The North Korean state-sponsored group Kimsuky, also known as Velvet Chollima, has been linked to a series of cyber attacks aimed at South Korean military and corporate sectors during March and April 2026. These attacks have employed advanced social engineering tactics, including the spoofing of security software installation pages and the creation of fake Webex meeting pages.
Malware Delivery Techniques
In its latest operations, Kimsuky has utilized a variant of malware called HTTPSpy, disguising it as legitimate software installers from South Korean security vendors, a tactic the group has used consistently since 2023. In one observed campaign, the threat actor propagated malicious payloads through a counterfeit web page that mimicked the installation page of a South Korean B2B messaging service. This page offered downloads for two supposed security tools, which were actually malicious executables named nos-setup.exe and astx-setup.exe.
Execution and Persistence Mechanisms
Once downloaded, these executables launch a secondary payload, MemLoader.dll, via regsvr32.exe. The DLL establishes persistence on the infected system through a scheduled task and connects to a command-and-control (C2) server to retrieve further instructions. The malware’s behavior indicates that Kimsuky delivers follow-on payloads selectively, based on the GET requests the C2 server observes from each infected system.
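The two behaviors just described, regsvr32.exe loading a DLL from a user-writable directory and a scheduled task being created by that regsvr32.exe process, are both visible in ordinary process-creation telemetry. The following is an added detection sketch, not code from the article or from any vendor: it scans constructed Sysmon-style process-creation records (an assumed dict schema with host, image, cmdline and parent_image fields) and flags both steps, with benign control events that must not alert. Host names, user names, file paths and the task name are constructed.

```python
"""Detection sketch for the MemLoader.dll loader chain described above.

Added example, not code from the article. Scans constructed, Sysmon-style
process-creation records for (1) regsvr32.exe registering a DLL from a
user-writable location and (2) schtasks.exe /create spawned by regsvr32.exe.
"""
import re
from typing import Dict, List

# Directories an unprivileged user can write to; a DLL registered with
# regsvr32 from one of these is far more suspicious than one under
# Program Files or System32. (Assumed list; tune for your environment.)
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# First drive-letter path ending in .dll on the command line, quoted or not.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.dll)"?', re.IGNORECASE)


def regsvr32_from_user_dir(ev: Dict[str, str]) -> str:
    """Return the DLL path if ev is regsvr32.exe registering a DLL from a
    user-writable directory, otherwise an empty string."""
    if not ev["image"].lower().endswith("\\regsvr32.exe"):
        return ""
    m = DLL_ARG.search(ev["cmdline"])
    if m and USER_WRITABLE.search(m.group(1)):
        return m.group(1)
    return ""


def schtask_from_regsvr32(ev: Dict[str, str]) -> bool:
    """True if ev is schtasks.exe /create whose parent is regsvr32.exe,
    the persistence step the article attributes to MemLoader.dll."""
    return (
        ev["image"].lower().endswith("\\schtasks.exe")
        and "/create" in ev["cmdline"].lower()
        and ev["parent_image"].lower().endswith("\\regsvr32.exe")
    )


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over every event and return one finding per hit."""
    findings = []
    for ev in events:
        dll = regsvr32_from_user_dir(ev)
        if dll:
            findings.append(f"{ev['host']}: regsvr32 loaded DLL from user dir: {dll}")
        if schtask_from_regsvr32(ev):
            findings.append(f"{ev['host']}: scheduled task created by regsvr32: {ev['cmdline']}")
    return findings


# Constructed sample events (not real telemetry). Event 0 mirrors the
# article's MemLoader.dll stage, event 1 the persistence step; events 2 and 3
# are benign controls (vendor installer, user-created backup task).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\MemLoader.dll"',
     "parent_image": r"C:\Users\alice\Downloads\nos-setup.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "ExampleUpdate" /tr "C:\Users\alice\AppData\Local\Temp\MemLoader.dll" /sc minute',
     "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Correlating the two findings on the same host within a short window (the regsvr32 load followed by the task creation) is what turns either weak signal into a confident one; the regsvr32-from-user-directory check alone will also fire on some legitimate per-user installers, so it is better suited to hunting than to paging.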
Additional Campaigns and Techniques
Another campaign in April 2026 involved a fake Cisco Webex page that prompted users to download a script to fix camera issues. This script led to the deployment of an intermediate downloader, which then fetched additional malware, including engine.dat and spyInster.dll. The final stage of this attack involved executing HTTPSpy, a comprehensive remote access trojan capable of executing commands, capturing screenshots, and more.
Evolution of Kimsuky’s Tactics
Kaspersky has reported that Kimsuky has also been leveraging legitimate tools such as Microsoft Visual Studio Code (VS Code) for tunneling, along with other technologies like Cloudflare Quick Tunnels and the Rust programming language. The group has been adapting its methods, employing various malware families including HelloDoor and AppleSeed, which have targeted both public and private sectors in South Korea. These developments highlight Kimsuky’s evolving capabilities and its focus on data exfiltration and advanced remote control functionalities.
As Kimsuky continues to refine its tactics, the implications for cybersecurity in affected sectors remain significant, particularly given the actor’s ability to craft sophisticated phishing schemes and utilize legitimate software for malicious purposes.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.