware remains unknown, as the URL is currently defunct.
“Kimsuky went beyond spreading malware, introducing sophisticated methods to increase delivery success, including verifying the infection in real-time with JSONPing and creating a fake page using a hacked assembly routine,” ENKI said.
Kimsuky Evolves with HelloDoor and HttpMalice
This disclosure comes as Kaspersky detailed the threat actor’s use of Microsoft Visual Studio Code (VS Code), Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language in its latest campaigns, highlighting its ongoing adaptation and evolution.

“Specifically, Kimsuky used legitimate VS Code extraction methods to establish persistence and distribute the DWAgent remote monitoring and management tool for post-exploitation activities,” the Russian cybersecurity firm said. “These activities affected various sectors in South Korea, affecting public and private organizations.”
The attack chains were found to rely on a variety of droppers delivered as JSE, PIF, SCR, and EXE files to deliver two broad malware families: PebbleDash and AppleSeed. While PebbleDash attacks have also been recorded against security agencies in Brazil and Germany, the AppleSeed cluster has mostly targeted government agencies.
Some of the key malware families delivered by the downloaders are as follows:
- HelloDoor: a Rust-based PebbleDash variant first discovered in August 2025 and possibly developed with the help of an LLM. It supports basic functionality to set the current directory, sleep for a specified period of time, and execute commands.
- HttpMalice: the latest PebbleDash backdoor variant, which appeared no later than December 2025. It comes with the ability to gather information about a compromised system, set up persistence, run checks using native Windows commands, capture screenshots, load downloaded payloads into memory, execute commands, and generate debug output.
- HttpTroy: a backdoor delivered via a loader called MemLoad. It allows file upload/download, screenshot capture, command execution, in-memory loading of executables, reverse shell, process termination, and trace deletion.
- AppleSeed: comes in two variants, Dropper and Spy. The Dropper is responsible for downloading additional malware and executing commands received from its C2 server. The Spy variant collects sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. This includes harvesting data from the C:\GPKI directory, mirroring the same feature used in Troll Stealer.
- HappyDoor: an improved version of AppleSeed that first appeared in 2021.

Another notable tactical change involves the abuse of the official VS Code Remote Tunnels feature to gain remote access to the victim’s device, thereby eliminating the need for a traditional malware-based C2 channel. This technique has also been documented by Darktrace and Logpresso.
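Two of the behaviors described on this page leave recognizable traces in process-creation telemetry: the HTTPSpy installer chain (regsvr32.exe loading a DLL from a user-writable path, then scheduled-task persistence and batch-script cleanup in the same process tree) and the VS Code CLI being started in tunnel mode. The following detection logic is an added example, not code from ENKI or Kaspersky; the event fields, sample events, path heuristic and rule names are all constructed assumptions, and the correlation by process tree generalizes beyond the single installer named in the report.

```python
import ntpath
import re

# Assumed heuristics: a DLL registered from a user-writable directory is loader-like;
# the VS Code CLI run with the "tunnel" subcommand is a remote-access signal.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
DLL_ARG = re.compile(r"(\S+\.dll)", re.IGNORECASE)

# Constructed sample events (event_id, pid, ppid, image, command_line); not real telemetry.
EVENTS = [
    (1, 1001, 800, r"C:\Users\u\Downloads\nos-setup.exe", "nos-setup.exe"),
    (2, 1002, 1001, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"),
    (3, 1003, 1001, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\clean.bat"),
    (4, 1004, 1002, r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "regsvr32 /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"'),
    (5, 2001, 900, r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "code.exe tunnel --accept-server-license-terms"),
    (6, 3001, 700, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\legit.dll"),
]


def _root(pid, parent):
    """Follow ppid links up to the top-most process present in the event set."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def detect(events):
    """Return (event_id, rule_name) pairs for events matching the two patterns."""
    parent = {pid: ppid for _, pid, ppid, _, _ in events}
    alerts, bad_roots = [], set()
    # Pass 1: regsvr32 registering a DLL that lives in a user-writable directory.
    for eid, pid, _, image, cmd in events:
        dll = DLL_ARG.search(cmd)
        if ntpath.basename(image).lower() == "regsvr32.exe" and dll and USER_WRITABLE.search(dll.group(1)):
            alerts.append((eid, "regsvr32_user_writable_dll"))
            bad_roots.add(_root(pid, parent))
    # Pass 2: persistence and batch cleanup inside a flagged tree; VS Code tunnel anywhere.
    for eid, pid, _, image, cmd in events:
        name, args = ntpath.basename(image).lower(), cmd.split()
        in_chain = _root(pid, parent) in bad_roots
        if in_chain and name == "schtasks.exe" and "/create" in [a.lower() for a in args]:
            alerts.append((eid, "schtasks_in_regsvr32_chain"))
        elif in_chain and name == "cmd.exe" and any(a.lower().endswith(".bat") for a in args):
            alerts.append((eid, "batch_cleanup_in_regsvr32_chain"))
        elif name in ("code.exe", "code") and args[1:2] == ["tunnel"]:
            alerts.append((eid, "vscode_tunnel_started"))
    return alerts
```

Events 1 and 6 (the installer itself and a regsvr32 call against a System32 DLL) produce no alert, so the tree correlation is what separates the loader chain from routine DLL registration.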
“Our analysis shows that the actor maintains access to the original source code of the malware cluster and the ability to modify it,” said Kaspersky researcher Sojun Ryu. “The two clusters have overlapping target sectors that include the defense, military, government, medical, mechanical, and energy industries.”
“The AppleSeed cluster is shifting its focus to data filtering, and GPKI certificate issuance has become a signature capability. Meanwhile, the PebbleDash cluster features improved remote control capabilities and an expanded set of objectives.”