Per The Hacker News, North Korean state-sponsored threat actor Kimsuky has been linked to a series of sophisticated cyberattacks against South Korean military and corporate entities during March and April 2026, employing novel social engineering tactics and advanced malware.Kimsuky, also known as Velvet Chollima, utilized spoofed security software installation pages and fake Webex meeting invitations to deliver malware. A variant of the HTTPSpy remote access trojan was disguised as legitimate security software installers, a tactic consistently used by the group since 2023. In one campaign, malicious payloads were distributed through a fake webpage impersonating a B2B messaging service's security software installer, targeting messaging administrators. In another, a counterfeit Cisco Webex page tricked victims into downloading an encrypted JavaScript file, leading to the deployment of the HTTPSpy RAT.Kimsuky also leveraged Visual Studio Code tunneling and Cloudflare Quick Tunnels for covert remote access, bypassing traditional command-and-control channels. The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction. These evolving tactics highlight Kimsuky's adaptability and persistent threat to various sectors in South Korea, including defense, government, and healthcare.Source: The Hacker News
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




