
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
Why It Matters
The tactics show Kimsuky’s evolution toward using legitimate development tools and real‑time verification, raising the threat level for critical infrastructure and increasing the difficulty of detection and remediation.
Key Takeaways
- Kimsuky delivered HTTPSpy via fake security‑software installers in March 2026.
- A fake Webex meeting page was used to spread an encrypted JSE downloader in April.
- A new verification method, “JSONPing”, confirms malware execution via local server queries.
- Kimsuky leveraged VS Code remote tunneling and DWAgent for stealthy persistence.
- Rust‑based HelloDoor and HttpMalice expand PebbleDash capabilities, targeting defense sectors.
Pulse Analysis
Kimsuky’s latest operations combine classic social engineering with current tooling. In March 2026 the group disguised malicious binaries as popular South Korean security products, tricking administrators into running installers named nos‑setup.exe or astx‑setup.exe. Each installer drops a DLL that is registered and executed through regsvr32, creates a scheduled task for persistence, and contacts a command‑and‑control server to fetch additional payloads. In April, a counterfeit Webex meeting page lured victims into running an encrypted JSE (JScript Encoded) downloader that performed anti‑analysis checks before delivering the HTTPSpy remote‑access trojan. The addition of “JSONPing”, a query to a local server that confirms the malware actually executed, gives the operators a real‑time feedback loop that is rarely seen in state‑sponsored campaigns.
Beyond the delivery tricks, Kimsuky is abusing legitimate development and remote‑management tools to hide its activity. The group has adopted VS Code’s Remote Tunnels feature and Cloudflare Quick Tunnels, which give it covert interactive channels through vendor‑operated relays instead of C2 infrastructure it must stand up and maintain itself. Combined with the open‑source DWAgent RMM tool, this yields persistent, low‑profile access that looks like ordinary administrative traffic. New Rust‑based modules such as HelloDoor and HttpMalice, which researchers assess were likely generated with large language models, extend the PebbleDash arsenal with lightweight, memory‑only loaders capable of command execution, screenshot capture, and data exfiltration. The AppleSeed family now also targets GPKI (South Korean government public‑key infrastructure) certificates, mirroring other credential‑stealing malware and signalling a strategic shift toward high‑value credential theft.
The implications for South Korean defense, government, and critical‑infrastructure organizations are serious. Because the tools are legitimate and the tunnels terminate at trusted cloud services, the traffic is hard to separate from benign developer and administrator activity on network telemetry alone. Defenders should enforce strict application allow‑lists (explicitly approving or blocking the VS Code tunnel CLI, cloudflared, and RMM agents such as DWAgent), alert on tunneling binaries launched from unexpected paths or by unexpected users, and deploy endpoint detection that flags regsvr32 registering DLLs from user‑writable directories and scheduled tasks that re‑launch such DLLs. Threat‑intelligence sharing and rapid patching across the software supply chain remain essential as state actors continue to weaponize open‑source code and AI‑assisted malware development, raising the overall risk for the broader Asia‑Pacific region.
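As an added illustration (not code from the article, the researchers it summarizes, or any vendor product), the following Python script runs the endpoint checks recommended above over a handful of constructed Sysmon‑style process‑creation events: regsvr32 registering a DLL from a user‑writable path, a scheduled task that re‑launches it, and the VS Code tunnel, cloudflared, and DWAgent processes starting. The user names, file paths, DLL name, and the DWAgent process name are assumptions made for illustration; only the tool names and behaviours come from the article.

```python
"""Endpoint-telemetry triage for the Kimsuky tradecraft described above.

Added example, not from the original article or any vendor tool. It walks
process-creation events shaped like Sysmon Event ID 1 fields and flags the
behaviours the article calls out: regsvr32 registering a DLL from a
user-writable path, schtasks.exe persisting such a launch, and tunnelling or
RMM binaries (VS Code `code tunnel`, cloudflared quick tunnels, DWAgent)
being started. All events below are constructed; the DLL name, paths, user
names and the DWAgent process name are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    ts: str
    user: str
    image: str      # full path of the process image
    cmdline: str
    parent: str     # parent image name


# Directories a legitimate security-product installer should not be
# registering DLLs from. Matched case-insensitively against the command line.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|temp)\\", re.I
)

Finding = Tuple[str, str, str, str]   # (timestamp, user, label, cmdline)


def flag_regsvr32(e: Event) -> Optional[str]:
    """regsvr32 pointed at a DLL outside Program Files / System32."""
    if not e.image.lower().endswith("\\regsvr32.exe"):
        return None
    if USER_WRITABLE.search(e.cmdline):
        return "regsvr32 loading DLL from user-writable path"
    return None


def flag_schtasks(e: Event) -> Optional[str]:
    """A new scheduled task whose action re-runs regsvr32 or a user-path DLL."""
    if not e.image.lower().endswith("\\schtasks.exe"):
        return None
    cmd = e.cmdline.lower()
    if "/create" in cmd and ("regsvr32" in cmd or USER_WRITABLE.search(cmd)):
        return "scheduled task persisting a regsvr32/DLL launch"
    return None


# (image regex, command-line regex, label). The tunnels terminate at Microsoft
# and Cloudflare, so the network side looks benign; catch the process start.
TUNNEL_RULES = [
    (r"\\code\.exe$", r"\btunnel\b", "VS Code remote tunnel started"),
    (r"\\cloudflared\.exe$", r"--url\s+https?://", "cloudflared quick tunnel started"),
    (r"\\dwag(ent|svc)\.exe$", r"", "DWAgent RMM running (assumed process name)"),
]


def flag_tunnel(e: Event) -> Optional[str]:
    for img_re, cmd_re, label in TUNNEL_RULES:
        if re.search(img_re, e.image, re.I) and re.search(cmd_re, e.cmdline, re.I):
            return label
    return None


RULES: List[Callable[[Event], Optional[str]]] = [flag_regsvr32, flag_schtasks, flag_tunnel]


def triage(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings: List[Finding] = []
    for e in events:
        for rule in RULES:
            label = rule(e)
            if label:
                findings.append((e.ts, e.user, label, e.cmdline))
    return findings


# Constructed sample telemetry: two benign events, five that should fire.
SAMPLE_EVENTS = [
    Event("10:00", "SVC-ADMIN", r"C:\Windows\System32\regsvr32.exe",
          r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"', "msiexec.exe"),
    Event("10:05", "SVC-ADMIN", r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s C:\Users\svc-admin\AppData\Roaming\update.dll", "nos-setup.exe"),
    Event("10:05", "SVC-ADMIN", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Update" /tr "regsvr32 /s C:\Users\svc-admin\AppData\Roaming\update.dll" /sc minute /mo 10',
          "nos-setup.exe"),
    Event("10:20", "SVC-ADMIN", r"C:\Users\svc-admin\AppData\Local\Programs\Microsoft VS Code\code.exe",
          "code.exe tunnel --accept-server-license-terms", "cmd.exe"),
    Event("10:22", "SVC-ADMIN", r"C:\Users\svc-admin\AppData\Local\Temp\cloudflared.exe",
          "cloudflared.exe tunnel --url http://localhost:8080", "cmd.exe"),
    Event("10:30", "SVC-ADMIN", r"C:\Program Files\DWAgent\runtime\dwagsvc.exe",
          "dwagsvc.exe", "services.exe"),
    Event("11:00", "DEV-USER", r"C:\Users\dev-user\AppData\Local\Programs\Microsoft VS Code\code.exe",
          "code.exe --new-window C:\\src", "explorer.exe"),
]


if __name__ == "__main__":
    for ts, user, label, cmd in triage(SAMPLE_EVENTS):
        print(f"{ts} {user:10} {label}\n    {cmd}")
```

The rules deliberately key on process start rather than on destination addresses: a VS Code tunnel or a Cloudflare quick tunnel talks to the vendor's own relay, so a network allow‑list that already permits Microsoft and Cloudflare will not see anything unusual, whereas `code.exe tunnel` launched from `cmd.exe` under a service account is easy to flag on the endpoint.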