Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Kimsuky Expands Cyber Arsenal with New Techniques

Kimsuky Expands Cyber Arsenal with New Techniques

Posted on May 29, 2026 By CWS

The North Korean hacker group known as Kimsuky, also referred to as Velvet Chollima, has been linked to a new wave of cyber assaults targeting South Korean military and corporate sectors during March and April 2026. This state-sponsored group has been known to employ advanced social engineering tactics, including the mimicking of security software and fake Webex meeting pages, to deceive their targets, according to a report by ENKI released this week.

Deceptive Tactics and Malware Deployment

In this recent campaign, Kimsuky utilized a variant of the malware family known as HTTPSpy, presenting it as legitimate installers from South Korean security software providers. This approach has been a consistent part of their strategy since 2023. The attackers created a fraudulent web page resembling the installation page of a South Korean messaging service, aiming to target messaging administrators within corporate environments. The page falsely advertised two security tools, leading to the download of malicious executables disguised as genuine security software.

The downloaded executables, “nos-setup.exe” and “astx-setup.exe,” masqueraded as nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the differences in names, both carried out the same malicious actions. Once activated, these files launched a secondary DLL payload, “MemLoader.dll,” using “regsvr32.exe” and then deleted themselves. The DLL established persistence through a scheduled task and connected to a command-and-control server to download further payloads.

Innovative Techniques and Sophisticated Operations

In another operation observed in April 2026, Kimsuky utilized a counterfeit Cisco Webex page to prompt victims into downloading a script under the pretense of resolving camera access issues. This script extracted a ZIP archive containing an encrypted JavaScript file, which upon execution, initiated an intermediate downloader using PowerShell. The downloader performed anti-analysis checks and connected with a C2 server to fetch additional malware. This elaborate scheme demonstrated Kimsuky’s ability to innovate and adapt their methods.

HTTPSpy, a comprehensive remote access trojan, was deployed in these attacks, allowing the attackers to execute commands, manage files, capture screenshots, and erase traces from compromised systems. This malware has a history of being used by Kimsuky, with its initial use traced back to 2022 and previous deployments against European targets in 2024.

Expanding Arsenal with New Tools

Kimsuky’s latest strategies include leveraging Microsoft Visual Studio Code (VS Code) tunneling and Cloudflare Quick Tunnels for covert access, as detailed by Kaspersky. These techniques enable the group to establish persistence and facilitate post-exploitation activities. The group has also been found using diverse droppers to distribute malware families such as PebbleDash and AppleSeed, targeting both public and private entities in South Korea.

Key among these malware variants is HelloDoor, a Rust-based version of PebbleDash, and HttpMalice, a backdoor that emerged in late 2025. These tools exhibit advanced functionalities like system reconnaissance, persistent access, and data exfiltration. The use of legitimate VS Code tunneling further signifies a shift towards more sophisticated tactics, reducing reliance on traditional malware C2 channels.

As Kimsuky continues to enhance its cyber arsenal, the threat landscape remains complex and dynamic. Security experts emphasize the necessity for vigilance and robust defenses to counter such evolving threats.

The Hacker News Tags:APT, cyber attack, cyber espionage, cyber threat, Cybersecurity, HelloDoor, HTTPSpy, Kimsuky, Malware, North Korea, social engineering, South Korea, VS Code Tunnels

Post navigation

Previous Post: VS Code Remote-SSH Vulnerability Threatens Cloud Security
Next Post: Fake RVTools Installer Exploits Certificate to Evade Security

Related Posts

New Flaws and AI Threats Shape Cybersecurity Landscape New Flaws and AI Threats Shape Cybersecurity Landscape The Hacker News
Why Early Threat Detection Is a Must for Long-Term Business Growth Why Early Threat Detection Is a Must for Long-Term Business Growth The Hacker News
FortiClient EMS Flaw Exploited by Hackers for Data Theft FortiClient EMS Flaw Exploited by Hackers for Data Theft The Hacker News
Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack The Hacker News
Magento Flaw Risks RCE and Account Security Magento Flaw Risks RCE and Account Security The Hacker News
North Korean Hackers Use Fake Microsoft Alerts to Spread NarwhalRAT North Korean Hackers Use Fake Microsoft Alerts to Spread NarwhalRAT The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark