{"id":260974,"date":"2026-05-29T01:57:00","date_gmt":"2026-05-29T05:57:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/29\/kimsuky-deploys-httpspy-expands-arsenal-with-hellodoor-and-vs-code-tunnels\/"},"modified":"2026-06-01T08:55:07","modified_gmt":"2026-06-01T12:55:07","slug":"kimsuky-deploys-httpspy-expands-arsenal-with-hellodoor-and-vs-code-tunnels","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/29\/kimsuky-deploys-httpspy-expands-arsenal-with-hellodoor-and-vs-code-tunnels\/","title":{"rendered":"Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/kimsuky-deploys-httpspy-expands-arsenal.html\">Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/kimsuky-deploys-httpspy-expands-arsenal.html\">https:\/\/thehackernews.com\/2026\/05\/kimsuky-deploys-httpspy-expands-arsenal.html<\/a><\/p>\n<p>Publish Date: 2026-05-29 01:57:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026.<\/p>\n<p>&#8220;Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule,&#8221; ENKI said in an analysis published this week.<\/p>\n<p>The attacks have been found to deliver a variant of a known malware family dubbed HTTPSpy by disguising it as installers from South Korean security software, a tactic the threat actor 
has consistently adopted since 2023.<\/p>\n<p>In the latest campaign, observed in March 2026, the adversary has been found to propagate malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it&#8217;s suspected that the activity may have been specifically designed to single out messaging administrators within corporate environments.<\/p>\n<p>The page claims to offer two security tools: a firewall and a keyboard security program. Once unsuspecting users initiate the download, they receive one of two executables &#8211; &#8220;nos-setup.exe&#8221; or &#8220;astx-setup.exe&#8221; &#8211; that masquerade as nProtect Online Security and AhnLab Safe Transaction (ASTx), respectively. Despite the different names, the malicious behavior embedded in them is identical.<\/p>\n<p>The primary responsibility of the binaries is to launch a second-stage DLL payload (&#8220;MemLoader.dll&#8221;) via &#8220;regsvr32.exe,&#8221; after which a batch script is run to delete them from disk. 
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.<\/p>\n<p>&#8220;The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims,&#8221; ENKI said.<\/p>\n<p>In&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/kimsuky-deploys-httpspy-expands-arsenal.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels https:\/\/thehackernews.com\/2026\/05\/kimsuky-deploys-httpspy-expands-arsenal.html Publish Date: 2026-05-29&#8230;<\/p>\n","protected":false},"author":1,"featured_media":260976,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjJfUl1K-os1XyLN-SBt6PgMia_jFG03ArRa3H0FI2hsiUqNa3lqSWY2NJcvOhY33TArSKJxeookUpkATdERUpEwKw-IUi6iv9ZVuUq4c1A99mLwgQB4ibCxBx4MBR1XXmM98zH7v-QWDO7bhh1AONQ8Op0htvwHhuivwI1Cch9rgLPO-zSGCjjQbvXdDte\/s1600\/north-korea.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,34],"class_list":["post-260974","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260974"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=260974"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/p
osts\/260974\/revisions"}],"predecessor-version":[{"id":260979,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260974\/revisions\/260979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/260976"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=260974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=260974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=260974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}