North Korean Hacker Group Kimsuky Expands Cyber Espionage Campaign Against South Korean Military and Corporate Targets + Video

Introduction

The North Korean state-backed cyber espionage group known as Kimsuky, also tracked as Velvet Chollima, has once again intensified its operations against South Korean institutions. Recent investigations reveal a sophisticated wave of cyber attacks carried out during March and April 2026, targeting military personnel, government-linked organizations, defense contractors, and corporate environments.

What makes this campaign especially dangerous is the group’s ability to blend legitimate services with carefully crafted deception techniques. By abusing trusted software installers, fake Webex meeting invitations, and advanced malware delivery systems, Kimsuky continues to evolve into one of the most persistent and adaptive cyber threat actors operating today.

Researchers from ENKI and Kaspersky uncovered a wide collection of tactics, malware variants, and stealth persistence mechanisms that demonstrate how North Korean cyber operations are increasingly leveraging modern technologies, remote administration tools, and even large language models to improve offensive capabilities.

Kimsuky Uses Fake Security Software to Infect Corporate Victims

According to ENKI researchers, Kimsuky launched attacks using counterfeit web pages that impersonated legitimate South Korean security software portals. Victims were tricked into downloading fake installers disguised as trusted applications such as nProtect Online Security and AhnLab Safe Transaction.

The malicious executables, named “nos-setup.exe” and “astx-setup.exe,” looked legitimate on the surface but secretly launched a secondary malware component called “MemLoader.dll” using the Windows utility regsvr32.exe. Shortly after infection, the malware deleted traces of itself from disk to reduce forensic visibility.

Once installed, the malware established persistence through scheduled tasks and contacted remote command-and-control servers to receive additional payloads. Researchers believe the attackers manually monitored infected systems and selectively delivered further malware only to valuable targets.

This suggests that the operation was not a mass malware campaign but rather a highly targeted espionage effort focused on military or strategic personnel.

Fake Webex Meetings Become a New Infection Vector

In a separate April 2026 campaign, Kimsuky created counterfeit Cisco Webex meeting pages to distribute malware. Victims visiting the fake meeting page were shown a pop-up claiming that camera access issues required downloading a fix.

The downloaded ZIP archive contained an encoded JScript file (.jse) called “fix-camera.jse.” Once executed, the script launched PowerShell to deploy an intermediate downloader that ran anti-analysis checks before retrieving the next-stage payloads from remote infrastructure.

Eventually, the infection chain deployed HTTPSpy, a highly capable remote access trojan that gives attackers extensive control over infected systems.
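The two delivery chains described above (a fake security-software installer launching regsvr32.exe on a DLL dropped to a temp directory, and a .jse script run by a script host that then spawns PowerShell) leave characteristic process-creation telemetry. The following is an added example, not code from ENKI, Kaspersky or the article, showing how a defender would express those patterns as rules over process-creation events (Sysmon Event ID 1 or Security 4688 with command-line logging). The path patterns, the "-setup.exe" parent heuristic and the sample events are my own assumptions and constructed data, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories an unprivileged user can write to. Legitimate COM servers registered
# with regsvr32 and legitimate logon scripts rarely live here (assumption; tune per site).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|AppData\\Roaming)\\"
    r"|\\ProgramData\\|\\Windows\\Temp\\",
    re.I,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The article's droppers were named nos-setup.exe and astx-setup.exe.
INSTALLER_LIKE = re.compile(r"-setup\.exe$", re.I)
# -EncodedCommand and its accepted abbreviations (-enc, -ec, -e).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:enc\w*|ec|e)\b", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the reasons, if any, that this process-creation event resembles
    the initial-access chains described in the article."""
    findings: List[str] = []
    image, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line

    if image == "regsvr32.exe":
        m = re.search(r'"?([A-Za-z]:\\[^"]+?\.dll)"?', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append("regsvr32 registering a DLL from a user-writable path")
        if INSTALLER_LIKE.search(parent):
            findings.append("regsvr32 spawned by an installer-named parent")

    if image in SCRIPT_HOSTS:
        m = re.search(r'"?([A-Za-z]:\\[^"]+?\.jse?)"?', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append("script host running a .js/.jse file from a user-writable path")

    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            findings.append("powershell spawned by a script host")
        if ENCODED_FLAG.search(cmd):
            findings.append("powershell launched with an encoded command")
    return findings


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that triggered at least one rule."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            results[i] = findings
    return results


# Constructed sample events (not real telemetry); file names follow the article, paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\victim\Downloads\nos-setup.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\MemLoader.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\fix-camera.jse"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", reasons)
```

The rules are deliberately narrow: a vendor installer registering a DLL under Program Files (event 4) and an interactive PowerShell session (event 5) produce no findings, while the two chains from the article each trip two rules. The self-deletion the article mentions is why this telemetry matters: the DLL may be gone from disk by the time an analyst looks, but the process-creation record survives.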

The malware can:

Execute shell commands

Upload and download files

Capture screenshots

Inject malicious DLLs into running processes

Remove traces of infection

Run remote processes

Establish persistent remote access

One particularly alarming discovery involved legitimate Webex meeting rooms. Researchers found that the attackers used real meeting schedules connected to actual military or organizational events.

This strongly indicates that Kimsuky may have previously compromised one participant’s account or device to steal meeting schedules and then weaponize them against other attendees.

JSONPing Technique Adds Real-Time Infection Monitoring

One of the most technically interesting elements of the campaign is a mechanism ENKI named “JSONPing.”

The attackers' fake pages issued JSONP requests from the victim's browser to a local server that the malware had opened on the infected machine. A successful response told the attackers, in real time, that malware execution had succeeded before they proceeded with additional payload delivery.

Instead of blindly distributing malware, Kimsuky essentially built a live infection verification system to improve operational success rates.

This level of sophistication highlights how state-sponsored cyber actors increasingly integrate web technologies with malware infrastructure to create adaptive attack ecosystems.
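Because the JSONPing check rides on the victim's own browser talking to a loopback listener, it never crosses the network perimeter, so web-proxy logs will not show it. Host telemetry can: a browser connecting to a loopback port that is served by a process that has no business listening (here, regsvr32.exe). The following is an added example, not code from the article or the researchers, that does two things: recognises a JSONP-style URL aimed at the local machine, and correlates listening sockets with browser connections. The callback parameter names, the browser list, the allow-list of legitimate loopback servers and the sample telemetry are all my assumptions and constructed data.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Query-string keys commonly used to name a JSONP callback (assumption; extend as needed).
JSONP_KEYS = {"callback", "cb", "jsonp", "jsonpcallback"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "whale.exe"}
# Processes that routinely serve loopback HTTP to a browser on developer workstations.
# This allow-list is an assumption and must be tuned per environment.
EXPECTED_LOOPBACK_SERVERS = {"code.exe", "node.exe", "python.exe"}


def looks_like_loopback_jsonp(url: str) -> bool:
    """True if a script/XHR URL targets the local machine and carries a JSONP callback parameter."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in LOOPBACK_HOSTS:
        return False
    return any(k.lower() in JSONP_KEYS for k in parse_qs(parts.query))


@dataclass
class Listener:
    pid: int
    image: str
    port: int


@dataclass
class Connection:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def correlate(listeners: List[Listener], connections: List[Connection]) -> List[Tuple[str, int, str, int]]:
    """Return (browser, port, listener image, listener pid) for each browser connection
    to a loopback port whose server process is not on the allow-list."""
    by_port = {l.port: l for l in listeners}
    alerts = []
    for c in connections:
        if c.image.lower() not in BROWSERS or c.dst_ip not in LOOPBACK_HOSTS:
            continue
        srv = by_port.get(c.dst_port)
        if srv is None or srv.image.lower() in EXPECTED_LOOPBACK_SERVERS:
            continue
        alerts.append((c.image, c.dst_port, srv.image, srv.pid))
    return alerts


# Constructed sample telemetry (not from a real host): listening sockets and browser
# connections as a netstat- or Sysmon-style collector would report them.
SAMPLE_LISTENERS = [
    Listener(4120, "regsvr32.exe", 61337),   # loader process hosting the local check endpoint
    Listener(7788, "code.exe", 5500),        # developer's live-preview server, benign
]
SAMPLE_CONNECTIONS = [
    Connection(9001, "chrome.exe", "127.0.0.1", 61337),
    Connection(9001, "chrome.exe", "127.0.0.1", 5500),
    Connection(9001, "chrome.exe", "203.0.113.7", 443),
]

if __name__ == "__main__":
    print(looks_like_loopback_jsonp("http://127.0.0.1:61337/ping?callback=jsonpCb"))
    print(correlate(SAMPLE_LISTENERS, SAMPLE_CONNECTIONS))
```

Only the connection to port 61337 is reported: the live-preview server is allow-listed and the external HTTPS connection is not loopback. In practice the listener inventory comes from periodic `netstat -ano` snapshots or Sysmon network events on the endpoint, and the URL check can be applied to browser history or to a content-security policy report endpoint if one is deployed.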

HTTPSpy Continues to Evolve as a Powerful Espionage Tool

HTTPSpy is not new to Kimsuky operations. CrowdStrike previously documented the malware being used against a German defense manufacturer between 2024 and 2025.

The malware first appeared publicly around 2022 and has steadily evolved into a full-featured espionage platform.

Unlike traditional commodity malware, HTTPSpy appears designed for stealthy intelligence gathering and long-term persistence inside strategic networks.

Researchers believe its modular design allows operators to dynamically load capabilities depending on mission requirements, reducing exposure while maximizing flexibility.

What Undercode Says:

Kimsuky Is Operating Like a Mature Intelligence Agency

The latest Kimsuky campaigns reveal a threat actor that no longer relies solely on crude phishing emails or basic malware droppers. The operational discipline displayed here resembles professional intelligence tradecraft more than conventional cybercrime.

Using legitimate Webex meeting schedules indicates prior access to sensitive environments. That means the malware distribution stage may actually represent the second or third phase of a larger espionage operation already in progress.

This is a dangerous escalation.

The Abuse of Legitimate Services Is Becoming the New Normal

One major trend visible in this campaign is the heavy abuse of legitimate infrastructure.

Instead of relying exclusively on suspicious malware servers, Kimsuky is increasingly leveraging:

VS Code Remote Tunneling

Cloudflare Quick Tunnels

DWAgent remote management tools

Legitimate meeting platforms

Trusted security software branding

This dramatically complicates detection because network traffic often appears legitimate to defensive systems.

Traditional antivirus solutions alone are becoming insufficient against modern nation-state operations.

Living-Off-The-Land Techniques Are Expanding

The use of regsvr32.exe, PowerShell, scheduled tasks, and remote management utilities reflects a broader shift toward “living-off-the-land” techniques.

Attackers prefer native Windows components because:

They reduce malware footprint

They bypass security controls

They blend into normal administrator activity

They complicate incident response

Kimsuky clearly understands enterprise security operations and is adapting accordingly.

Rust Malware Development Signals a Technical Shift

The emergence of Rust-based malware like HelloDoor is another significant evolution.

Rust offers multiple advantages for advanced threat actors:

Improved memory safety

Better cross-platform portability

Harder reverse engineering

Lower detection rates

Faster development cycles

Cybersecurity researchers are increasingly observing Rust adoption among ransomware groups and state-sponsored actors alike.

Kimsuky joining this trend suggests North Korean cyber units are modernizing their malware development pipelines aggressively.

LLM-Assisted Malware Development Is a Serious Concern

Kaspersky’s observation that some malware may have been developed with assistance from large language models introduces a troubling dimension.

AI-assisted malware development can potentially:

Accelerate code generation

Improve obfuscation methods

Help inexperienced operators

Automate phishing customization

Enhance social engineering realism

While there is no evidence that AI independently created these malware families, its possible use as a development assistant highlights how cyber warfare is entering a new phase.

Defense and Energy Sectors Remain High-Priority Targets

The overlapping targets across defense, military, machinery, medical, and energy industries show that Kimsuky is focused heavily on strategic intelligence collection rather than financial gain.

This aligns with North Korea’s long-standing cyber doctrine, which prioritizes:

Military intelligence

Political surveillance

Technology acquisition

Defense contractor infiltration

Economic intelligence gathering

The attacks are consistent with espionage objectives rather than destructive cyber warfare.

VS Code Tunneling Is Quietly Becoming a Security Nightmare

The abuse of Microsoft VS Code Remote Tunneling deserves far more attention from enterprise defenders.

Because the feature is legitimate and encrypted, many organizations fail to monitor it properly. Threat actors can establish persistent remote access without deploying traditional command-and-control infrastructure.

This creates massive visibility gaps inside corporate networks.

Security teams may soon need dedicated monitoring rules specifically for developer tools and remote collaboration software.
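The remote-access tooling the article lists (VS Code Remote Tunneling, Cloudflare Quick Tunnels, DWAgent) is legitimate software, so the useful signal is not the binary but how it is invoked and where it connects. The following is an added example, not code from the article or any vendor, that scores process, DNS and network events against a small indicator set. Port 7844 is from the article's own checks; the process names, the "tunnel" subcommand heuristic and the service domains are my assumptions about how these tools behave and should be verified against vendor documentation before use. The sample events are constructed.

```python
import re
from typing import Dict, List

# Port 7844 is taken from the article. The process names and service domains below are
# assumptions about how these tools operate; verify them against vendor documentation.
TUNNEL_DOMAINS = (
    "trycloudflare.com",             # Cloudflare Quick Tunnels
    "devtunnels.ms",                 # Microsoft dev tunnels (VS Code Remote Tunnel)
    "tunnels.api.visualstudio.com",  # VS Code tunnel control plane
    "dwservice.net",                 # DWAgent / DWService
)
TUNNEL_CMDLINES = (
    re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I),
    re.compile(r"\b(code|code-tunnel)(\.exe)?\b.*\btunnel\b", re.I),
    re.compile(r"\bdwag(ent|svc)", re.I),
)
CLOUDFLARE_TUNNEL_PORT = 7844


def classify_event(ev: Dict) -> List[str]:
    """Return indicator descriptions for one process, DNS or network event."""
    hits: List[str] = []
    if ev["type"] == "process":
        if any(p.search(ev["cmdline"]) for p in TUNNEL_CMDLINES):
            hits.append(f"tunnel client started: {ev['cmdline']}")
    elif ev["type"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
            hits.append(f"{ev['image']} resolved tunnel service domain {ev['query']}")
    elif ev["type"] == "net" and ev["dst_port"] == CLOUDFLARE_TUNNEL_PORT:
        hits.append(f"{ev['image']} connected to {ev['dst_ip']}:{ev['dst_port']} (cloudflared port)")
    return hits


def hunt(events: List[Dict]) -> List[str]:
    """Flatten the indicators found across a batch of events."""
    return [h for ev in events for h in classify_event(ev)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "process", "image": "code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name DESK01"},
    {"type": "process", "image": "code.exe",
     "cmdline": r"code.exe C:\Users\victim\project"},          # ordinary editor launch, benign
    {"type": "process", "image": "cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel --url http://localhost:8080"},
    {"type": "dns", "image": "code.exe", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "dns", "image": "chrome.exe", "query": "www.example.com"},
    {"type": "net", "image": "cloudflared.exe", "dst_ip": "203.0.113.5", "dst_port": 7844},
    {"type": "net", "image": "chrome.exe", "dst_ip": "203.0.113.9", "dst_port": 443},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The design point is that `code.exe` on its own is noise on any developer workstation; the second sample event shows why the rule keys on the `tunnel` subcommand instead. On hosts where no one is expected to run tunnels at all, the DNS rule alone is a high-confidence signal.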

AppleSeed and PebbleDash Show Continuous Malware Evolution

The continuous modification of AppleSeed, HappyDoor, HttpMalice, and PebbleDash demonstrates that Kimsuky retains active access to its malware source code repositories and development teams.

This is important because many threat groups recycle outdated malware for years without meaningful innovation.

Kimsuky appears to do the opposite.

The group consistently:

Refactors malware

Introduces new persistence methods

Adopts modern programming languages

Expands targeting profiles

Integrates stealth capabilities

Enhances remote control features

That level of sustained evolution reflects long-term institutional investment.

Deep analysis:

Detect suspicious scheduled tasks (review the "Task To Run" field for script hosts, regsvr32 and user-writable paths):
    schtasks /query /fo LIST /v

Monitor regsvr32 abuse (requires process-creation auditing with command-line logging, Event ID 4688):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -match 'regsvr32' }

Detect PowerShell encoded commands (script block logging, Event ID 4104):
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Where-Object { $_.Message -match '-enc|FromBase64String' }

Hunt for VS Code tunnel processes (this matches every VS Code instance; confirm with the process command line, which contains the "tunnel" subcommand when a tunnel is running):
    tasklist | findstr code.exe

Detect Cloudflare tunnel services (cloudflared connects outbound on port 7844):
    netstat -ano | findstr 7844

Analyze persistence registry keys (repeat for the HKLM Run key and the RunOnce keys):
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Monitor suspicious DLL loading:
    Process Monitor (Procmon), filtered on "Load Image" operations from user-writable directories

Detect outbound C2 traffic (suspicious-domain.com is a placeholder for a domain from your own indicator set):
    tcpdump -i eth0 host suspicious-domain.com

Memory analysis for injected payloads (Volatility 2 syntax, which requires the memory image's profile; Volatility 3 names the plugin windows.malfind):
    volatility -f memory.raw --profile=<profile> malfind

YARA rule example (strings as given in the article; treat as a starting point, not a sole indicator):
    rule Kimsuky_HTTPSpy {
        strings:
            $s1 = "HTTPSpy"
            $s2 = "cacheMon.dat"
            $s3 = "spyInster.dll"
        condition:
            any of them
    }

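The `schtasks /query /fo LIST /v` check above prints one "Key: value" block per task, which is tedious to read by hand on a host with hundreds of tasks. The following is an added example, not code from the article, that parses that LIST output and flags tasks whose action matches the persistence patterns the article describes (a living-off-the-land binary, a user-writable path, or an encoded PowerShell command). The sample output is constructed and trimmed to the fields the parser reads; the field names match the real LIST format, but the task names, paths and heuristics are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `schtasks /query /fo LIST /v` output (three tasks, trimmed to
# the fields this script reads). Not captured from a real host.
SAMPLE_SCHTASKS = r"""
HostName:                             WIN-DESK01
TaskName:                             \MicrosoftEdgeUpdateTaskMachineCore
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
Scheduled Task State:                 Enabled
Schedule Type:                        Daily

HostName:                             WIN-DESK01
TaskName:                             \OneDriveSync
Status:                               Ready
Author:                               WIN-DESK01\victim
Task To Run:                          regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\MemLoader.dll
Scheduled Task State:                 Enabled
Schedule Type:                        One Time Only, Minute

HostName:                             WIN-DESK01
TaskName:                             \CameraFix
Status:                               Ready
Author:                               WIN-DESK01\victim
Task To Run:                          powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
Scheduled Task State:                 Enabled
Schedule Type:                        At logon time
"""

# "Key:   value" lines; the key contains letters and spaces only, so a drive letter's
# colon inside the value is never mistaken for the separator.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")
LOLBINS = re.compile(r"\b(regsvr32|rundll32|mshta|wscript|cscript|certutil|bitsadmin)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\(Local|Roaming))\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(enc\w*|ec|e)\b", re.I)


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """Split LIST output into one dict per task; records are separated by blank lines."""
    tasks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        tasks.append(current)
    return tasks


def triage(tasks: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (TaskName, reasons) for every task whose action matches a persistence pattern."""
    hits: List[Tuple[str, List[str]]] = []
    for t in tasks:
        action = t.get("Task To Run", "")
        reasons = []
        if LOLBINS.search(action):
            reasons.append("action runs a living-off-the-land binary")
        if USER_WRITABLE.search(action):
            reasons.append("action references a user-writable path")
        if ENCODED_PS.search(action):
            reasons.append("action is an encoded PowerShell command")
        if reasons:
            hits.append((t.get("TaskName", "?"), reasons))
    return hits


if __name__ == "__main__":
    # On a live host: schtasks /query /fo LIST /v > tasks.txt, then parse that file.
    for name, reasons in triage(parse_schtasks_list(SAMPLE_SCHTASKS)):
        print(name, reasons)
```

The Edge updater task passes all three rules, while the two constructed persistence tasks are reported with the reason that matched, which is what an analyst needs to prioritise a review of a long task list.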
🔍 Fact Checker Results

✅ ENKI and Kaspersky both documented recent Kimsuky campaigns targeting South Korean sectors during 2026.

✅ HTTPSpy is a real malware family previously linked to attacks against defense-related organizations in Europe and Asia.

❌ There is currently no public evidence proving autonomous AI-generated malware, although researchers suspect LLM assistance in parts of the development workflow.

📊 Prediction

Kimsuky will likely expand the abuse of legitimate collaboration tools such as Zoom, Teams, and Slack for future malware delivery.

Rust-based malware development among nation-state actors will continue increasing throughout 2026 due to improved stealth and portability.

Security vendors will begin monitoring VS Code Remote Tunneling and developer-focused remote access tools as high-risk persistence vectors.

References:

Reported By: thehackernews.com