Kimsuky’s Evolving Cyber Tactics: Deploying HTTPSpy and Expanding Arsenal with HelloDoor and VS Code Tunnels
The North Korean state-sponsored cyber espionage group, Kimsuky (also known as Velvet Chollima), has intensified its cyber operations, targeting South Korean military and corporate sectors between March and April 2026. Utilizing sophisticated social engineering techniques, Kimsuky has introduced new tools and methodologies to enhance its cyberattack capabilities.
Sophisticated Social Engineering Tactics
Kimsuky’s recent campaigns have demonstrated a high level of sophistication in social engineering. The group has been observed spoofing security software installation pages and creating counterfeit Webex meeting pages that leverage legitimate meeting schedules. These deceptive strategies aim to trick users into downloading malicious payloads, thereby compromising their systems.
Deployment of HTTPSpy Malware
A significant aspect of Kimsuky’s recent operations is the deployment of a variant of the HTTPSpy malware. This malware is disguised as installers from South Korean security software, a tactic the group has consistently employed since 2023. In March 2026, Kimsuky propagated malicious payloads through a fake web page impersonating the security software installation page of a South Korean B2B messaging service. This approach suggests a targeted effort to compromise messaging administrators within corporate environments.
The counterfeit page offered two security tools: a firewall and a keyboard security program. Unsuspecting users who initiated the download received executables named nos-setup.exe and astx-setup.exe, masquerading as nProtect Online Security and AhnLab Safe Transaction (ASTx), respectively. Despite the different names, both executables exhibited identical malicious behavior.
Upon execution, these binaries launched a second-stage DLL payload (MemLoader.dll) via regsvr32.exe and subsequently ran a batch script to delete themselves from the disk. The DLL established persistence on the host using a scheduled task and contacted a command-and-control (C2) server to retrieve an unknown payload. This method indicates that the attackers likely monitored recurring GET requests from the malware and selectively delivered payloads to specific victims.
Exploitation of Webex Meetings
In April 2026, Kimsuky employed another deceptive tactic by creating a counterfeit Webex meeting page. This fake page displayed a pop-up message urging victims to download and run a script to resolve camera access issues. Executing this script led to the retrieval of a ZIP archive containing an encrypted JavaScript (JSE) file named fix-camera.jse.
Running the JSE file deployed an intermediate downloader (mTSTCv8.mdxm) using PowerShell, which performed anti-analysis checks and contacted a C2 server to fetch the next-stage malware (engine.dat or spyInster.dll). In the final stage, the DLL dropped a loader component (cacheMon.dat) that executed HTTPSpy on the compromised system.
HTTPSpy is a full-featured remote access trojan (RAT) capable of executing shell commands, uploading and downloading files, running processes, capturing screenshots, injecting a DLL (given by path) into a process specified by PID, and erasing itself from the endpoint. This is not the first instance of Kimsuky deploying HTTPSpy; the malware’s use dates back to 2022. In its 2025 European Threat Landscape Report, CrowdStrike noted that Kimsuky likely targeted a German defense manufacturer’s employees via a credential phishing campaign deploying HTTPSpy between May and September 2024.
Simultaneously, the malware dropped and opened an HTML file named meeting.html, which immediately redirected the victim to a legitimate Webex meeting room associated with an actual scheduled event. This indicates that the attacker likely compromised a service member’s device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to other attendees.
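The two delivery chains above (installer to regsvr32.exe to scheduled task with self-deletion, and JSE script host to PowerShell downloader) can be expressed as parent/child process rules. The following is an added example, not code from the report or any vendor; the event records are constructed Sysmon-style data, and the field names, paths, task name and command-line arguments are assumptions rather than observed values.

```python
import re
# Constructed Sysmon-style process-creation records modelled on the two delivery
# chains in the text. Paths, task names and arguments are made up for the example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\u\Downloads\astx-setup.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"},
    {"parent": r"C:\Users\u\Downloads\astx-setup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\u\Downloads\astx-setup.exe"'},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn "Upd" /tr "regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\u\AppData\Local\Temp\mTSTCv8.mdxm"},
    # Benign baseline: a vendor installer under Program Files registering its own DLL.
    {"parent": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'},
]

# Locations an unprivileged user can write to; LOLBins loading from here are suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_event(ev):
    """Return the rule names a single process-creation event matches."""
    par, img, cmd = ev["parent"], _name(ev["image"]), ev["cmdline"]
    hits = []
    if img == "regsvr32.exe":
        m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.I)
        dll = m and (m.group(1) or m.group(2))
        if dll and USER_WRITABLE.match(dll) and USER_WRITABLE.match(par):
            hits.append("regsvr32_user_path_dll")      # installer -> regsvr32 MemLoader.dll
    if img == "schtasks.exe" and "/create" in cmd.lower() and _name(par) == "regsvr32.exe":
        hits.append("schtasks_from_regsvr32")          # DLL persisting via scheduled task
    if img == "cmd.exe" and " del " in cmd.lower() and par.lower() in cmd.lower():
        hits.append("parent_self_delete")              # batch self-deletion of the dropper
    if img == "powershell.exe" and _name(par) in ("wscript.exe", "cscript.exe"):
        hits.append("powershell_from_script_host")     # fix-camera.jse -> PowerShell downloader
    return hits

def detect(events):
    """Map event index -> matched rules, omitting events that match nothing."""
    flagged = ((i, flag_event(ev)) for i, ev in enumerate(events))
    return {i: hits for i, hits in flagged if hits}
```

The benign Program Files installer in the sample is not flagged, which is the point of tying the regsvr32 rule to user-writable paths rather than to regsvr32.exe alone.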
Introduction of HelloDoor and VS Code Tunnels
In addition to HTTPSpy, Kimsuky has expanded its arsenal with new tools such as HelloDoor and VS Code Tunnels. HelloDoor is a backdoor that gives attackers unauthorized access to compromised systems, enabling them to execute commands and exfiltrate data. VS Code Tunnels, a legitimate Visual Studio Code remote-development feature, is abused to establish an encrypted tunnel for remote access, giving the attacker a covert channel to the compromised system for interactive control and data transfer.
Implications and Recommendations
Kimsuky’s evolving tactics underscore the persistent and adaptive nature of state-sponsored cyber threats. The use of sophisticated social engineering techniques, combined with the deployment of advanced malware and tools, poses a significant risk to organizations.
To mitigate these threats, organizations should implement the following measures:
1. User Education and Awareness: Conduct regular training sessions to educate employees about the dangers of phishing attacks and the importance of verifying the authenticity of emails and web pages.
2. Advanced Threat Detection: Deploy advanced threat detection systems capable of identifying and mitigating sophisticated malware and intrusion attempts.
3. Regular Software Updates: Ensure that all software and systems are regularly updated to patch known vulnerabilities that could be exploited by attackers.
4. Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security, making it more difficult for attackers to gain unauthorized access.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure a swift and effective response to potential security breaches.
By adopting these measures, organizations can enhance their resilience against the evolving tactics of threat actors like Kimsuky and better protect their sensitive information and systems.