Kimsuky
-
Kimsuky uses fake Webex pages and HTTPSpy in South Korea attacks
Kimsuky targeted South Korean military and corporate entities in March and April 2026 with fake security pages, counterfeit Webex lures and a new HTTPSpy malware variant, according to technical analyses from ENKI and Kaspersky.
-
DPRK-linked hackers use GitHub as command hub in South Korea attacks
DPRK-linked hackers used GitHub as command and control infrastructure in attacks on South Korean organizations, Fortinet said. The campaigns relied on LNK files, PowerShell, persistence tasks and trusted cloud services to hide activity.
-
FBI warns Kimsuky used malicious QR codes in 2025 quishing campaigns
An FBI flash alert warned that the North Korea-linked group Kimsuky used malicious QR codes in 2025 spear-phishing campaigns to target think tanks, academia, and government entities. The attacks aimed to steal session tokens and bypass multi-factor authentication.
-
Kimsuky campaign uses QR codes to deliver DocSwap Android malware, South Korean firm says
South Korean firm ENKI linked the North Korean actor Kimsuky to a campaign distributing a DocSwap Android trojan via QR codes on phishing sites impersonating CJ Logistics; the malware decrypts an embedded APK, registers a RAT service and accepts many remote commands.
-
UK’s NCSC pilots Proactive Notifications to warn organisations of exposed devices
The UK’s National Cyber Security Centre has begun piloting Proactive Notifications, a Netcraft-delivered service that scans public internet data to warn organisations about exposed devices and recommend updates; it complements the NCSC’s Early Warning alerts but is not a replacement and has no announced end to the pilot phase.
-
UK introduces Cyber Security and Resilience Bill to bolster critical infrastructure defenses
The UK government has introduced the Cyber Security and Resilience Bill to tighten protections for hospitals, energy, water and transport systems, build on the NIS Regulations, require managed service providers to meet security standards and report major incidents quickly, and impose turnover-based penalties for serious breaches.
-
North Korea‑linked Kimsuky uses HttpTroy backdoor in spear‑phishing attack on South Korea
Security vendor Gen Digital said DPRK‑linked Kimsuky used a ZIP‑based spear‑phishing lure to deliver a three‑stage malware chain culminating in a new HttpTroy backdoor that provides extensive remote control and uses layered obfuscation.
-
North Korea-linked hackers used AI-generated fake military ID in espionage campaign, researchers say
Researchers say North Korea’s Kimsuky used a deepfaked image of a military ID generated with ChatGPT to launch a July spear-phishing campaign against a South Korean defense-related institution, highlighting AI-assisted espionage tactics and the ongoing challenges of AI misuse.
-
State-sponsored XenoRAT campaign targets South Korean embassies, researchers say
A Trellix-led analysis describes a multi-phase, state-sponsored XenoRAT espionage campaign targeting South Korean embassies, with links to North Korea’s Kimsuky and indications of possible China-based sponsorship. The operation has conducted at least 19 spear-phishing attacks since March, delivering XenoRAT via password-protected ZIP archives and complex, multilingual lures.










