Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html

Publish Date: 2026-05-29 01:57:00

Source Domain: thehackernews.com

The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026.

“Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule,” ENKI said in an analysis published this week.

The attacks have been found to deliver a variant of a known malware family dubbed HTTPSpy by disguising it as an installer for South Korean security software, a tactic the threat actor has consistently used since 2023.

In the latest campaign observed in March 2026, the adversary has been found to propagate malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it’s suspected that the activity may have been specifically designed to single out messaging administrators within corporate environments.

The page claims to offer two security tools: a firewall and a keyboard security program. Once unsuspecting users click to download, they receive one of two executables, “nos-setup.exe” or “astx-setup.exe,” that masquerade as nProtect Online Security and AhnLab Safe Transaction (ASTx) respectively. Despite the different names, the malicious behavior embedded in them is identical.

The primary responsibility of the binaries is to launch a second-stage DLL payload (“MemLoader.dll”) via “regsvr32.exe,” after which a batch script runs to delete the installer from disk. The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.

“The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims,” ENKI said.
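The delivery chain described above (fake installer, regsvr32.exe loading a DLL from a user-writable path, batch self-delete, scheduled-task persistence) lends itself to process-tree correlation. The following detection sketch is an added example, not ENKI's or The Hacker News' code; the events are constructed Sysmon-style process-creation records, and the file paths, PIDs and task name in them are made up for illustration.

```python
# Added detection sketch for the HTTPSpy delivery chain: installer EXE ->
# regsvr32.exe loading a DLL from a user-writable path -> cmd/batch
# self-delete -> scheduled task. All events below are constructed samples.
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\Downloads\astx-setup.exe", "cmd": "astx-setup.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c del "C:\Users\u\Downloads\astx-setup.exe"'},
    {"pid": 104, "ppid": 102, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /tn Updater /tr C:\Users\u\AppData\Local\Temp\run.cmd /sc minute"},
    # Benign control: a vendor installer registering a DLL under Program Files.
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Vendor\setup.exe", "cmd": "setup.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"},
]

def _indicators(root, subtree):
    """Return the set of chain stages seen among the descendants of `root`."""
    hits = set()
    for e in subtree:
        name, cmd = e["image"].rsplit("\\", 1)[-1].lower(), e["cmd"].lower()
        if name == "regsvr32.exe" and ".dll" in cmd and USER_WRITABLE.search(cmd):
            hits.add("regsvr32_dll_from_user_path")
        elif name == "cmd.exe" and re.search(r"\bdel\b", cmd) and root["image"].lower() in cmd:
            hits.add("self_delete")                # batch deleting the dropper itself
        elif name == "schtasks.exe" and "/create" in cmd:
            hits.add("scheduled_task_persistence")
    return hits

def detect_httpspy_chain(events, min_indicators=2):
    """Findings for the most specific process whose subtree shows >= min_indicators stages."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    def subtree(pid):                              # iterative DFS over the process tree
        stack, out = list(children[pid]), []
        while stack:
            e = stack.pop()
            out.append(e)
            stack.extend(children[e["pid"]])
        return out
    flagged = {e["pid"]: _indicators(e, subtree(e["pid"])) for e in events}
    flagged = {p: h for p, h in flagged.items() if len(h) >= min_indicators}
    # Keep only roots with no flagged descendant, so explorer.exe is not reported.
    return [{"pid": p, "indicators": sorted(h)} for p, h in flagged.items()
            if not any(d["pid"] in flagged for d in subtree(p))]
```

Requiring two of the three stages keeps a lone regsvr32.exe DLL registration, which legitimate installers perform, from firing on its own.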

In…