May 29
⚠️ HTTPSpy, HelloDoor, and VS Code Tunnels Enter Kimsuky’s Playbook thehackernews.com/2026/05/ki… Kimsuky, a North Korea-linked threat actor, is changing tactics. Recent campaigns used fake South Korean security software pages, a fake Webex page built around a real meeting schedule, and payloads leading to HTTPSpy. Their toolkit also keeps expanding: HelloDoor, HttpMalice, HttpTroy, AppleSeed, HappyDoor, VS Code tunnels, Cloudflare Quick Tunnels, and DWAgent. It’s a mix of custom malware and legitimate remote access tooling. #ThreatIntelligence #Kimsuky #CyberSecurity #InfoSec
3
9
1,220
Kimsuky 🇰🇷 deploys new Rust-based HelloDoor backdoor and VSCode tunneling, expanding PebbleDash arsenal with AI-assisted code development and legitimate remote access abuse. Korean-speaking APT group continues evolving tactics with multiple malware clusters targeting defense and government sectors across South Korea 🇰🇷, Brazil 🇧🇷, and Germany 🇩🇪:
• HelloDoor: First Rust-coded PebbleDash variant uses Cloudflare Quick Tunnels for C2 (female-disorder-beta-metropolitan.trycloudflare[.]com), contains LLM-generated comments with emojis
• httpMalice: Latest backdoor variant with ChaCha20 encryption, creates "CacheDB" service for persistence, gathers GPKI certificates from C:\GPKI directory
• VSCode abuse: JSE droppers install legitimate Visual Studio Code CLI, establish "bizeugene" tunnels via GitHub auth to bypass traditional C2 detection
• MemLoad V3: Downloads httpTroy payload reflectively, creates scheduled tasks "ChromeCheck"/"EdgeCheck" for persistence (T1053.005)
• DWAgent deployment: Installs remote admin tool with pre-configured accounts for covert access
Hunt for regsvr32.exe spawning from JSE files, scheduled tasks with "Check" naming patterns, and unexpected VSCode CLI processes in C:\Users\Public. Monitor for ChaCha20 encryption artifacts and connections to *.trycloudflare[.]com domains. #DFIR_Radar
1
1
405
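Added example, not code from any of the posts above or from the vendors they cite: a small hunt over constructed Sysmon-style event records for the four host and network indicators the post lists (regsvr32.exe spawned from a JSE script, VS Code CLI under C:\Users\Public, scheduled tasks ending in "Check", lookups of *.trycloudflare.com). The event field names and the VS Code CLI binary names (code.exe, code-tunnel.exe) are assumptions.

```python
"""Hunting checks for the Kimsuky indicators named in the post above.
The events below are constructed Sysmon-style dicts, not real telemetry."""
import re

# *.trycloudflare.com; the post lists the domain defanged as trycloudflare[.]com
TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
# "ChromeCheck" / "EdgeCheck" naming pattern for scheduled tasks
TASK_RE = re.compile(r"Check$", re.I)
PUBLIC_RE = re.compile(r"^C:\\Users\\Public\\", re.I)
# Assumed VS Code CLI binary names; adjust to what your environment deploys
VSCODE_CLI_RE = re.compile(r"\\code(-tunnel)?\.exe$", re.I)


def classify(ev: dict) -> list:
    """Return the indicator names one event matches (empty list if benign)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "").lower()
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        # regsvr32.exe launched by a script host that is running a .jse file
        if (image.lower().endswith("\\regsvr32.exe")
                and parent.endswith(("\\wscript.exe", "\\cscript.exe"))
                and ".jse" in parent_cmd):
            hits.append("regsvr32_from_jse")
        # VS Code CLI running out of C:\Users\Public rather than an install path
        if PUBLIC_RE.match(image) and VSCODE_CLI_RE.search(image):
            hits.append("vscode_cli_in_public")
    elif kind == "task" and TASK_RE.search(ev.get("TaskName", "")):
        hits.append("check_named_task")
    elif kind == "dns" and TUNNEL_RE.search(ev.get("QueryName", "")):
        hits.append("trycloudflare_lookup")
    return hits


def hunt(events: list) -> list:
    """(event index, indicator) for every match across a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.jse"'},
    {"type": "process", "Image": r"C:\Users\Public\code.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"type": "process", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"type": "task", "TaskName": "ChromeCheck"},
    {"type": "task", "TaskName": "GoogleUpdateTaskMachineUA"},
    {"type": "dns", "QueryName": "example-tunnel-name.trycloudflare.com"},
    {"type": "dns", "QueryName": "trycloudflare.com.evil.example"},
]
```

The legitimate VS Code install path and the look-alike domain in the sample batch are there to show the checks anchor on the directory and the domain suffix, not on a substring.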
#Lazarus DeceptiveDevelopment (NVIDIA-themed credential harvesting), and evolving tools such as BADCALL (new Linux variant with logging to /tmp/sslvpn.log) and BLINDINGCAN (enhanced obfuscation). #Kimsuky Focuses on espionage with tools like HttpTroy backdoor and MemLoad loader, often via themed lures (e.g., VPN invoices). Shared TTPs include open directories for tool staging, FRP (Fast Reverse Proxy) tunneling for C2, credential theft kits, and VPS provider reuse. Some infrastructure links to Bluenoroff (APT38) #iocs hunt.io/blog/dprk-lazarus-ki…
8
22
3,804
🚨 #Kimsuky #APT Activity Update We’ve been tracking the evolution of Kimsuky’s tooling, and based on our findings, we established the following approximate timeline:
📌 May 2024 A new Golang dropper, reported by CyberArmor, was observed deploying #HttpSpy backdoor.
📌 March 2025 Introduction of #Memloader_V2, an intermediate loader reported by @RedDrip7. This loader was delivered by the Golang dropper. We could not obtain the next-stage payload, but we suspect it to be #HttpSpy.
📌 September 2025 A new loader version, #Memloader_V3, surfaced, reported by @GenThreatLabs, alongside a new backdoor, #HttpTroy, which shares code similarities with #HttpSpy.
📝 Note 1: We identified multiple variants of the #HttpSpy backdoor with varying code structures and obfuscation levels, complicating tracking. We also observed functional overlap between #HttpTroy and older #HttpSpy samples (the former exhibiting even heavier obfuscation).
📝 Note 2: These families have been tracked under different names across the community due to their evolving codebases. Using our code similarity engine, we consolidated them into four families. We opted to use the internal names embedded in the binaries, which helped us more accurately track and cluster the payloads.
🧬 We crafted #YARA rules to hunt for the Golang dropper and Memloader. Find the rules and #IOCs here: github.com/threatray/threat-…
17
69
6,079
8 Nov 2025
🚩 New HttpTroy Backdoor Poses as VPN Invoice, Linked to Kimsuky thehackernews.com/2025/11/ne… Researchers say Kimsuky delivered a previously undocumented backdoor called HttpTroy via a spear-phishing lure that mimics a VPN invoice, targeting at least one victim in South Korea. The implant uses HTTP-based callbacks to blend with normal web traffic and likely supports data theft and persistence. Hunt for unusual HTTP POSTs from user endpoints, inspect mail attachments that claim to be VPN invoices, and scan for newly created services or scheduled tasks after such opens. #ThreatHunting #Malware

1
4
13
2,209
6 Nov 2025
⚠️ New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea thehackernews.com/2025/11/ne… The North Korea-linked threat actor Kimsuky delivered a multi-stage implant dubbed “HttpTroy” via a ZIP-file phishing lure disguised as a VPN invoice. The chain begins with a Golang dropper, loader “MemLoad,” and final backdoor deploying via scheduled tasks named “AhnlabUpdate”, capturing screenshots, files, and executing arbitrary commands. #ThreatHunting #APT #CyberSecurity

4
6
1,179
3 Nov 2025
New backdoor "HttpTroy" used in a phishing attack targeting South Korean companies. Reported to gain entry via a ZIP disguised as a VPN invoice and to be capable of file transfer, screen capture, and command execution. #HttpTroy #Kimsuky #Malware #CyberAttack thehackernews.com/2025/11/ne…
2
546
Members of Gen Digital Threat Labs uncover two new DPRK toolsets - Kimsuky’s HttpTroy backdoor and Lazarus’s upgraded BLINDINGCAN remote access tool - and explain how these tools work. gendigital.com/blog/insights…
8
26
2,432
3 Nov 2025
The North Korea-linked threat group Kimsuky used the newly identified backdoor HttpTroy in a sophisticated phishing attack that succeeded against a single victim in South Korea; the attack relies on clever file-name disguise and a three-stage execution chain. Starting from a screensaver (SCR) file in a ZIP attachment, it unfolds in three stages: Golang dropper → loader (MemLoad) → DLL-based backdoor HttpTroy. MemLoad persists through an "AhnlabUpdate" scheduled task and decrypts and executes HttpTroy. HttpTroy performs file upload and download, screenshots, command execution with elevated privileges, in-memory execution, reverse shell, process termination, and trace removal, and communicates with its C2 over HTTP POST. Strings and API calls are obfuscated with XOR, SIMD, and custom hashing to hinder analysis. thehackernews.com/2025/11/ne…
14
1,522
⚠️ North Korea’s Kimsuky just dropped a new backdoor — HttpTroy — hidden in a fake VPN invoice. It shows a decoy PDF, sets a fake “AhnlabUpdate” task, and rebuilds code on the fly to dodge detection. Details ↓ thehackernews.com/2025/11/ne…
6
45
107
15,411
Over the past few weeks, our Threat Labs researchers discovered two new toolsets that show how adaptable North Korean operations are. Kimsuky, known for espionage activity, deployed a new backdoor that we named HttpTroy, and Lazarus introduced an upgraded version of the BLINDINGCAN remote access tool.
#kimsuky Malware HttpTroy #lazarus BLINDINGCAN remote access tool upgraded version gendigital.com/blog/insights…
3
224
#kimsuky Malware HttpTroy #lazarus BLINDINGCAN remote access tool upgraded version gendigital.com/blog/insights…
1
9
36
15,744
Kimsuky uses ZIP lures and a Go dropper (XOR decryption) with MemLoad persistence via scheduled task to deliver HttpTroy, which loads in memory and uses HTTP POST obfuscated with XOR Base64.
2
76