
Kimsuky Deploys HTTPSpy and New Malware Arsenal in Advanced Multi-Stage Cyber Espionage Campaign

Kimsuky Expands Cyber Arsenal with HTTPSpy, HelloDoor, and Advanced VS Code–Based Attack Tools

The North Korean state-sponsored hacking group Kimsuky, also known as Velvet Chollima, has been linked to a new wave of cyberattacks targeting South Korean military and corporate organizations during March and April 2026. The campaign highlights the group’s continued evolution and increasingly sophisticated toolset.

Researchers report that Kimsuky relied heavily on tailored social engineering techniques, including fake security software installation pages and counterfeit Webex meeting invitations designed to trick victims into downloading malware.

In one campaign, attackers created a spoofed installation portal impersonating South Korean business messaging and security software. Victims were presented with fake tools such as firewall and keyboard security programs. When downloaded, these files disguised themselves as legitimate installers but actually delivered malicious executables that mimicked well-known security products.

Once executed, the malware launched a second-stage DLL payload through system tools, followed by scripts that removed traces of the initial infection. The DLL established persistence using scheduled tasks and communicated with command-and-control servers to retrieve additional payloads. Analysts noted that attackers appeared to selectively deliver payloads based on monitoring victim activity.

In a separate campaign in April 2026, Kimsuky used a fake Cisco Webex page to lure victims into running a script under the pretense of fixing camera-related issues. This led to the download of a compressed archive containing encrypted JavaScript, which then executed a multi-stage infection chain involving PowerShell scripts, downloader components, and additional payloads.

The final stage deployed a remote access trojan known as HTTPSpy. This malware enables attackers to execute commands, transfer files, capture screenshots, inject code into processes, and maintain persistent control over compromised systems. It also includes self-deletion features to reduce forensic traces.

Researchers noted that Kimsuky has used HTTPSpy in earlier operations as well, including campaigns targeting European defense organizations. The malware has been in circulation since at least 2022.

Another notable tactic involved fake Webex meeting pages that redirected victims to legitimate meeting rooms tied to real events. Investigators believe attackers may have compromised a participant’s account or device to obtain meeting schedules, which were then reused to construct convincing phishing lures.

Some infection chains also used a technique called JSONPing, where malware running on a victim’s device communicates with a local server to confirm infection status and trigger further payload delivery. However, parts of this infrastructure are no longer active, limiting full analysis.

Security researchers also discovered that Kimsuky has adopted modern development and operational tools, including Microsoft Visual Studio Code tunnel features, Cloudflare Quick Tunnels, remote management utilities like DWAgent, and even large language models to assist in development. These tools help the group maintain persistence and improve operational flexibility.
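The legitimate remote-access tooling named above (VS Code tunnels, Cloudflare Quick Tunnels, DWAgent) leaves recognisable traces in endpoint telemetry. The following is an added illustration, not code from the article or the researchers it cites, of a triage scan over constructed process and DNS records; the event format, host names, and the process and domain patterns are assumptions for the example, and a hit is a lead to check against the host's expected use, not proof of compromise.

```python
import re

# Constructed sample telemetry (not real data): "source|host|value", where source is
# "proc" for a process command line or "dns" for a queried hostname.
SAMPLE_EVENTS = [
    "proc|ws-01|C:\\Program Files\\Microsoft VS Code\\bin\\code.cmd tunnel --name ws-01",
    "proc|ws-02|C:\\Users\\u\\AppData\\Local\\Temp\\cloudflared.exe tunnel --url http://localhost:5900",
    "dns|ws-02|random-words-1234.trycloudflare.com",
    "proc|ws-03|C:\\Program Files\\DWAgent\\native\\dwagent.exe",
    "dns|ws-03|app.dwservice.net",
    # Benign control records: a normal VS Code editor launch and its update check.
    "proc|ws-04|C:\\Program Files\\Microsoft VS Code\\Code.exe --folder-uri file:///C:/proj",
    "dns|ws-04|update.code.visualstudio.com",
]

# Triage rules for the tools the article names. Each matches legitimate product behaviour
# ("code tunnel" is the VS Code CLI tunnel command, "cloudflared tunnel --url" starts a
# Quick Tunnel that is reachable via a *.trycloudflare.com name, DWAgent talks to
# dwservice.net); the process-name patterns are assumptions for this example.
RULES = [
    ("vscode_tunnel", "proc", re.compile(r"\bcode(\.cmd|\.exe)?\s+tunnel\b", re.I)),
    ("cloudflared_quick_tunnel", "proc", re.compile(r"cloudflared(\.exe)?\s+tunnel\b.*--url\b", re.I)),
    ("cloudflared_quick_tunnel_dns", "dns", re.compile(r"\.trycloudflare\.com$", re.I)),
    ("dwagent_process", "proc", re.compile(r"\bdwagent(\.exe)?\b", re.I)),
    ("dwagent_dns", "dns", re.compile(r"(^|\.)dwservice\.net$", re.I)),
]


def scan(events):
    """Return (host, rule_name) pairs for every record that matches a rule."""
    hits = []
    for line in events:
        source, host, value = line.split("|", 2)
        for name, wanted_source, pattern in RULES:
            if source == wanted_source and pattern.search(value):
                hits.append((host, name))
    return hits


def hosts_with_remote_tunnel_tooling(events):
    """Distinct hosts that showed at least one indicator, sorted for review."""
    return sorted({host for host, _ in scan(events)})


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
    print("review:", hosts_with_remote_tunnel_tooling(SAMPLE_EVENTS))
```

Corroborating a process hit with the matching DNS hit on the same host (as ws-02 and ws-03 show) is what separates an unsanctioned outbound tunnel from a developer who merely has the tool installed.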

Recent campaigns deliver multiple malware families, including PebbleDash variants and AppleSeed-based tools. PebbleDash attacks have been observed targeting defense organizations in multiple countries, while AppleSeed activity is largely focused on government entities.

Among the newly identified tools are HelloDoor, a Rust-based backdoor that was likely developed with AI assistance, and HttpMalice, a newer PebbleDash variant capable of system reconnaissance, screenshot capture, persistence creation, and command execution. Another tool, HttpTroy, provides extensive remote access capabilities including file operations, reverse shell access, and process control.

Older malware families such as AppleSeed continue to evolve, with variants capable of stealing sensitive documents, screenshots, keystrokes, USB data, and government credential files. An advanced version known as HappyDoor has also been identified as part of the group’s long-term toolkit.

Overall, analysts say Kimsuky has significantly expanded its operational sophistication, combining advanced social engineering, legitimate cloud tools, and evolving malware families to improve stealth, persistence, and effectiveness in targeted espionage campaigns.
