Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Kimsuky Expands Cyber Arsenal with New Techniques

Kimsuky Expands Cyber Arsenal with New Techniques

Posted on May 29, 2026 By CWS

The North Korean hacker group known as Kimsuky, also referred to as Velvet Chollima, has been linked to a new wave of cyber assaults targeting South Korean military and corporate sectors during March and April 2026. This state-sponsored group has been known to employ advanced social engineering tactics, including the mimicking of security software and fake Webex meeting pages, to deceive their targets, according to a report by ENKI released this week.

Deceptive Tactics and Malware Deployment

In this recent campaign, Kimsuky utilized a variant of the malware family known as HTTPSpy, presenting it as legitimate installers from South Korean security software providers. This approach has been a consistent part of their strategy since 2023. The attackers created a fraudulent web page resembling the installation page of a South Korean messaging service, aiming to target messaging administrators within corporate environments. The page falsely advertised two security tools, leading to the download of malicious executables disguised as genuine security software.

The downloaded executables, “nos-setup.exe” and “astx-setup.exe,” masqueraded as nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the differences in names, both carried out the same malicious actions. Once activated, these files launched a secondary DLL payload, “MemLoader.dll,” using “regsvr32.exe” and then deleted themselves. The DLL established persistence through a scheduled task and connected to a command-and-control server to download further payloads.

Innovative Techniques and Sophisticated Operations

In another operation observed in April 2026, Kimsuky utilized a counterfeit Cisco Webex page to prompt victims into downloading a script under the pretense of resolving camera access issues. This script extracted a ZIP archive containing an encrypted JavaScript file, which upon execution, initiated an intermediate downloader using PowerShell. The downloader performed anti-analysis checks and connected with a C2 server to fetch additional malware. This elaborate scheme demonstrated Kimsuky’s ability to innovate and adapt their methods.

HTTPSpy, a comprehensive remote access trojan, was deployed in these attacks, allowing the attackers to execute commands, manage files, capture screenshots, and erase traces from compromised systems. This malware has a history of being used by Kimsuky, with its initial use traced back to 2022 and previous deployments against European targets in 2024.

Expanding Arsenal with New Tools

Kimsuky’s latest strategies include leveraging Microsoft Visual Studio Code (VS Code) tunneling and Cloudflare Quick Tunnels for covert access, as detailed by Kaspersky. These techniques enable the group to establish persistence and facilitate post-exploitation activities. The group has also been found using diverse droppers to distribute malware families such as PebbleDash and AppleSeed, targeting both public and private entities in South Korea.

Key among these malware variants is HelloDoor, a Rust-based version of PebbleDash, and HttpMalice, a backdoor that emerged in late 2025. These tools exhibit advanced functionalities like system reconnaissance, persistent access, and data exfiltration. The use of legitimate VS Code tunneling further signifies a shift towards more sophisticated tactics, reducing reliance on traditional malware C2 channels.

As Kimsuky continues to enhance its cyber arsenal, the threat landscape remains complex and dynamic. Security experts emphasize the necessity for vigilance and robust defenses to counter such evolving threats.

The Hacker News Tags:APT, cyber attack, cyber espionage, cyber threat, Cybersecurity, HelloDoor, HTTPSpy, Kimsuky, Malware, North Korea, social engineering, South Korea, VS Code Tunnels

Post navigation

Previous Post: VS Code Remote-SSH Vulnerability Threatens Cloud Security
Next Post: Fake RVTools Installer Exploits Certificate to Evade Security

Related Posts

Critical Linux Vulnerability Exposes Systems to Root Attacks Critical Linux Vulnerability Exposes Systems to Root Attacks The Hacker News
GlassWorm Campaign Targets Developer IDEs with Zig Dropper GlassWorm Campaign Targets Developer IDEs with Zig Dropper The Hacker News
VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption The Hacker News
Compromised Nx Console Targets VS Code with Credential Theft Compromised Nx Console Targets VS Code with Credential Theft The Hacker News
Threat Actors Exploit Vulnerability to Access Next.js Hosts Threat Actors Exploit Vulnerability to Access Next.js Hosts The Hacker News
Ransomware Negotiator Sentenced for BlackCat Involvement Ransomware Negotiator Sentenced for BlackCat Involvement The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion
  • LabubaRAT Disguises as NVIDIA Software to Infiltrate Systems
  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion
  • LabubaRAT Disguises as NVIDIA Software to Infiltrate Systems
  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark