The North Korean hacker group known as Kimsuky, also referred to as Velvet Chollima, has been linked to a new wave of cyberattacks targeting South Korean military and corporate sectors during March and April 2026. This state-sponsored group is known to employ advanced social engineering tactics, including impersonating security software and setting up fake Webex meeting pages, to deceive its targets, according to a report by ENKI released this week.
Deceptive Tactics and Malware Deployment
In this recent campaign, Kimsuky used a variant of the malware family known as HTTPSpy, presenting it as legitimate installers from South Korean security software providers, an approach that has been a consistent part of its strategy since 2023. The attackers created a fraudulent web page resembling the installation page of a South Korean messaging service, aiming at messaging administrators within corporate environments. The page falsely advertised two security tools, leading visitors to download malicious executables disguised as genuine security software.
The downloaded executables, “nos-setup.exe” and “astx-setup.exe,” masqueraded as nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the different names, both carried out the same malicious actions. Once run, these files launched a secondary DLL payload, “MemLoader.dll,” via “regsvr32.exe” and then deleted themselves. The DLL established persistence through a scheduled task and connected to a command-and-control server to download further payloads.
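The execution chain just described (installer spawns regsvr32.exe loading a DLL, the installer deletes itself, the DLL-hosting regsvr32 process creates a scheduled task) can be turned into a simple behavioural detection. The following is an added example written for this page, not code from ENKI or from the report; it runs over a handful of constructed Sysmon-style process-creation events (pids, paths and the task name are invented placeholders, not indicators from the campaign), and the "user-writable directory" heuristic is an assumption about where a legitimate installer would rarely load a DLL from.

```python
import re

# Directories a normal software installer would rarely load a DLL from.
# Constructed heuristic, not taken from the report.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.dll)"?', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style). Not real telemetry;
# file names mirror the ones named in the article, everything else is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\nos-setup.exe",
     "cmdline": r'"C:\Users\alice\Downloads\nos-setup.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\MemLoader.dll"'},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\alice\Downloads\nos-setup.exe"'},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn "UpdateCheck" '
                r'/tr "regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\MemLoader.dll"'},
    # Benign control: a vendor installer registering a DLL from Program Files.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'},
]


def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(events_by_pid, pid):
    """Yield the pids of the parent chain of `pid`, nearest first."""
    seen = set()
    cur = events_by_pid.get(pid)
    while cur and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        yield cur["ppid"]
        cur = events_by_pid.get(cur["ppid"])


def analyze(events):
    """Return (rule, pid) alerts for the three stages of the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    suspicious_regsvr32 = set()

    for e in events:
        name = _name(e["image"])
        if name == "regsvr32.exe":
            # Stage 1: regsvr32 loading a DLL from a user-writable location.
            m = DLL_ARG.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                suspicious_regsvr32.add(e["pid"])
                alerts.append(("regsvr32_user_writable_dll", e["pid"]))
        elif name == "cmd.exe" and re.search(r"\bdel\b", e["cmdline"], re.IGNORECASE):
            # Stage 2: a child shell deleting its own parent's executable.
            parent = by_pid.get(e["ppid"])
            if parent and parent["image"].lower() in e["cmdline"].lower():
                alerts.append(("parent_self_delete", e["pid"]))

    # Second pass so task creation is caught regardless of event ordering.
    for e in events:
        if _name(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower():
            # Stage 3: persistence created from inside the suspicious regsvr32 process.
            if suspicious_regsvr32.intersection(ancestors(by_pid, e["pid"])):
                alerts.append(("scheduled_task_from_regsvr32", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each stage on its own is noisy (legitimate installers call regsvr32, and scheduled tasks are created all day); the value is in tying the task creation back to a regsvr32 process that loaded a DLL from a user-writable path, which is why the parent chain is walked rather than matching on a single event.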
Innovative Techniques and Sophisticated Operations
In another operation observed in April 2026, Kimsuky used a counterfeit Cisco Webex page to prompt victims into downloading a script under the pretense of resolving camera access issues. This script extracted a ZIP archive containing an encrypted JavaScript file, which, upon execution, launched an intermediate downloader using PowerShell. The downloader performed anti-analysis checks and connected to a C2 server to fetch additional malware. This elaborate scheme demonstrated Kimsuky’s ability to innovate and adapt its methods.
HTTPSpy, a comprehensive remote access trojan, was deployed in these attacks, allowing the attackers to execute commands, manage files, capture screenshots, and erase traces from compromised systems. This malware has a history of being used by Kimsuky, with its initial use traced back to 2022 and previous deployments against European targets in 2024.
Expanding Arsenal with New Tools
Kimsuky’s latest strategies include leveraging Microsoft Visual Studio Code (VS Code) tunneling and Cloudflare Quick Tunnels for covert access, as detailed by Kaspersky. These techniques enable the group to establish persistence and facilitate post-exploitation activities. The group has also been found using diverse droppers to distribute malware families such as PebbleDash and AppleSeed, targeting both public and private entities in South Korea.
Key among these malware variants are HelloDoor, a Rust-based version of PebbleDash, and HttpMalice, a backdoor that emerged in late 2025. These tools exhibit advanced functionality such as system reconnaissance, persistent access, and data exfiltration. The use of legitimate VS Code tunneling further signals a shift towards more sophisticated tactics, reducing reliance on traditional malware C2 channels.
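Because VS Code tunnels and Cloudflare Quick Tunnels are legitimate services, the defensive angle is not blocking the binaries but spotting them where they do not belong: on servers, under service accounts, or launched from user-writable paths. The block below is an added example for this page, not code from Kaspersky or the referenced reports. It matches the documented command forms (`code tunnel` for the VS Code CLI, `cloudflared tunnel --url` for quick tunnels) and the relay domains commonly associated with those services; the domain patterns, the host and user names, and the sample events are the author's assumptions and constructed data, to be validated against your own telemetry.

```python
import re

# Command-line indicators for the two tunnelling services named in the article.
PROCESS_RULES = [
    ("vscode_tunnel_cli",
     re.compile(r'(^|[\\/\s])code(\.exe|\.cmd)?"?\s+tunnel\b', re.IGNORECASE)),
    ("cloudflared_quick_tunnel",
     re.compile(r'cloudflared(\.exe)?"?\s+tunnel\b.*--url\b', re.IGNORECASE)),
]

# Relay domains as far as known to the author of this example (assumption: verify
# against current vendor documentation and your own DNS telemetry).
DNS_RULES = [
    ("vscode_tunnel_dns",
     re.compile(r"(^|\.)(tunnels\.api\.visualstudio\.com|devtunnels\.ms)$", re.IGNORECASE)),
    ("cloudflare_quick_tunnel_dns",
     re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)),
]

# Constructed sample telemetry; hosts, users and command lines are invented.
SAMPLE_PROCESS = [
    {"host": "dev-laptop-07", "user": r"corp\dev.alice",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code.cmd" tunnel'},
    {"host": "fileserver-02", "user": r"corp\svc.backup",
     "cmdline": r'"C:\Users\svc.backup\AppData\Local\Temp\code.exe" tunnel --name fs02'},
    {"host": "fileserver-02", "user": r"corp\svc.backup",
     "cmdline": r"cloudflared.exe tunnel --url http://localhost:3389"},
    {"host": "dev-laptop-07", "user": r"corp\dev.alice",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'},
]
SAMPLE_DNS = [
    {"host": "fileserver-02", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "fileserver-02", "query": "quiet-pine-1234.trycloudflare.com"},
    {"host": "dev-laptop-07", "query": "update.code.visualstudio.com"},
]


def classify_process(cmdline):
    """Names of the process rules that a command line matches."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]


def classify_dns(query):
    """Names of the DNS rules that a queried name matches."""
    return [name for name, rx in DNS_RULES if rx.search(query)]


def scan(process_events, dns_events, approved_users=()):
    """Return (host, user, indicator) for tunnel activity outside the approved set.

    Process hits by users explicitly approved to use VS Code tunnels (e.g. developers)
    are suppressed; DNS events carry no user here, so they are always reported and
    should be correlated with the process hits by host.
    """
    hits = []
    for ev in process_events:
        for tag in classify_process(ev["cmdline"]):
            if ev["user"] not in approved_users:
                hits.append((ev["host"], ev["user"], tag))
    for ev in dns_events:
        for tag in classify_dns(ev["query"]):
            hits.append((ev["host"], ev.get("user", "?"), tag))
    return hits


if __name__ == "__main__":
    for host, user, tag in scan(SAMPLE_PROCESS, SAMPLE_DNS, approved_users={r"corp\dev.alice"}):
        print(f"{host} {user} {tag}")
```

The allow-list is deliberately per user rather than per binary: a developer starting `code tunnel` on a laptop is expected, while the same command under a service account on a file server, launched from a Temp directory, is what the report describes as covert access and deserves a ticket.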
As Kimsuky continues to expand its toolset, the threat landscape remains complex and dynamic. Security experts stress the need for vigilance and robust defenses to counter such evolving threats.
