North Korean state-sponsored threat actor Kimsuky, also known as Velvet Chollima, has been linked to a new wave of cyberattacks targeting South Korean military organizations and private-sector companies during March and April 2026. Security researchers have observed the group employing increasingly sophisticated social engineering techniques to distribute malware and compromise high-value targets.
Fake Security Software Used to Deliver Malware
According to cybersecurity firm ENKI, Kimsuky has continued its long-running tactic of disguising malware as legitimate South Korean security software installers. The latest attacks delivered a variant of the remote access trojan (RAT) known as HTTPSpy, a malware family the group has used since at least 2022.
In a campaign identified in March 2026, attackers created a fraudulent webpage impersonating the software installation portal of a South Korean business-to-business messaging service. Researchers believe the operation was specifically designed to target messaging administrators working within corporate environments.
The fake website offered downloads for two supposed security tools: a firewall application and a keyboard security program. Victims who attempted to install the software received malicious executables named nos-setup.exe and astx-setup.exe, masquerading respectively as nProtect Online Security and AhnLab Safe Transaction (ASTx), both legitimate South Korean endpoint security products.
Although the filenames differed, both executables performed the same malicious functions.
Multi-Stage Infection Process
Once executed, the malicious files launched a second-stage DLL payload called MemLoader.dll through regsvr32.exe, a signed Windows utility that runs a DLL's registration export and is therefore a common living-off-the-land choice for executing code under a trusted process name. A batch script then deleted the original installer files to reduce forensic evidence.
The DLL established persistence through a scheduled task and repeatedly communicated with a command-and-control (C2) server while awaiting additional malware payloads.
Researchers believe the attackers selectively delivered follow-on malware only to chosen victims after monitoring the infected systems’ network requests.
Fake Cisco Webex Pages Target Meeting Participants
In a separate campaign discovered in April 2026, Kimsuky created counterfeit Cisco Webex meeting pages to lure victims.
Visitors to the fake site were shown a pop-up warning claiming their camera could not be accessed and instructing them to download a fix. The download was a ZIP archive containing fix-camera.jse, an encoded JScript file: the .jse format is Windows Script Host's encoded-script container, which obscures the script body from casual inspection but does not stop wscript.exe from running it when the file is opened.
Executing the script triggered a complex infection chain:
- PowerShell downloaded an intermediate malware loader.
- Anti-analysis checks were performed to evade detection.
- The malware contacted a remote C2 server.
- Additional payloads such as engine.dat or spyInster.dll were retrieved.
- A loader component called cacheMon.dat was deployed.
- HTTPSpy was ultimately installed on the compromised device.
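The two process chains described above (the fake installer that hands MemLoader.dll to regsvr32.exe and then creates a scheduled task, and the fix-camera.jse script that spawns PowerShell to fetch a loader) have a shape that endpoint telemetry can correlate. The following is an added example written for this page, not ENKI's, Kaspersky's or Kimsuky's code: it walks constructed process-creation events, groups each process with its descendants, and flags the two patterns. The event layout, paths, PIDs, task name and PowerShell arguments are all assumptions made for illustration; only the filenames nos-setup.exe, MemLoader.dll and fix-camera.jse come from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Directories an unprivileged user can write to; a DLL handed to regsvr32.exe
# from one of these is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Command-line fragments that mark PowerShell as a downloader or stager.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "-enc", "-encodedcommand")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field layout is constructed for the example)."""
    ts: int        # seconds on a constructed monotonic clock
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def regsvr32_dll(cmdline: str):
    """DLL path passed to regsvr32.exe (quoted or bare), or None."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def descendants(root, children, window):
    """All processes below `root` that started within `window` seconds of it."""
    out, stack = [], list(children[root.pid])
    while stack:
        e = stack.pop()
        if 0 <= e.ts - root.ts <= window:
            out.append(e)
            stack.extend(children[e.pid])
    return out


def find_chains(events, window=300):
    """Return [(rule_name, root_pid)] for every process whose subtree matches."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for root in events:
        sub = descendants(root, children, window)
        # Rule 1 (fake installer chain): regsvr32.exe given a DLL from a
        # user-writable path, plus schtasks.exe /create somewhere in the subtree.
        user_dll = [d for d in sub if basename(d.image) == "regsvr32.exe"
                    and in_user_writable(regsvr32_dll(d.cmdline) or "")]
        sched = [d for d in sub if basename(d.image) == "schtasks.exe"
                 and "/create" in d.cmdline.lower()]
        if user_dll and sched:
            hits.append(("installer_regsvr32_schtasks", root.pid))
        # Rule 2 (fake Webex fix chain): Windows Script Host running a .jse
        # that spawns PowerShell with a download or encoded-command indicator.
        if (basename(root.image) in ("wscript.exe", "cscript.exe")
                and ".jse" in root.cmdline.lower()):
            stagers = [d for d in sub if basename(d.image) == "powershell.exe"
                       and any(h in d.cmdline.lower() for h in DOWNLOAD_HINTS)]
            if stagers:
                hits.append(("jse_powershell_download", root.pid))
    return hits


# Constructed sample telemetry: every path, PID, task name and PowerShell
# argument below is invented; the encoded command decodes to "ABC".
SAMPLE_EVENTS = [
    ProcEvent(100, 1000, 500, r"C:\Users\admin\Downloads\nos-setup.exe", "nos-setup.exe"),
    ProcEvent(101, 1001, 1000, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\admin\AppData\Local\Temp\MemLoader.dll"'),
    ProcEvent(102, 1002, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\cleanup.bat"'),
    ProcEvent(103, 1003, 1001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn SampleTask '
              r'/tr "regsvr32.exe /s C:\Users\admin\AppData\Local\Temp\MemLoader.dll"'),
    ProcEvent(200, 2000, 600, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\admin\Downloads\fix-camera.jse"'),
    ProcEvent(201, 2001, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc QQBCAEMA"),
    # Benign control: an MSI installer registering a DLL under Program Files.
    ProcEvent(300, 3000, 700, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i vendor.msi"),
    ProcEvent(301, 3001, 3000, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    ProcEvent(302, 3002, 3000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn VendorUpdate /tr "C:\Program Files\Vendor\update.exe"'),
]

if __name__ == "__main__":
    for rule, pid in find_chains(SAMPLE_EVENTS):
        print(f"{rule}: root pid {pid}")
```

The benign MSI chain also pairs regsvr32.exe with schtasks.exe /create, which is why the first rule keys on the DLL's location rather than on the utilities alone; in real telemetry the same events would come from Sysmon event ID 1 or an EDR's process feed, and the time window should be tuned to how long the installer lingers.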
HTTPSpy Provides Extensive Remote Control Capabilities
HTTPSpy functions as a full-featured remote access trojan capable of:
- Executing shell commands
- Uploading and downloading files
- Running processes remotely
- Capturing screenshots
- Injecting DLLs into active processes
- Removing traces of infection
The malware has been linked to previous Kimsuky operations. CrowdStrike previously reported that the group targeted employees of a German defense contractor between May and September 2024 using credential phishing campaigns that deployed HTTPSpy.
Stolen Meeting Schedules Used as Lures
One particularly notable aspect of the April campaign was the use of legitimate meeting information.
Alongside the malware, victims received an HTML file named meeting.html, which redirected them to a real Webex meeting room associated with an actual scheduled event occurring at the same time.
Researchers believe Kimsuky may have compromised a participant’s device or account to obtain authentic meeting schedules. The attackers then used that information to create convincing phishing pages targeting other attendees.
New “JSONPing” Technique Improves Infection Success
ENKI also uncovered additional fake webpages utilizing a technique dubbed JSONPing.
These pages loaded a script from a local HTTP listener that the malware had opened on the victim's machine, using JSONP (JSON with Padding): the page injects a script element whose URL points at the loopback address and names a callback function, and the listener answers with JavaScript that calls that function. Because the browser executes the response as a script rather than handing it to page code as data, the attacker's page learns that the implant is running, even though a cross-origin fetch to the same listener would be blocked from reading the reply. The mechanism allowed attackers to verify whether the malware had successfully executed before displaying installation prompts.
This real-time infection verification system demonstrates Kimsuky’s growing focus on maximizing malware delivery success rates.
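A defender reviewing a suspected phishing-kit page can hunt for the page-side half of this check: a script URL that targets the local host and carries a JSONP callback parameter. The following is an added example written for this page, not ENKI's or Kimsuky's code. The listener port, path and callback name are not public and are invented stand-ins here, as is the sample HTML; the parser also scans URL literals inside inline scripts because the probe is typically injected from JavaScript rather than written as a static tag.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameters conventionally used to name a JSONP callback.
CALLBACK_PARAMS = {"callback", "cb", "jsonp", "jsonpcallback"}
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def is_loopback_jsonp(url: str) -> bool:
    """True if `url` points at the local host and carries a JSONP callback name."""
    u = urlparse(url)
    host = (u.hostname or "").lower()          # urlparse strips [] from IPv6 literals
    loopback = host in ("localhost", "::1") or host.startswith("127.")
    return loopback and any(k.lower() in CALLBACK_PARAMS for k in parse_qs(u.query))


class ScriptCollector(HTMLParser):
    """Gathers static <script src> values and URL literals inside inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                     # probes are usually built from JS
            self.urls.extend(URL_RE.findall(data))


def find_jsonping_probes(html: str):
    """Unique loopback JSONP URLs referenced by a page, in document order."""
    p = ScriptCollector()
    p.feed(html)
    seen, hits = set(), []
    for u in p.urls:
        if u not in seen and is_loopback_jsonp(u):
            seen.add(u)
            hits.append(u)
    return hits


# Constructed phishing-page fragment. Port 5566, the /ping path and the
# onAgentReady callback are invented; a legitimate third-party JSONP call is
# included to show that only the loopback target is flagged.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example.com/lib.min.js"></script>
<script src="https://api.example.com/geo?callback=setRegion"></script>
</head><body>
<div id="prompt">Your camera could not be accessed. Download the fix to continue.</div>
<script>
  var s = document.createElement('script');
  s.src = 'http://127.0.0.1:5566/ping?callback=onAgentReady';
  s.onerror = function () { showDownloadPrompt(); };   // nothing listening: keep luring
  function onAgentReady(r) { hideDownloadPrompt(); }    // implant answered: move on
  document.head.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    print(find_jsonping_probes(SAMPLE_PAGE))
```

The same check works on HTML captured from a sandbox or a proxy; a page served from a public domain that reaches for 127.0.0.1 with a callback parameter has very few legitimate explanations and is worth pairing with a host-side look for an unexpected local listener.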
Kimsuky Adopts VS Code Tunnels and AI-Assisted Development
Separately, cybersecurity researchers at Kaspersky reported that Kimsuky has expanded its toolkit by incorporating:
- Microsoft Visual Studio Code Remote Tunneling
- Cloudflare Quick Tunnels
- DWAgent remote management software
- Rust-based malware
- Large Language Models (LLMs)
By abusing legitimate remote access technologies such as VS Code Tunneling, attackers can maintain persistent access to victim systems without relying solely on traditional malware command-and-control infrastructure. Because the connection is brokered through the vendor's own tunnel service over HTTPS, it is also harder to distinguish from legitimate developer or administrative traffic.
New Malware Families Identified
Kaspersky identified several malware families currently being deployed by Kimsuky.
HelloDoor
First observed in August 2025, HelloDoor is a Rust-based malware variant believed to have been partially developed with assistance from large language models. It supports command execution, directory management, and configurable sleep intervals.
HttpMalice
Emerging in late 2025, HttpMalice represents the latest evolution of the PebbleDash malware family. It can:
- Collect system information
- Establish persistence
- Perform reconnaissance
- Capture screenshots
- Load payloads directly into memory
- Execute remote commands
- Exfiltrate stolen data
HttpTroy
Delivered through a loader known as MemLoad, HttpTroy supports:
- File transfers
- Screenshot capture
- Remote command execution
- Reverse shell access
- In-memory payload execution
- Trace removal
AppleSeed
AppleSeed exists in two primary variants:
AppleSeed Dropper
- Downloads additional malware
- Executes attacker-issued commands
AppleSeed Spy
- Collects documents
- Captures screenshots
- Records keystrokes
- Enumerates USB devices
- Extracts data from South Korea’s Government Public Key Infrastructure (GPKI) directories
HappyDoor
HappyDoor is an advanced AppleSeed derivative that has been active since 2021 and continues to evolve.
Defense, Government, and Critical Industries Remain Primary Targets
Researchers note that Kimsuky’s operations continue to focus on organizations in sectors including:
- Defense
- Military
- Government
- Healthcare
- Manufacturing
- Energy
Kaspersky researchers concluded that the threat actor retains access to its original malware source code and actively modifies its toolsets to evade detection and expand operational capabilities.
The group’s increasing use of legitimate services, advanced social engineering tactics, and evolving malware families highlights its ongoing commitment to cyber espionage operations targeting strategically important organizations.
