How Kimsuky Used Fake Webex and Security Tools to Hack South Korea

CyberSecureFox Editorial Team

The North Korean threat group Kimsuky (also known as Velvet Chollima) carried out a series of targeted attacks against South Korean military and corporate entities in March–April 2026, using fake installation pages for security software, a spoofed Cisco Webex interface, and a new variant of the remote access trojan HTTPSpy. According to South Korean company ENKI, the attackers implemented a real-time infection-check mechanism via JSONP requests — a technique dubbed JSONPing. In parallel, a Kaspersky study observed an expansion of Kimsuky’s toolkit through tunneling via VS Code, the DWAgent tool, and malware written in Rust. Organizations in the defense, government, and energy sectors should immediately scan their networks for indicators of compromise related to these campaigns.

March campaign: posing as security software

In March 2026, according to ENKI, Kimsuky created a fake web page masquerading as the installation portal for security tools of a South Korean B2B messenger. The page offered downloads for two tools — a firewall and keystroke protection software. This choice of lure suggests the likely targets were administrators of corporate messaging systems.

When attempting to download, the victim received one of two executables — nos-setup.exe (masquerading as nProtect Online Security) or astx-setup.exe (impersonating AhnLab Safe Transaction). Despite the different names, both files exhibited identical malicious behavior: launching the second-stage DLL module MemLoader.dll via the regsvr32.exe system utility, followed by deletion of the original file using a batch script. The DLL achieved persistence through a scheduled task and established contact with a command-and-control server to receive additional payloads.

The tactic of disguising malware as South Korean security products is not new for Kimsuky. According to AhnLab ASEC and ALYac, the group has been systematically using this approach since at least 2023.

April campaign: fake Webex and schedule theft

In April 2026, the attackers switched to a different social engineering vector: a fake Cisco Webex page displayed a pop-up window prompting the user to download a script to “fix camera issues.” Executing the script led to the download of a ZIP archive containing an encrypted JavaScript file, fix-camera.jse.

The infection chain looked as follows:

  1. Executing fix-camera.jse deployed an intermediate loader, mTSTCv8.mdxm, via PowerShell.
  2. The loader performed checks for analysis tools and contacted the command server for the next stage — the files engine.dat or spyInster.dll.
  3. The final DLL installed the loader component cacheMon.dat, which in turn launched HTTPSpy itself.

One noteworthy detail: simultaneously with the infection, the malware opened an HTML file, meeting.html, which redirected the victim to a real Webex room with an actual scheduled meeting. According to ENKI’s assessment, this implies the attackers likely compromised the device or account of one of the service members, gained access to the meeting schedule, and used it to craft a convincing lure aimed at the other meeting participants.

HTTPSpy and the JSONPing technique

HTTPSpy is a fully featured remote access trojan supporting shell command execution, file upload and download, process execution, screenshot capture, DLL injection into specified processes by PID, and self-removal from the endpoint. According to the CrowdStrike 2025 European Threat Landscape report, Kimsuky is believed to have used HTTPSpy to attack employees of a German defense contractor between May and September 2024.

The JSONPing technique deserves special attention: ENKI discovered additional fake web pages that, via JSONP requests, queried a local server deployed by the malware on the victim’s machine to check the infection status. If the malware was not running, the page displayed a repeated prompt to install. This real-time verification mechanism allowed the attackers to confirm successful delivery and, if needed, retry the attempt.

Arsenal evolution: from AppleSeed to HelloDoor

Alongside the ENKI report, Kaspersky published a detailed analysis of two main Kimsuky malware clusters — PebbleDash and AppleSeed — demonstrating significant evolution:

  • HelloDoor — a Rust-based PebbleDash variant first detected in August 2025. According to researchers, it was likely developed with the help of a large language model.
  • HttpMalice — the newest backdoor in the PebbleDash family (no later than December 2025), capable of collecting system information, achieving persistence, performing reconnaissance using native Windows tools, capturing the screen, loading payloads into memory, and exfiltrating command execution results.
  • HttpTroy — a backdoor supporting reverse shell, file download, in-memory execution, and artifact cleanup.
  • AppleSeed (Dropper and Spy variants) — the spy variant collects documents, screenshots, keystrokes, lists of USB drives, and data from the C:\GPKI directory, indicating a targeted interest in government PKI certificates.

Kaspersky also observed Kimsuky using the legitimate VS Code Remote Tunneling mechanism for covert remote access — a technique independently confirmed by Darktrace and Logpresso. This approach eliminates the need for traditional C2 communication channels, making detection significantly more difficult.

Impact assessment

According to Kaspersky, the two Kimsuky malware clusters target overlapping sectors: defense, military, government agencies, healthcare, machine manufacturing, and energy. PebbleDash attacks have been recorded not only in South Korea but also against defense organizations in Brazil and Germany, indicating an expansion of the group’s operational geography. The AppleSeed cluster, researchers note, is shifting its focus toward data exfiltration, with extraction of GPKI certificates emerging as a defining capability.

The use of real meeting schedules to craft lures means that compromising a single device can lead to cascading infections among all participants in work meetings — an especially dangerous scenario for military and government organizations.

Protection recommendations

  • Check the network for the presence of files named in the list of indicators: nos-setup.exe, astx-setup.exe, MemLoader.dll, fix-camera.jse, mTSTCv8.mdxm, engine.dat, spyInster.dll, cacheMon.dat, meeting.html.
  • Review scheduled tasks for suspicious entries created via regsvr32.exe.
  • Restrict or monitor the use of VS Code Remote Tunneling and Cloudflare Quick Tunnels in the corporate environment — these legitimate services are actively used by Kimsuky to evade detection.
  • Block the execution of JSE files via Group Policy if this format is not required for business processes.
  • Tighten controls around downloading security software: security tools should only be installed from verified internal repositories, not from external web pages.
  • Audit the C:\GPKI directory for unauthorized access — extraction of government PKI certificates is a priority objective of the AppleSeed cluster.
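As an added example (not from the ENKI or Kaspersky reports, nor from the article's own material), the following Python hunting script applies the indicator list and the behaviours from both infection chains above (regsvr32 loading a DLL from a user-writable path, scheduled-task persistence, JSE execution, a VS Code tunnel) to Sysmon-style process-creation events; the event format and every sample event are constructed for illustration.

```python
"""Hunt Sysmon-style process-creation events for the Kimsuky TTPs covered in
the article. The log format and all sample events are constructed, not telemetry."""
import re

# File names from the article's indicator list (lower-cased for matching).
IOC_NAMES = {"nos-setup.exe", "astx-setup.exe", "memloader.dll", "fix-camera.jse",
             "mtstcv8.mdxm", "engine.dat", "spyinster.dll", "cachemon.dat", "meeting.html"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
EVENT_RE = re.compile(r"^(\S+) parent=(\S+) image=(\S+) cmd=(.*)$")

# Constructed events: nos-setup.exe -> regsvr32 MemLoader.dll -> scheduled task,
# then the April chain (fix-camera.jse -> PowerShell loader), a VS Code tunnel,
# and one benign regsvr32 call from System32 that must not fire.
SAMPLE_LOG = r"""
2026-03-12T09:01:02Z parent=explorer.exe image=nos-setup.exe cmd="C:\Users\kim\Downloads\nos-setup.exe"
2026-03-12T09:01:03Z parent=nos-setup.exe image=regsvr32.exe cmd=regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\MemLoader.dll
2026-03-12T09:01:04Z parent=regsvr32.exe image=schtasks.exe cmd=schtasks /create /tn Updater /tr "regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\MemLoader.dll" /sc minute
2026-04-08T14:20:11Z parent=explorer.exe image=wscript.exe cmd=wscript.exe C:\Users\kim\Downloads\fix-camera.jse
2026-04-08T14:20:12Z parent=wscript.exe image=powershell.exe cmd=powershell -ep bypass -f C:\Users\kim\AppData\Local\Temp\mTSTCv8.mdxm
2026-04-08T14:25:00Z parent=explorer.exe image=code.exe cmd=code.exe tunnel
2026-04-08T14:30:00Z parent=svchost.exe image=regsvr32.exe cmd=regsvr32.exe /s C:\Windows\System32\wuapi.dll
"""

def classify(image, cmd):
    """Return the rule names an event matches; an empty list means clean."""
    img, c = image.lower(), cmd.lower()
    hits = [f"ioc:{n}" for n in sorted(IOC_NAMES) if n in c]
    if img == "regsvr32.exe" and ".dll" in c and any(d in c for d in USER_WRITABLE):
        hits.append("regsvr32-user-writable-dll")      # MemLoader.dll stage
    if img == "schtasks.exe" and "/create" in c and "regsvr32" in c:
        hits.append("schtasks-regsvr32-persistence")   # persistence via task
    if img in ("wscript.exe", "cscript.exe") and ".jse" in c:
        hits.append("jse-script-execution")            # fix-camera.jse lure
    if img == "code.exe" and re.search(r"\btunnel\b", c):
        hits.append("vscode-remote-tunnel")            # covert remote access
    return hits

def hunt(log_text):
    """Return (timestamp, image, hits) for each event matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, _parent, image, cmd = m.groups()
            hits = classify(image, cmd)
            if hits:
                findings.append((ts, image, hits))
    return findings
```

Running `hunt(SAMPLE_LOG)` flags six of the seven events and leaves the System32 regsvr32 call alone; point it at exported Sysmon Event ID 1 data reshaped into the same one-line format to hunt across a fleet.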

The Kimsuky campaigns of March–April 2026 illustrate a shift from mass malware distribution to surgically precise operations: stealing schedules to craft convincing lures, real-time infection verification via JSONPing, and abusing legitimate development tools to conceal C2 channels. Defense and government organizations in South Korea, as well as their international partners, should urgently scan their environments for the listed indicators and restrict the use of VS Code Remote Tunneling until investigations are complete.
