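A technique has been reported in which a fake security software distribution page checks in real time whether the malware is running on the victim's PC and, if it is not, prompts the victim to install it again. The campaign, by North Korea-linked Kimsuky targeting the South Korean military and companies, was observed from March to April 2026 and has been named "JSONPing". The distribution page reportedly queries, via JSONP, a local server that the malware itself sets up on the victim's PC to check whether it is running. Impersonating South Korean security software is itself a technique that has been in use since 2023, but this time refinements intended to make delivery reliable have been added, such as building the liveness check into the delivery page and spreading to attendees using a stolen, real meeting schedule. [Key points] • JSONPing: the fake distribution page queries the local server set up by the malware via JSONP and determines in real time whether it is running. If it is not running, the page prompts installation again, reportedly with the aim of raising the delivery success rate • The final payload confirmed in the Webex impersonation is the remote-control HTTPSpy. It is said to have been rebuilt from the earlier single-binary form into a three-stage "installer → loader → HTTPSpy" structure • The Webex impersonation used a fake page that connects to a real meeting room. The attackers are believed to have compromised the devices or accounts of people involved to obtain a real meeting schedule, and reportedly distributed malware to attendees of the same meeting • HTTPSpy supports shell execution, sending and receiving files, screenshots, DLL path injection into a specified process, self-deletion, and more • Separately, Kaspersky also reported techniques that abuse legitimate mechanisms such as VS Code remote tunnels, DWAgent, and Cloudflare's tunnel service for remote control and for concealing communications, as well as "HelloDoor", a Rust backdoor believed to have been developed with an LLM. For details, see: enki.co.kr/en/media-center/b…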

5
15
1,312
May 29
⚠️ HTTPSpy, HelloDoor, and VS Code Tunnels Enter Kimsuky’s Playbook thehackernews.com/2026/05/ki… Kimsuky, a North Korea-linked threat actor, is changing tactics. Recent campaigns used fake South Korean security software pages, a fake Webex page built around a real meeting schedule, and payloads leading to HTTPSpy. Their toolkit also keeps expanding: HelloDoor, HttpMalice, HttpTroy, AppleSeed, HappyDoor, VS Code tunnels, Cloudflare Quick Tunnels, and DWAgent. It’s a mix of custom malware and legitimate remote access tooling. #ThreatIntelligence #Kimsuky #CyberSecurity #InfoSec
3
9
1,218
⚠️ Kimsuky is hitting South Korean military and corporate targets with HTTPSpy RAT through fake security software pages and spoofed Webex meetings. The group is also expanding its arsenal with HelloDoor backdoor and VS Code tunneling for stealthier attacks. Read full report: thehackernews.com/2026/05/ki…
3
26
76
14,744
Kimsuky APT evolves its arsenal with "HelloDoor," a new Rust-based backdoor, and hijacks trusted VSCode Remote Tunneling to bypass corporate firewalls. #Kimsuky #ThreatIntel #RustLang #VSCode #CloudSecurity #InfoSec #CyberSecurity #APT43 #MalwareAnalysis securityonline.info/kimsuky-…
4
12
875
Kimsuky 🇰🇷 deploys new Rust-based HelloDoor backdoor and VSCode tunneling, expanding PebbleDash arsenal with AI-assisted code development and legitimate remote access abuse. Korean-speaking APT group continues evolving tactics with multiple malware clusters targeting defense and government sectors across South Korea 🇰🇷, Brazil 🇧🇷, and Germany 🇩🇪: • HelloDoor: First Rust-coded PebbleDash variant uses Cloudflare Quick Tunnels for C2 (female-disorder-beta-metropolitan.trycloudflare[.]com), contains LLM-generated comments with emojis • httpMalice: Latest backdoor variant with ChaCha20 encryption, creates "CacheDB" service for persistence, gathers GPKI certificates from C:\GPKI directory • VSCode abuse: JSE droppers install legitimate Visual Studio Code CLI, establish "bizeugene" tunnels via GitHub auth to bypass traditional C2 detection • MemLoad V3: Downloads httpTroy payload reflectively, creates scheduled tasks "ChromeCheck"/"EdgeCheck" for persistence (T1053.005) • DWAgent deployment: Installs remote admin tool with pre-configured accounts for covert access Hunt for regsvr32.exe spawning from JSE files, scheduled tasks with "Check" naming patterns, and unexpected VSCode CLI processes in C:\Users\Public. Monitor for ChaCha20 encryption artifacts and connections to *.trycloudflare[.]com domains. #DFIR_Radar
1
1
405
There's no day better than a #bookbirthday. I couldn't be more proud of this sequel to #hellodoor from @AlisaCoburn and @littlebeebooks that releases today! Early Christmas presents are the best... alastairheim.com/books#/hell…
4
2
16
Keep an eye out, there's a sly fox saying 'hello' to everything! In #HelloDoor, by @alastairheim and illustrated by @AlisaCoburn a fox sneaks into a house and wreaks havoc! See his shenanigans continue when the sequel, #HelloTree comes out this September. #BeeAReader🐝
3
7
That mischievous Foxy from #HelloDoor is back on September 6th (as sneaky as ever) in a holiday sequel called #HelloTree! An absolutely sincere thank you to @AlisaCoburn for the heart, humor, charm, and stunning illustrations she created. We can't wait for everyone to see it!
5
4
39
People often ask me what the best part about being a picture book author is and, for me, it's when you find out a child loves your book. #hellodoor @littlebeebooks
6
And when he had stolen enough, of the Bear family’s valuable stuff, the BEARS caught him leaving, and stopped all his thieving, and tossed that Fox out in a huff... #HelloDoor #RevealTomorrowNight @littlebeebooks @KSonnack @AlisaCoburn alastairheim.com/books#/hell…
1
2
He eagerly jumped at the chance, to pilfer some prize-winning plants… and a renaissance bear (who looked quite debonair) in his fluffy and fancy red pants… #HelloDoor #StayTuned #MoreToCome @littlebeebooks @KSonnack @AlisaCoburn alastairheim.com/books#/hell…
2
1
2
There once was a sneaky red FOX, who LOVED to steal jewels by the box. From diamonds to rings, he wore sparkly things, from his head to his foxy black socks… #HelloDoor #StayTuned #MoreToCome @littlebeebooks @KSonnack @AlisaCoburn alastairheim.com/books#/hell…
1
20
#HelloDoor, by @alastairheim and illustrated by @AlisaCoburn, follows a clever fox as he creeps around, collecting fine art, jewelry, and more in a house that is not his. He's on his way out with his loot when the bears that own the house return! 🦊🐻🐻🐻 #BeeAReader 🐝
3
6
Benedict Cumberbatch reads #HelloDoor in the voice of Smaug. Dramatically ups the stakes and takes the story to a whole new level. #PBChat
2
22
My book #HelloDoor was a title I came up with in 2012...wrote it in my idea journal and didn't write the actual story until 2016. It was because of that "3 Titles Per Day" exercise that the book exists (and, of course, because Little Bee was kind enough to publish it). #PBChat
2
9
23 Sep 2020
Funny you all bring this up. Been looking at this recently as well. Most systems are just contact relays. The big gap is bringing it in to Teams, especially with Video. HelloDoor does the Audio really nicely but I haven't found one that works with video.
2