Kimsuky used HTTPSpy, fake Webex lures and VS Code tunnels
North Korea-linked Kimsuky used fake South Korean security installers and a counterfeit Webex page in March–April 2026 to deploy HTTPSpy and exploit VS Code tunneling.
North Korea-linked threat actor Kimsuky ran campaigns in March and April 2026 that targeted South Korean military and corporate entities. The group delivered the HTTPSpy remote-access trojan through fake security-software installers and a counterfeit Webex meeting page, and it abused legitimate remote-access services for post-compromise access.
ENKI’s analysis found that Kimsuky set up spoofed installation pages that mimicked South Korean security tools and a B2B messaging service. Victims who downloaded the files executed installers named nos-setup.exe and astx-setup.exe. Those binaries invoked regsvr32 to load a second-stage DLL called MemLoader.dll, ran a batch script that removed initial files, created a scheduled task for persistence, and contacted command-and-control servers for further payloads.
In a separate April campaign, a counterfeit Webex page prompted users to download a script presented as a fix for camera access. That script unpacked an encrypted JavaScript file, which launched a PowerShell downloader. The downloader performed anti-analysis checks, fetched a DLL payload, dropped a loader component called cacheMon.dat and launched HTTPSpy. The malicious Webex page also opened a legitimate meeting room that matched an actual scheduled event.
ENKI reported that the attacker used a technique it calls JSONPing, where fake pages query a local server set up by the malware to verify whether the payload is running and to prompt installation if it is not. The analysis also showed the operator monitored recurring GET requests from infected hosts and selectively delivered additional payloads to chosen victims.
HTTPSpy provides remote access functions including running shell commands, transferring files, executing processes, taking screenshots, injecting DLLs into other processes and self-removal. ENKI and other reporting trace HTTPSpy use by Kimsuky back to 2022 and note prior deployments in 2024 against a German defense manufacturer.
Kaspersky’s investigation identified wider tool abuse and newer payloads from late 2025 into 2026. The actor used Visual Studio Code remote tunneling, Cloudflare Quick Tunnels and the DWAgent remote management tool to maintain covert access. Two activity clusters were observed: PebbleDash, focused on remote-control capabilities, and AppleSeed, oriented toward data theft. Newer payloads include a Rust-based HelloDoor and an HttpMalice backdoor. Other components tied to these campaigns include HttpTroy, a loader-based backdoor, and AppleSeed variants that harvest documents, screenshots, keystrokes and connected USB drive listings.
Kaspersky researcher Sojun Ryu commented: ‘Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it.’ The researcher also noted overlapping target sectors that include defense, military, government, medical, machinery and energy.
Security firms recommend that organizations hosting meetings and providing remote access carefully validate installation prompts, monitor tunneling sessions and check for unexpected scheduled tasks.
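The checks those recommendations imply, as an added Python example (not code from ENKI, Kaspersky or this article): it classifies constructed process-creation records for the behaviours described above, namely regsvr32 loading a DLL from a user-writable path, a scheduled task whose action lives in such a path, a `code tunnel` session and a `cloudflared tunnel --url` quick tunnel. Field names, paths and PIDs are assumptions.

```python
import re
import ntpath

# Constructed process-creation records (hypothetical paths and PIDs), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\MemLoader.dll"},
    {"pid": 4132, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "Update" /tr "C:\Users\kim\AppData\Local\Temp\run.bat"'},
    {"pid": 5000, "image": r"C:\Users\kim\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": "code tunnel --accept-server-license-terms"},
    {"pid": 5010, "image": r"C:\Users\kim\Downloads\cloudflared.exe",
     "cmdline": "cloudflared tunnel --url http://localhost:3389"},
    {"pid": 6000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # benign: system DLL
    {"pid": 6001, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Locations an unprivileged user can write to; DLLs and task actions there deserve a look.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\", re.I)
DLL_ARG = re.compile(r"\S+\.(?:dll|ocx)\b", re.I)


def classify(event):
    """Return a rule name if the record matches one of the described behaviours, else None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    if image == "regsvr32.exe":
        m = DLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group(0)):
            return "regsvr32-user-writable-dll"
    elif image == "schtasks.exe":
        if "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
            return "schtasks-user-writable-action"
    elif image == "code.exe" and re.search(r"\btunnel\b", cmd):
        return "vscode-tunnel"
    elif image == "cloudflared.exe" and re.search(r"\btunnel\b.*--url", cmd):
        return "cloudflare-quick-tunnel"
    return None


def detect(events):
    """Run every record through classify() and return (pid, rule) hits in input order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

A legitimate developer running `code tunnel` will also trigger the tunnel rule, so treat it as a triage signal to correlate with the user and host rather than an alert on its own.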