The “Kimsuky” group expands its cyber arsenal via HTTPSpy and HelloDoor and the exploitation of VS Code Tunnels. Details: url-shortener.me/MXDW #مركز_الأمن_السيبراني_للابحاث_والدراسات
Read our Kimsuky HttpSpy malware analysis. Discover how the group utilizes a novel JSONPing method and fake Webex portals to target endpoints. #Kimsuky #HttpSpy #MalwareAnalysis #Cybersecurity #ThreatIntel #InfoSec meterpreter.org/kimsuky-http…
Kimsuky (aka Velvet Chollima), a North Korean state-sponsored threat actor, has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026, with the attacks found to deliver a variant of a known malware family dubbed `HTTPSpy` by disguising it as installers for South Korean security software. `HTTPSpy` is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint. This is not the first time Kimsuky has deployed `HTTPSpy`. In its 2025 European Threat Landscape Report, CrowdStrike said the hacking group likely targeted a German defense manufacturer's employees via a credential phishing campaign deploying the malware between May 2024 and at least September 2024. The first use of `HTTPSpy` dates back to 2022. The malicious payload was propagated through a fake web page impersonating the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it's suspected that the activity may have been specifically designed to single out messaging administrators within corporate environments. #kimsuky #Malware #CyberSecurity #CybersecurityNews #ThreatIntel thehackernews.com/2026/05/ki…
A technique has been reported in which a fake security-software distribution page checks in real time whether the malware is running on the victim's PC and, if it is not, prompts the victim to install it again. It was observed in a campaign by North Korea-linked Kimsuky targeting South Korean military and corporate organizations in March to April 2026, and has been named "JSONPing". The distribution page queries, via JSONP, a local server that the malware itself stands up on the victim's PC to confirm whether it is running. Impersonating South Korean security software is a technique that has continued since 2023, but this time additional engineering has been added to make delivery reliable, such as building the running-check into the delivery page and spreading to attendees using stolen, real meeting schedules.
[Key points]
・JSONPing: the fake distribution page queries the local server stood up by the malware via JSONP and determines in real time whether it is running. If it is not running, the page prompts installation again, reportedly to raise the delivery success rate
・The final payload confirmed in the Webex impersonation is the remote-control HTTPSpy. It is said to have been reworked from the previous single-binary form into a three-stage structure: installer → loader → HTTPSpy
・The Webex impersonation used a fake page that connected to a real meeting room. The attackers appear to have compromised the devices or accounts of related parties to obtain real meeting schedules, and are said to have distributed the malware to attendees of the same meeting
・HTTPSpy supports shell execution, file upload/download, screenshots, DLL path injection into specified processes, self-deletion, and more
・Separately, Kaspersky reported techniques that abuse legitimate mechanisms such as VS Code remote tunnels, DWAgent and Cloudflare's tunnel service for remote control and concealment of communications, as well as a Rust backdoor, "HelloDoor", that appears to have been developed with an LLM
See the following for details: enki.co.kr/en/media-center/b…
May 29
⚠️ HTTPSpy, HelloDoor, and VS Code Tunnels Enter Kimsuky’s Playbook thehackernews.com/2026/05/ki… Kimsuky, a North Korea-linked threat actor, is changing tactics. Recent campaigns used fake South Korean security software pages, a fake Webex page built around a real meeting schedule, and payloads leading to HTTPSpy. Their toolkit also keeps expanding: HelloDoor, HttpMalice, HttpTroy, AppleSeed, HappyDoor, VS Code tunnels, Cloudflare Quick Tunnels, and DWAgent. It’s a mix of custom malware and legitimate remote access tooling. #ThreatIntelligence #Kimsuky #CyberSecurity #InfoSec
[Cybersecurity trend analysis] Trending security news (as of late May 2026). Main topics: the increase in AI-enabled attacks, data breaches, vulnerability exploitation, corporate security investment, and more. securityweek.com 1
Carnival data breach (about 6 million people affected): securityweek.com/
Russia-linked 'GreyVibe' attackers strengthen their attacks with AI: securityweek.com/
Kimsuky deploys new tools such as HTTPSpy: thehackernews.com/
Critical FortiClient EMS vulnerability exploited (credential stealer deployed): thehackernews.com/
Critical Gogs RCE vulnerability: thehackernews.com/
IBM invests $5B in open-source vulnerability countermeasures: cybersecuritydive.com/
Anthropic's Claude Mythos finds over 10,000 vulnerabilities: itmedia.co.jp/news/subtop/se…
Unauthorized access to GitHub internal repositories under investigation: itmedia.co.jp/news/subtop/se…
Microsoft Defender vulnerabilities (privilege escalation / DoS): security-next.com/
Zscaler stock plunges (intensifying competition and guidance): cnbc.com/cybersecurity/
CrowdStrike 2026 Global Threat Report (AI attacks up 89%, etc.): crowdstrike.com/en-us/global…
Japan-related
Multiple software tampering incidents (distributed through legitimate channels): security-next.com/
Cases of unauthorized access to corporate servers (Sodick and others): cybersecurity-jp.com/news
Other main sources
The Hacker News: thehackernews.com/
SecurityWeek: securityweek.com/
CISA Advisories: cisa.gov/news-events/cyberse…
Security NEXT (Japan): security-next.com/
Cybersecurity Dive: cybersecuritydive.com/
⚠️ Kimsuky is hitting South Korean military and corporate targets with HTTPSpy RAT through fake security software pages and spoofed Webex meetings. The group is also expanding its arsenal with HelloDoor backdoor and VS Code tunneling for stealthier attacks. Read full report: thehackernews.com/2026/05/ki…
Callback Verification Routine in Phishing Pages xxxx/recaptcha.html -> secure./personcheck.o-r.kr ref: Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant enki.co.kr/en/media-center/b…
#Kimsuky jse/scr/pif AppleSeed/HappyDoor/MemLoad Infrastructure Update. A heartbeat message is sent approximately every second during tunneling authentication: "I am started", "~~~ I am alive ~~~". ref: securelist.com/kimsuky-apple…
ENKI Whitehat analyses recent Kimsuky cases targeting South Korean military & corporate organizations. Tailored social engineering was used, including spoofed security software install pages & a fake Webex meeting page, alongside a 3-stage HttpSpy chain. enki.co.kr/en/media-center/b…
"Analysis of Kimsuky's Advanced Attack Techniques: JSONPing, Webex Impersonation, and a New HttpSpy Variant" published by @ENKI_official_X. #HttpSpy, #JSONPing, #Kimsuky, #DPRK, #CTI
"Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant" published by @ENKI_official_X. #HttpSpy, #JSONPing, #Kimsuky, #DPRK, #CTI
Through April 2026, ENKI WhiteHat detected Kimsuky campaigns targeting South Korean military and corporate sectors. The threat actor used spoofed security software pages and fake Webex meeting pages for malware delivery, while employing a new "JSONPing" technique to verify infections in real time. Our findings include a new three-stage HttpSpy infection chain and multiple links to Kimsuky. Read our in-depth report and attribution analysis: enki.co.kr/en/media-center/b…
🚨 #Kimsuky #APT Activity Update We’ve been tracking the evolution of Kimsuky’s tooling, and based on our findings, we established the following approximate timeline: 📌 May 2024 A new Golang dropper, reported by CyberArmor, was observed deploying #HttpSpy backdoor. 📌 March 2025 Introduction of #Memloader_V2, an intermediate loader reported by @RedDrip7. This loader was delivered by the Golang dropper. We could not obtain the next-stage payload, but we suspect it to be #HttpSpy. 📌 September 2025 A new loader version, #Memloader_V3, surfaced, reported by @GenThreatLabs, alongside a new backdoor, #HttpTroy, which shares code similarities with #HttpSpy. 📝 Note 1: We identified multiple variants of the #HttpSpy backdoor with varying code structures and obfuscation levels, complicating tracking. We also observed functional overlap between #HttpTroy and older #HttpSpy samples (the former exhibiting even heavier obfuscation). 📝 Note 2: These families have been tracked under different names across the community due to their evolving codebases. Using our code similarity engine, we consolidated them into four families. We opted to use the internal names embedded in the binaries, which helped us more accurately track and cluster the payloads. 🧬 We crafted #YARA rules to hunt for the Golang dropper and Memloader. Find the rules and #IOCs here: github.com/threatray/threat-…
29 Aug 2017
Replying to @Pedrito_Vm
I have one called @httpsparnenzini httpspy, believe me it's worse