Kimsuky targeted South Korean military and corporate entities with fake security software and Webex lures to deliver HTTPSpy and other payloads, while using techniques like JSONPing and stolen meeting schedules to improve infection success. Kaspersky also reported that Kimsuky is evolving its toolset with VS Code tunneling, DWAgent, and new malware families including HelloDoor, HttpMalice, HttpTroy, AppleSeed, and HappyDoor.

#Kimsuky #VelvetChollima #HTTPSpy #HelloDoor #HttpMalice #HttpTroy #AppleSeed #HappyDoor #DWAgent #VisualStudioCode #Webex
Key points
- Kimsuky used fake South Korean security software pages to distribute malicious installers.
- A counterfeit Webex page was used to deliver a multi-stage infection chain.
- HTTPSpy was deployed as the final payload in the April 2026 campaign.
- The group used JSONPing to verify infection status and tailor delivery.
- Kimsuky also abused VS Code tunneling and DWAgent to expand covert access.
Read More: https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html