Kimsuky Targets South Korea with Advanced Malware and Social Engineering Tactics
Severity: High (Score: 75.5)
Sources: Scworld, Thehackernews
Keywords: korean, kimsuky, north, south, state, threat, actor
Severity indicators: kimsuky, malware
Summary
North Korean hackers known as Kimsuky launched a series of cyberattacks against South Korean military and corporate sectors during March and April 2026. The group used social engineering, including spoofed security software installation pages and fake Webex meeting invitations, to deliver malware. Notably, a variant of the HTTPSpy remote access trojan was disguised as legitimate security software. Kimsuky also employed new malware families, HelloDoor and HttpMalice, alongside enhanced versions of existing malware such as HappyDoor. The attacks affected the defense, government, and healthcare sectors, demonstrating Kimsuky's adaptability and persistence. The group has been publicly tracked since 2013, with activity dating to at least 2012, so this campaign is the latest phase of a long-running effort against South Korean entities. Current assessments highlight the ongoing risk Kimsuky poses to critical infrastructure and sensitive data.

Key Points:
- Kimsuky targeted South Korean military and corporate entities with advanced malware.
- Attacks relied on social engineering: spoofed security software installers and fake meeting invitations.
- New malware families include HelloDoor and HttpMalice, alongside enhanced versions of existing threats.
Detailed Analysis
**Impact**
South Korean military, government, corporate, and healthcare organizations were targeted during March and April 2026. The attacks put sensitive military and government data at risk, including GPKI (Government Public Key Infrastructure) certificates, and potentially disrupted communications within B2B messaging services. Multiple organizations across South Korea were affected; the sources disclose no count of affected entities.

**Technical Details**
Kimsuky delivered malware through spoofed security software installation pages and fake Cisco Webex meeting invitations. The toolset includes HTTPSpy RAT variants disguised as legitimate installers, the new families HelloDoor and HttpMalice (described as PebbleDash variants), and enhanced AppleSeed derivatives such as HappyDoor, which focus on data exfiltration and GPKI certificate theft. For command and control, the group used Visual Studio Code Remote Tunnels and Cloudflare Quick Tunnels: both ride on legitimate developer services, so the C2 traffic blends in with ordinary HTTPS to trusted domains and slips past egress filtering that allows those services. The source reporting lists no exploited CVEs and publishes no specific IOCs.

**Recommended Response**
Prioritize detection and blocking of spoofed security software installers and fake Webex meeting pages. Monitor network telemetry for connections to the VS Code Remote Tunnels and Cloudflare Quick Tunnels service domains, and endpoint telemetry for the corresponding tunnel-client launches; baseline legitimate developer use first so that alerts fire on hosts and users with no business reason to tunnel. Harden endpoint detection for HTTPSpy and the related malware families. No vulnerability is reported, so there is nothing to patch; defenders should concentrate on the identified social engineering vectors and command-and-control channels.
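The response guidance above names two tunnelling services as C2 channels but gives no detection logic. The following is an added example, not code from the source articles or from the researchers cited there. It scans constructed proxy/DNS log lines and constructed process-creation events for the service domains and client command lines those tools use, applies an allowlist for hosts with a known developer use case, and correlates the two telemetry sources so a host that both launches a tunnel client and talks to the tunnel rendezvous service ranks highest. The log field layout (timestamp, source host, user, destination, bytes) is an assumption about a generic export, and every hostname, user and path in the samples is made up.

```python
"""Flag developer-tunnel (VS Code Remote Tunnels, Cloudflare Quick Tunnels)
use in network and process telemetry.

Added example: sample data is constructed, and the log layout is assumed.
"""
import re

# Rendezvous domains for the two services. Cloudflare Quick Tunnels hand out
# random subdomains of trycloudflare.com; VS Code Remote Tunnels connect via
# devtunnels.ms and the tunnels.api.visualstudio.com endpoint.
TUNNEL_DOMAIN_PATTERNS = {
    "cloudflare_quick_tunnel": re.compile(r"(^|\.)trycloudflare\.com$", re.I),
    "vscode_tunnel": re.compile(
        r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I),
}

# Client-side command lines. A Quick Tunnel is `cloudflared tunnel --url ...`
# with no account token; `code tunnel` starts a VS Code Remote Tunnel.
TUNNEL_CMDLINE_PATTERNS = {
    "cloudflare_quick_tunnel": re.compile(
        r"\bcloudflared(\.exe)?\b.*\btunnel\b.*--url", re.I),
    "vscode_tunnel": re.compile(r"\bcode(\.exe)?\"?\s+tunnel\b", re.I),
}

# Assumed layout: <ts> <src_host> <user> <dst_host>[:port] <bytes>
NET_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<dst>[A-Za-z0-9.-]+)(?::\d+)?\s+(?P<bytes>\d+)$")

# Constructed sample data (not real telemetry).
NET_LOG_SAMPLE = """\
2026-04-02T09:12:44Z fin-ws-17 jlee abc-def-ghi.trycloudflare.com:443 18422
2026-04-02T09:13:02Z fin-ws-17 jlee global.rel.tunnels.api.visualstudio.com:443 2210
2026-04-02T09:13:09Z fin-ws-17 jlee 8fh2k3-8080.euw.devtunnels.ms:443 91044
2026-04-02T09:15:51Z dev-ws-03 mkim 2a1b9c-3000.usw2.devtunnels.ms:443 55012
2026-04-02T09:16:00Z hr-ws-08 spark webex.com:443 4412
"""
PROC_SAMPLE = [
    ("fin-ws-17", r'"C:\Users\jlee\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms'),
    ("dev-ws-03", r'"C:\Program Files\Microsoft VS Code\bin\code" tunnel'),
    ("hr-ws-08", r'cloudflared.exe tunnel --url http://localhost:8080'),
    ("hr-ws-08", r'C:\Windows\System32\svchost.exe -k netsvcs'),
]
# (host, label) pairs with a known legitimate use; dev-ws-03 is a developer box.
ALLOW = frozenset({("dev-ws-03", "vscode_tunnel")})


def classify_host(host):
    """Return the tunnel service label for a destination host, or None."""
    host = host.rstrip(".").lower()
    for label, pat in TUNNEL_DOMAIN_PATTERNS.items():
        if pat.search(host):
            return label
    return None


def classify_cmdline(cmdline):
    """Return the tunnel client label for a process command line, or None."""
    for label, pat in TUNNEL_CMDLINE_PATTERNS.items():
        if pat.search(cmdline):
            return label
    return None


def scan_network_log(text, allow=frozenset()):
    """(src, user, dst, label, bytes) for every non-allowlisted tunnel hit."""
    hits = []
    for line in text.splitlines():
        m = NET_LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        label = classify_host(m["dst"])
        if label and (m["src"], label) not in allow:
            hits.append((m["src"], m["user"], m["dst"].lower(), label, int(m["bytes"])))
    return hits


def scan_process_events(events, allow=frozenset()):
    """(host, label, cmdline) for every non-allowlisted tunnel client launch."""
    hits = []
    for host, cmdline in events:
        label = classify_cmdline(cmdline)
        if label and (host, label) not in allow:
            hits.append((host, label, cmdline))
    return hits


def correlate(net_hits, proc_hits):
    """(host, label) pairs seen in both telemetry sources: highest confidence."""
    net_pairs = {(h[0], h[3]) for h in net_hits}
    proc_pairs = {(h[0], h[1]) for h in proc_hits}
    return sorted(net_pairs & proc_pairs)


if __name__ == "__main__":
    net = scan_network_log(NET_LOG_SAMPLE, ALLOW)
    proc = scan_process_events(PROC_SAMPLE, ALLOW)
    for hit in net:
        print("NET ", hit)
    for hit in proc:
        print("PROC", hit)
    print("HIGH", correlate(net, proc))
```

The allowlist is the important operational detail: both services are legitimate developer tooling, so a rule that alerts on every devtunnels.ms connection will be tuned out within a week. Alert on hosts outside the development estate, on `code.exe` launched from a user-writable path such as Temp, and above all on hosts that appear in both the process and network feeds.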
Source articles (2)
- Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels — Thehackernews · 2026-05-29
The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and…
- North Korean hackers Kimsuky target South Korea with new malware variants — Scworld · 2026-05-29
Per The Hacker News, North Korean state-sponsored threat actor Kimsuky has been linked to a series of sophisticated cyberattacks against South Korean military and corporate entities during March and April 2026…
Timeline
- 2026-03-01 — Kimsuky begins cyberattacks: Kimsuky initiated a series of targeted attacks against South Korean military and corporate entities using advanced tactics (the sources give only the month; the day is the start of that month).
- 2026-04-30 — Malware variants identified: the new families HelloDoor and HttpMalice were identified, expanding Kimsuky's arsenal (the sources give only the month; the day is the end of that month).
- 2026-05-29 — Reports published on Kimsuky activity: Both Scworld and The Hacker News published reports detailing Kimsuky's recent cyberattacks and tactics.
Related entities
- Kimsuky (Apt Group)
- Velvet Chollima (Apt Group)
- Data Breach (Attack Type)
- Malware (Attack Type)
- Phishing (Attack Type)
- South Korea (Country)
- Government (Industry)
- Healthcare (Industry)
- AppleSeed (Malware)
- HappyDoor (Malware)
- HelloDoor (Malware)
- HttpMalice (Malware)
- HTTPSpy (Malware)
- PebbleDash (Malware)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1566.002 - Spearphishing Link (Mitre Attack)
- Cisco WebEx (Platform)
- Visual Studio Code (Platform)
- Cloudflare Quick Tunnels (Tool)
- VS Code Tunnels (Tool)