
The Tunnel Behind the Meeting
- Javier Conejo del Cerro
- 24 hours ago
- 5 min read
North Korea’s Kimsuky threat group continues to evolve beyond traditional phishing and malware delivery techniques. Recent campaigns observed during March and April 2026 demonstrate a mature espionage operation that combines convincing social engineering, custom malware families, legitimate remote administration technologies, and innovative persistence mechanisms. By impersonating trusted South Korean security products and legitimate Cisco Webex meetings, the group successfully targeted military organizations, government entities, and private-sector companies in a campaign designed to maximize infection rates while minimizing detection.
What makes these operations particularly concerning is the combination of well-established espionage tactics with newer approaches such as VS Code Remote Tunneling, Cloudflare Quick Tunnels, DWAgent, Rust-based malware, and even the apparent use of large language models during malware development. The result is a flexible and adaptive toolkit capable of maintaining long-term access to sensitive environments while continuously harvesting valuable intelligence.
Phase 1: Building Trust Through Deception
The attack begins with carefully crafted social engineering campaigns designed to exploit trust rather than technical vulnerabilities. Kimsuky created counterfeit websites impersonating legitimate South Korean security software vendors and corporate communication platforms.
One campaign targeted messaging administrators by mimicking the installation portal of a South Korean B2B messaging service. Visitors were encouraged to download what appeared to be legitimate security products, including firewall software and keyboard protection applications. The executables closely resembled trusted software packages such as nProtect Online Security and AhnLab Safe Transaction, making them difficult to distinguish from legitimate downloads.
In a parallel campaign, the group created fake Cisco Webex meeting pages. Unlike traditional phishing pages, these sites leveraged real meeting schedules associated with legitimate events. This strongly suggests that Kimsuky had already compromised at least one participant and used stolen meeting information to increase credibility among other attendees.
Phase 2: Silent Installation and Malware Delivery
Once the victim downloads and executes the fake installer, the infection chain begins. The malicious binary launches a secondary DLL payload known as MemLoader.dll through regsvr32.exe, a signed Windows utility for registering COM components that attackers favour because it calls the DLL's DllRegisterServer export under a trusted process name, so the payload runs without a conspicuous new executable on disk.
After establishing execution, the malware removes traces of the original installer from disk and creates scheduled tasks to ensure persistence. The compromised device then begins communicating with attacker-controlled infrastructure, waiting for additional payloads to be delivered selectively.
The Webex-themed campaign follows a more elaborate path. Victims are instructed to resolve a supposed camera issue by downloading a ZIP archive containing an encoded JScript (.jse) file. That script launches PowerShell, which performs anti-analysis checks before downloading additional malware components from the command-and-control infrastructure.
The staged approach allows Kimsuky to evaluate victims before deploying more advanced payloads, reducing exposure and limiting the chances of detection.
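The loader-and-persistence pattern above (regsvr32 running a DLL from a user-writable path, then a scheduled task that re-launches it) is easy to hunt for once the two events are correlated per host. The following script is an added example written for this article; it is not code from the original piece, from Kaspersky or from The Hacker News. The event records are constructed Sysmon-style process-creation entries: the MemLoader.dll name comes from the article, while its location under %TEMP%, the task name and the host names are assumptions made for the example.

```python
"""Hunt for regsvr32 executing a DLL from outside trusted directories, followed
within a time window by a scheduled task on the same host that re-launches the
same DLL. Events are constructed Sysmon-style records (not real telemetry)."""
import re
from datetime import datetime, timedelta

# Locations from which regsvr32 is normally invoked by installers and updaters.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL argument of a regsvr32 command line, quoted (may contain spaces) or bare.
REGSVR_DLL = re.compile(
    r'regsvr32(?:\.exe)?\b.*?(?:"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\\S+?\.dll))', re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)   # schtasks /tr <action>
USER_PROFILE = re.compile(r'[a-z]:\\users\\[^\\]+\\', re.I)

# Constructed sample events. MemLoader.dll is the name from the article; the
# %TEMP% location, task name "nProtectUpdate" and hosts are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-03-12T09:00:10", "host": "WS03",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\VendorSuite\helper.dll"'},
    {"ts": "2026-03-12T09:14:02", "host": "WS01",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\kim\AppData\Local\Temp\MemLoader.dll"'},
    {"ts": "2026-03-12T09:16:40", "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /tn "nProtectUpdate" '
                r'/tr "regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\MemLoader.dll" /sc minute /mo 15'},
    {"ts": "2026-03-12T10:02:11", "host": "WS02",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "OneDriveSync" /tr C:\Users\park\AppData\Roaming\sync.exe /sc onlogon'},
]


def dll_from_regsvr32(cmdline):
    """Return the DLL path handed to regsvr32 (lower-cased), or None."""
    m = REGSVR_DLL.search(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else None


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def hunt(events, window=timedelta(minutes=30)):
    """Return (host, severity, description) findings in event-time order."""
    findings = []
    untrusted_loads = {}   # (host, dll) -> time of first untrusted regsvr32 load
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image, cmd = ev["image"].lower(), ev["cmdline"]
        if image.endswith("\\regsvr32.exe"):
            dll = dll_from_regsvr32(cmd)
            if dll and not is_trusted_path(dll):
                untrusted_loads.setdefault((ev["host"], dll), ts)
                findings.append((ev["host"], "medium",
                                 f"regsvr32 loaded DLL outside trusted dirs: {dll}"))
        elif image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            m = TASK_ACTION.search(cmd)
            action = (m.group(1) or m.group(2)) if m else ""
            dll = dll_from_regsvr32(action)
            first = untrusted_loads.get((ev["host"], dll)) if dll else None
            if first is not None and ts - first <= window:
                # Same DLL that was just loaded from an untrusted path: the
                # persistence step of the chain, so escalate.
                findings.append((ev["host"], "high",
                                 f"scheduled task re-launches untrusted DLL seen {ts - first} earlier: {dll}"))
            elif USER_PROFILE.search(action):
                findings.append((ev["host"], "medium",
                                 f"scheduled task action lives in a user profile: {action}"))
    return findings


if __name__ == "__main__":
    for host, sev, desc in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {sev:6} {desc}")
```

Run against the sample, the benign vendor registration on WS03 produces nothing, WS01 yields a medium finding for the Temp-directory load and a high finding when the task re-launches the same DLL two and a half minutes later, and WS02 yields a medium finding for a task whose action lives under a user profile. In production the same correlation is usually expressed as a SIEM rule over Sysmon Event ID 1 and Security Event ID 4698; the window and trusted-directory list are the two knobs to tune.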
Phase 3: HTTPSpy Takes Control
At the center of the operation is HTTPSpy, a sophisticated remote access trojan that has become one of Kimsuky’s preferred espionage tools.
HTTPSpy provides attackers with extensive control over infected systems. It allows the execution of commands, file uploads and downloads, process execution, screenshot capture, DLL injection, and even self-deletion to erase evidence of compromise.
The malware effectively transforms infected devices into surveillance platforms capable of collecting operational, military, corporate, and strategic information. Because payload delivery appears to be selective, Kimsuky can reserve its most capable tools for high-value targets while avoiding unnecessary exposure.
The discovery that HTTPSpy has been continuously deployed since at least 2022 demonstrates its long-term value within the group’s espionage operations.
Phase 4: Expanding the Arsenal
Kaspersky’s investigation revealed that HTTPSpy is only one component of a much larger malware ecosystem.
HelloDoor
HelloDoor is a Rust-based malware family associated with the PebbleDash cluster. First identified in 2025, it supports command execution, directory management, and configurable delays that help it blend into normal system activity.
HttpMalice
HttpMalice represents the latest evolution of the PebbleDash family. It performs reconnaissance, captures screenshots, establishes persistence, executes commands, loads payloads directly into memory, and exfiltrates collected information.
HttpTroy
Delivered through a loader called MemLoad, HttpTroy provides comprehensive remote administration capabilities including reverse shells, file transfers, screenshot collection, and in-memory execution.
AppleSeed and HappyDoor
AppleSeed remains heavily focused on intelligence gathering. It collects documents, screenshots, keystrokes, USB device information, and sensitive files. One of its most notable capabilities is the extraction of GPKI certificates, a feature that has become increasingly associated with Kimsuky operations.
HappyDoor expands upon these capabilities and remains one of the group’s most advanced espionage platforms.
Phase 5: Living Off Legitimate Tools
Perhaps the most significant evolution in Kimsuky’s tradecraft is the growing reliance on legitimate technologies instead of traditional malware infrastructure.
The group has increasingly adopted:
VS Code Remote Tunneling
Cloudflare Quick Tunnels
DWAgent remote administration software
Native Windows administration tools
PowerShell automation
By abusing trusted technologies, Kimsuky reduces its dependency on easily detectable command-and-control channels. Security teams monitoring only traditional malware indicators may completely overlook these legitimate services operating inside compromised environments.
This shift mirrors a broader trend across advanced threat actors, who increasingly blend malicious activity with legitimate software to evade detection.
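Because the tunnelling tools above are legitimate, the detection problem is less about signatures than about distinguishing a developer who is allowed to open a VS Code tunnel from a workstation that should never do so. The script below is an added example written for this article, not code from the original piece, Kaspersky or The Hacker News. It classifies constructed process and DNS records against each tool's documented invocation and default endpoints (the `code tunnel` and `code-tunnel.exe tunnel` command lines and *.devtunnels.ms / tunnels.api.visualstudio.com for VS Code Remote Tunnels, `cloudflared tunnel --url` and *.trycloudflare.com for Cloudflare Quick Tunnels, dwagent/dwagsvc and dwservice.net for DWAgent). The domain suffixes are assumptions about unmodified installs, and the allowlist, host names and file paths are invented for the example.

```python
"""Flag VS Code Remote Tunnels, Cloudflare Quick Tunnels and DWAgent in
constructed process-creation and DNS telemetry, skipping hosts that are
allowed to run a given tool. Domain suffixes are assumptions about the tools'
default endpoints; paths, hosts and the allowlist are constructed."""
import re

# tool -> (regex over the full process command line, DNS suffixes contacted by default)
TUNNEL_TOOLS = {
    "vscode-remote-tunnel": (
        # `code tunnel`, `code-tunnel.exe tunnel`, `code-insiders tunnel`
        re.compile(r'(?:^|[\\\s"])code(?:-tunnel|-insiders)?(?:\.exe)?"?\s+tunnel\b', re.I),
        ("devtunnels.ms", "tunnels.api.visualstudio.com"),
    ),
    "cloudflare-quick-tunnel": (
        # A quick tunnel is `cloudflared tunnel --url <local service>`; a named
        # tunnel (`cloudflared tunnel run <name>`) is deliberately not matched.
        re.compile(r'cloudflared(?:\.exe)?"?\s+tunnel\b.*--url\b', re.I),
        ("trycloudflare.com",),
    ),
    "dwagent": (
        re.compile(r'\\dwag(?:ent|svc)(?:\.exe)?\b', re.I),
        ("dwservice.net",),   # assumed default DWAgent relay domain
    ),
}

# Hosts with a business reason to run a tool (constructed allowlist).
ALLOWED = {("DEV-LAPTOP-07", "vscode-remote-tunnel")}

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "cmdline": r'"C:\Users\kim\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms'},
    {"type": "dns", "host": "WS01", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "process", "host": "DEV-LAPTOP-07",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe" tunnel --name dev07'},
    {"type": "process", "host": "WS02",
     "cmdline": r'C:\Users\Public\cloudflared.exe tunnel --url http://localhost:3389'},
    {"type": "dns", "host": "WS02", "query": "api.trycloudflare.com"},
    {"type": "process", "host": "WS03",
     "cmdline": r'"C:\Program Files\DWAgent\native\dwagsvc.exe"'},
    {"type": "dns", "host": "WS04", "query": "abc123-8080.euw.devtunnels.ms"},
    {"type": "process", "host": "WS05",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window C:\repo'},
]


def match_process(cmdline):
    """Name of the first tunnelling tool whose command-line shape matches, or None."""
    for tool, (rx, _) in TUNNEL_TOOLS.items():
        if rx.search(cmdline):
            return tool
    return None


def match_dns(qname):
    """Tool whose default endpoint the query name belongs to, or None."""
    q = qname.lower().rstrip(".")
    for tool, (_, suffixes) in TUNNEL_TOOLS.items():
        if any(q == s or q.endswith("." + s) for s in suffixes):
            return tool
    return None


def hunt_tunnels(events):
    """Return {(host, tool): {"process": [...], "dns": [...]}} for non-allowlisted hosts."""
    hits = {}
    for ev in events:
        if ev["type"] == "process":
            tool, evidence = match_process(ev["cmdline"]), ev["cmdline"]
        elif ev["type"] == "dns":
            tool, evidence = match_dns(ev["query"]), ev["query"]
        else:
            continue
        if tool is None or (ev["host"], tool) in ALLOWED:
            continue
        hits.setdefault((ev["host"], tool), {"process": [], "dns": []})[ev["type"]].append(evidence)
    return hits


def confirmed(hits):
    """Host/tool pairs backed by both a process hit and a DNS hit. DNS alone may
    just be a browser opening someone else's tunnel URL; a process alone may be
    a failed start, so the intersection is the high-confidence set."""
    return sorted(k for k, v in hits.items() if v["process"] and v["dns"])


if __name__ == "__main__":
    hits = hunt_tunnels(SAMPLE_EVENTS)
    for key in confirmed(hits):
        print("active tunnel:", key, hits[key])
```

On the sample, WS01 (VS Code tunnel plus its control-plane lookup) and WS02 (cloudflared quick tunnel plus the trycloudflare API lookup) come back as confirmed, DEV-LAPTOP-07 is dropped by the allowlist, WS03 has only a DWAgent service binary and WS04 only a devtunnels DNS query, so both surface as lower-confidence single-source hits, and the ordinary VS Code launch on WS05 is ignored. The allowlist is the important part: without it, blocking or alerting on these tools breaks real developer workflows and the alerts get tuned out.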
Victims
The victims span some of South Korea’s most strategically important sectors. Military organizations, defense contractors, government agencies, healthcare providers, energy companies, manufacturing firms, and corporate entities have all been observed within the targeting scope. Employees responsible for communications systems and messaging platforms appear to have received particular attention due to their access to sensitive information and privileged systems.
The campaign also demonstrates Kimsuky’s continued interest in organizations that can provide military intelligence, government information, operational insights, and strategic economic data. Similar malware clusters have also been observed targeting defense organizations in Germany and Brazil, indicating that the group’s objectives extend beyond the Korean Peninsula.
Breach Method & Stolen Data
The primary entry vector relied on social engineering through counterfeit software portals and fake Webex meeting pages. Victims were persuaded to download malicious installers or scripts disguised as legitimate tools required for security or meeting participation.
Following execution, malware loaders deployed HTTPSpy, HelloDoor, AppleSeed, and related payloads. The attackers established persistence through scheduled tasks, remote administration tools, and legitimate tunneling services. Data theft focused on documents, screenshots, keystrokes, removable media information, system reconnaissance data, credentials, and government-related digital certificates. The use of VS Code Tunnels and other legitimate services further enabled covert communication and long-term access.
Measures to Fend Off the Attack
Verify all software downloads through official vendor sources.
Treat unexpected meeting invitations and technical support requests with caution.
Monitor VS Code Remote Tunneling activity across the enterprise: the "code tunnel" and "code-tunnel.exe tunnel" command lines, and outbound connections to *.devtunnels.ms and tunnels.api.visualstudio.com from hosts that have no approved reason to expose a tunnel.
Block or restrict execution of JSE and other script formats, and of legacy executable extensions such as PIF and SCR, which ordinary users almost never have a reason to run.
Detect unauthorized use of remote administration tools such as DWAgent, and alert when cloudflared or other tunnel clients appear on hosts outside an approved allowlist.
Implement application allowlisting for administrative utilities.
Audit scheduled tasks and persistence mechanisms regularly.
Monitor PowerShell activity for suspicious behavior.
Protect and monitor GPKI certificates and privileged credentials.
Deploy behavioral detection capable of identifying living-off-the-land techniques.
Conduct regular phishing and social engineering awareness training.
Conclusion
Kimsuky has evolved into a highly adaptive espionage actor that increasingly blurs the line between malware operations and legitimate administrative activity. The combination of convincing social engineering, mature malware families, remote tunneling technologies, and targeted intelligence collection demonstrates a threat actor focused on long-term access rather than short-term disruption.
As organizations continue adopting cloud platforms, collaboration tools, and AI-assisted development environments, campaigns like these illustrate how advanced adversaries are adapting just as quickly. The challenge is no longer simply detecting malware. It is identifying malicious intent hidden behind trusted software, legitimate services, and seemingly ordinary users.
The Hacker News