Threat Intelligence

North Korean hackers Kimsuky target South Korea with new malware variants

Per The Hacker News, North Korean state-sponsored threat actor Kimsuky has been linked to a series of sophisticated cyberattacks against South Korean military and corporate entities during March and April 2026, employing novel social engineering tactics and advanced malware.

Kimsuky, also known as Velvet Chollima, utilized spoofed security software installation pages and fake Webex meeting invitations to deliver malware. A variant of the HTTPSpy remote access trojan was disguised as legitimate security software installers, a tactic consistently used by the group since 2023. In one campaign, malicious payloads were distributed through a fake webpage impersonating a B2B messaging service's security software installer, targeting messaging administrators. In another, a counterfeit Cisco Webex page tricked victims into downloading an encrypted JavaScript file, leading to the deployment of the HTTPSpy RAT.

Kimsuky also leveraged Visual Studio Code tunneling and Cloudflare Quick Tunnels for covert remote access, bypassing traditional command-and-control channels. The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction. These evolving tactics highlight Kimsuky's adaptability and persistent threat to various sectors in South Korea, including defense, government, and healthcare.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds