North Korean state-sponsored cyber threat actor Kimsuky, also known as Velvet Chollima, has been linked to a fresh wave of cyberattacks targeting South Korean military and corporate entities during March and April 2026. According to cybersecurity firm ENKI, the threat group adopted carefully designed social engineering tactics, including spoofed security software installation portals and counterfeit Cisco Webex meeting pages, to distribute malware. Researchers found that the campaigns delivered an updated version of the HTTPSpy malware family, a remote access trojan Kimsuky has consistently used since 2023 by disguising malicious files as trusted South Korean security software installers.
In one campaign observed in March 2026, Kimsuky reportedly created a fraudulent webpage imitating the software installation page of a South Korean business-to-business messaging platform. Researchers believe the operation may have specifically targeted corporate messaging administrators, given the nature of the lure. Victims visiting the page were presented with downloads for what appeared to be security applications, including a firewall and keyboard protection software. The downloaded files were executables disguised as nProtect Online Security and AhnLab Safe Transaction installers, named “nos-setup.exe” and “astx-setup.exe.” Despite the different filenames, researchers said both files performed the same malicious functions. Once launched, the binaries loaded a second-stage DLL payload named “MemLoader.dll” through “regsvr32.exe,” followed by a batch script that erased traces of the installer from the infected machine. The malware then established persistence through scheduled tasks and communicated with a command-and-control server to retrieve additional payloads, with ENKI noting that the attackers likely monitored victim communications and selectively delivered malware to intended targets.
Another campaign identified in April 2026 involved a fake Webex webpage designed to exploit access to legitimate meeting schedules. Victims were shown a message claiming that camera-related issues required a script download to restore functionality. Running the contents of the downloaded ZIP archive launched an encoded JavaScript file called “fix-camera.jse,” which used PowerShell to retrieve an intermediate downloader, followed by anti-analysis checks and contact with a remote server for further payloads. The attack eventually deployed HTTPSpy through multiple malware stages, enabling capabilities such as shell command execution, file transfers, screenshot capture, DLL injection, and self-deletion from compromised systems. Researchers said the malware simultaneously opened an HTML file that redirected users to a legitimate Webex meeting associated with an actual scheduled event, suggesting the attackers may have compromised an attendee’s account or device to obtain meeting information and lure participants into executing the malware. ENKI also identified a technique known as JSONPing, in which counterfeit web pages communicate with malware running on a victim’s device through a local server to verify infection status and prompt software installation if the malicious code has not yet executed.
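The two infection chains above share process-lineage signals a defender can look for: an installer handing a DLL to regsvr32.exe, a scheduled task being created by a binary that runs from a user-writable directory, and a script host launching PowerShell after running a .jse file. The Python script below is an added example, not ENKI's or the article's code. It runs three such rules over a constructed, simplified Sysmon-style process-creation feed; the event format, field names, host names and directory paths are assumptions, and only the filenames come from the report.

```python
"""Process-lineage checks for the installer-lure and Webex-lure chains.

Added example, not ENKI's or the article's code. Events use a constructed,
simplified Sysmon-style process-creation record; real telemetry will differ.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Directories an interactive user can write to. A DLL registered from here,
# or a scheduled task created by a binary living here, is worth a look;
# the same actions from System32 or Program Files usually are not.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\(?:downloads|appdata)|c:\\programdata|c:\\windows\\temp)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:jse|js|vbs|vbe|wsf)\b", re.IGNORECASE)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the new process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> list[ProcEvent]:
    """Parse 'pid=..|ppid=..|image=..|cmd=..' records (constructed format)."""
    events = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
        events.append(ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                                fields["image"], fields["cmd"]))
    return events


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) pairs; pid is the process that tripped the rule."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int]] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.parent_pid)

        # Rule 1: regsvr32 registering a DLL that lives in a user-writable path
        # (the report: installers loading MemLoader.dll via regsvr32.exe).
        if name == "regsvr32.exe":
            for m in DLL_ARG.finditer(e.command_line):
                if USER_WRITABLE.search(m.group(1) or m.group(2)):
                    findings.append(("regsvr32_user_writable_dll", e.pid))
                    break

        # Rule 2: schtasks /create issued by a parent running from a
        # user-writable directory (the persistence step in the installer chain).
        if name == "schtasks.exe" and "/create" in e.command_line.lower():
            if parent is not None and USER_WRITABLE.search(parent.image):
                findings.append(("schtasks_create_from_user_writable_parent", e.pid))

        # Rule 3: PowerShell spawned by a script host that ran a .jse/.js/.vbs
        # file (the Webex lure: fix-camera.jse pulling a downloader via PowerShell).
        if name in {"powershell.exe", "pwsh.exe"} and parent is not None:
            if basename(parent.image) in SCRIPT_HOSTS and SCRIPT_EXT.search(parent.command_line):
                findings.append(("script_host_to_powershell", e.pid))
    return findings


# Constructed sample feed: a benign baseline process, the installer chain from
# the March campaign, the script chain from the April campaign, and a benign
# regsvr32 call from System32 that must not fire.
SAMPLE_EVENTS = [
    "pid=100|ppid=1|image=C:\\Windows\\explorer.exe|cmd=explorer.exe",
    "pid=200|ppid=100|image=C:\\Users\\alice\\Downloads\\nos-setup.exe|cmd=nos-setup.exe",
    "pid=201|ppid=200|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmd=regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\MemLoader.dll",
    "pid=202|ppid=200|image=C:\\Windows\\System32\\schtasks.exe"
    "|cmd=schtasks.exe /create /tn Updater /sc minute /tr C:\\ProgramData\\svc.exe",
    "pid=300|ppid=100|image=C:\\Windows\\System32\\wscript.exe"
    "|cmd=wscript.exe C:\\Users\\alice\\Downloads\\fix-camera.jse",
    "pid=301|ppid=300|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -NoProfile -Command ...",
    "pid=400|ppid=100|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmd=regsvr32.exe /s C:\\Windows\\System32\\legit.dll",
]

if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

Each rule keys on the relationship between parent and child rather than on a filename, so renaming the installer or the DLL does not defeat it; the trade-off is that software legitimately installed from Downloads will also trip rule 1 and rule 2, so the findings are triage leads to be reviewed against known installers rather than verdicts.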
Separately, cybersecurity company Kaspersky reported that Kimsuky has expanded its toolkit by incorporating legitimate remote access services, including Microsoft Visual Studio Code remote tunneling, Cloudflare Quick Tunnels, and DWAgent, to maintain access after compromising systems. Researchers said the group increasingly uses droppers delivered in file formats such as JSE, PIF, SCR, and EXE to deploy malware families including PebbleDash and AppleSeed across sectors such as defense, government, healthcare, machinery, and energy. Among the newly observed malware is HelloDoor, a Rust-based PebbleDash variant believed to have been developed with assistance from large language models, supporting command execution and system control features. Another strain, HttpMalice, provides reconnaissance, persistence, screenshot capture, payload loading, and data exfiltration capabilities. Kaspersky also noted Kimsuky’s growing use of legitimate VS Code remote tunneling to create covert remote access channels, reducing its dependence on traditional command-and-control infrastructure while it continues to expand cyber operations against public and private entities in South Korea and beyond.
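Because the remote-access services Kaspersky describes are legitimate products, their abuse does not look like malware traffic; the practical check is to watch DNS and process telemetry for the tunnelling endpoints and CLI invocations those services use and to compare hits against the hosts that are allowed to use them. The Python script below is an added example, not Kaspersky's or the article's code. The domain suffixes, binary names and the "tunnel" subcommand are assumptions drawn from the vendors' public documentation and should be confirmed against current documentation before use; the log formats, host names and all sample lines are constructed.

```python
"""Flag use of the remote-access services named in the Kaspersky report.

Added example, not Kaspersky's or the article's code. Domain suffixes and
binary names are assumptions taken from the vendors' public docs; the log
formats and all sample lines are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed service endpoints. These services have legitimate users (developers,
# IT support), so a hit is a triage lead to be checked against an allow-list,
# not a verdict.
TUNNEL_DOMAIN_SUFFIXES = {
    ".devtunnels.ms": "vscode-remote-tunnel",                 # assumed
    ".tunnels.api.visualstudio.com": "vscode-remote-tunnel",  # assumed
    ".trycloudflare.com": "cloudflare-quick-tunnel",          # assumed
    ".dwservice.net": "dwagent",                              # assumed
}
# Assumed CLI binaries; both are started with a literal "tunnel" subcommand.
TUNNEL_BINARIES = {
    "cloudflared.exe": "cloudflare-quick-tunnel",
    "code.exe": "vscode-remote-tunnel",
}


@dataclass(frozen=True)
class Finding:
    source: str     # "dns" or "process"
    host: str
    service: str
    detail: str


def match_domain(qname: str) -> Optional[str]:
    """Map a queried name to a tunnel service, or None if it is not one."""
    name = qname.lower().rstrip(".")
    for suffix, service in TUNNEL_DOMAIN_SUFFIXES.items():
        if name.endswith(suffix):
            return service
    return None


def scan_dns(lines: Iterable[str], allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """lines are 'host<TAB>qname' records (constructed format)."""
    out: list[Finding] = []
    for line in lines:
        host, qname = line.rstrip("\n").split("\t")
        service = match_domain(qname)
        if service and host.lower() not in allowlist:
            out.append(Finding("dns", host, service, qname))
    return out


def scan_processes(lines: Iterable[str], allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """lines are 'host<TAB>image<TAB>command line' records (constructed format)."""
    out: list[Finding] = []
    for line in lines:
        host, image, cmd = line.rstrip("\n").split("\t")
        binary = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        service = TUNNEL_BINARIES.get(binary)
        # Only the tunnel subcommand matters; "code.exe" opening an editor does not.
        if service and "tunnel" in cmd.lower().split() and host.lower() not in allowlist:
            out.append(Finding("process", host, service, cmd))
    return out


# Constructed samples: two finance/HR workstations that should never tunnel,
# and one engineering build host that is allow-listed for Cloudflare tunnels.
SAMPLE_DNS = [
    "WS-FIN-07\tabc-def-123.devtunnels.ms",
    "WS-FIN-07\twww.example.com",
    "DEV-BUILD-01\tshort-random-words.trycloudflare.com",
    "HR-LAPTOP-3\tagent.dwservice.net",
]
SAMPLE_PROCS = [
    "WS-FIN-07\tC:\\Users\\bob\\AppData\\Local\\Temp\\cloudflared.exe"
    "\tcloudflared.exe tunnel --url http://127.0.0.1:8080",
    "WS-FIN-07\tC:\\Program Files\\Microsoft VS Code\\code.exe\tcode.exe --version",
    "HR-LAPTOP-3\tC:\\Users\\carol\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe"
    "\tcode.exe tunnel",
]
ENGINEERING_HOSTS = frozenset({"dev-build-01"})

if __name__ == "__main__":
    for f in scan_dns(SAMPLE_DNS, ENGINEERING_HOSTS) + scan_processes(SAMPLE_PROCS, ENGINEERING_HOSTS):
        print(f"{f.source}: {f.host} -> {f.service} ({f.detail})")
```

The DNS check catches the tunnel regardless of which binary started it, while the process check catches a tunnel whose name resolution happened off the monitored resolver; running both and intersecting on host gives the strongest lead. Keep the allow-list per host rather than per domain, since the point of the report is that the domains themselves are legitimate.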