Full Report
The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
- **Name:** Kimsuky
- **Aliases:** Velvet Chollima
- **Origin:** North Korea (State-sponsored)
- **Known Associations:** Attributed to the Reconnaissance General Bureau (RGB).
## Activity Summary
The actor ran two primary campaigns between March and April 2026 against South Korean targets. Both delivered custom remote access trojans (RATs) through tailored social engineering: spoofed installers for South Korean security software aimed at administrators of B2B messaging platforms, and fake Cisco Webex meeting pages built from genuine meeting schedules.
## Tactics, Techniques & Procedures
- **Social Engineering:** Spoofing security software installation pages and creating fake Webex meeting rooms based on legitimate schedules.
- **Persistence:** A scheduled task re-executes `MemLoader.dll`, the loader component, so the implant survives reboots.
- **Defense Evasion:**
- Use of `regsvr32.exe` to execute second-stage payloads.
- Self-deleting batch scripts.
- Anti-analysis checks performed by intermediate downloaders.
- **Execution:** PowerShell launches an encoded JScript (`.jse`) file. The `.jse` format is Microsoft's JScript encoding, a reversible obfuscation rather than encryption, so the script can be recovered for analysis.
- **JSONPing Technique:** The lure page issues JSONP (JSON with Padding) requests, i.e. cross-origin `<script>` includes, against a local HTTP listener on the victim machine to confirm that the malware is running. Because a script include is not subject to the same-origin policy, the attacker's page can reach `127.0.0.1` from the browser even though an XHR or fetch would be blocked.
- **MITRE ATT&CK IDs (Inferred from context):**
- **T1566.002:** Phishing: Spearphishing Link
- **T1036.005:** Masquerading: Match Legitimate Name or Location (`nos-setup.exe`, `astx-setup.exe`)
- **T1053.005:** Scheduled Task/Job: Scheduled Task
- **T1218.010:** System Binary Proxy Execution: Regsvr32
- **T1059.007:** Command and Scripting Interpreter: JavaScript (`.jse` execution)
- **T1027.013:** Obfuscated Files or Information: Encrypted/Encoded File (`.jse` encoding)
- **T1070.004:** Indicator Removal: File Deletion (self-deleting batch scripts)
- **T1071.001:** Application Layer Protocol: Web Protocols
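The JSONPing check described above, modelled end to end as an added example (this is not code from the report or from the actor). It assumes the implant binds a loopback HTTP listener that answers `/status?callback=<name>` with a JSONP body of the form `name({"status": "running"});`; the port, path and reply format are invented for illustration. `probe_localhost` plays the role of the lure page's `<script src="http://127.0.0.1:PORT/status?callback=...">` include, and `ImplantStatusHandler` plays the malware side.

```python
"""JSONPing emulation: a page the victim is viewing learns, via a cross-origin
<script> include, whether a loopback HTTP listener planted by malware answers.
Added illustration; port, path and reply format are assumptions."""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# A JSONP callback name is echoed verbatim into a script body, so only dotted
# identifiers are accepted; anything else is a script-injection attempt.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")
JSONP_RE = re.compile(r"\s*([\w$.]+)\((.*)\);?\s*", re.S)


def jsonp_body(callback: str, payload: dict) -> str:
    """Build the script the listener returns: callback({...});"""
    if not CALLBACK_RE.match(callback):
        raise ValueError(f"unsafe callback name: {callback!r}")
    return f"{callback}({json.dumps(payload)});"


def parse_jsonp(body: str, expected_callback: str) -> dict:
    """Recover the object a browser would hand to the named callback."""
    m = JSONP_RE.fullmatch(body)
    if not m or m.group(1) != expected_callback:
        raise ValueError("not a JSONP reply for the expected callback")
    return json.loads(m.group(2))


class ImplantStatusHandler(BaseHTTPRequestHandler):
    """Stand-in for the malware-side loopback listener (assumed behaviour)."""

    def do_GET(self):
        cb = parse_qs(urlparse(self.path).query).get("callback", ["cb"])[0]
        try:
            data = jsonp_body(cb, {"status": "running"}).encode()
        except ValueError:
            self.send_error(400)
            return
        self.send_response(200)
        # Served as script: a <script src> tag executes it regardless of origin.
        self.send_header("Content-Type", "application/javascript")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_listener(port: int = 0) -> HTTPServer:
    """Bind the fake implant listener on loopback (port 0 = any free port)."""
    srv = HTTPServer(("127.0.0.1", port), ImplantStatusHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_localhost(port: int, callback: str = "__chk", timeout: float = 1.0) -> str:
    """What the lure page's script include amounts to: 'running' if the implant
    answers with a well-formed JSONP reply, 'absent' if nothing is listening."""
    url = f"http://127.0.0.1:{port}/status?callback={callback}"
    # Loopback must never be routed through an HTTP proxy from the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return parse_jsonp(resp.read().decode(), callback).get("status", "absent")
    except (urllib.error.URLError, OSError, ValueError):
        return "absent"


if __name__ == "__main__":
    srv = start_listener()
    print("implant listener:", probe_localhost(srv.server_address[1]))  # running
    print("no listener     :", probe_localhost(1))                      # absent
    srv.shutdown()
```

The defensive consequence follows from the mechanism: the check only works if something on the host is bound to a loopback port, so an unexpected process opening a local HTTP listener is the host-side signal to hunt for, and a web page whose script sources reference `127.0.0.1` or `localhost` is the proxy-side one.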
## Targeting
- **Sectors:** Military, Defense, Corporate (B2B Messaging), and Government.
- **Geography:** Primarily South Korea; historically Germany and other European regions.
- **Victims:** Messaging administrators within corporate environments; South Korean military service members; German defense manufacturer employees (historical).
## Tools & Infrastructure
- **Malware Families:**
- **HTTPSpy:** A full-featured RAT capable of shell commands, screenshot capture, and DLL injection.
- **HelloDoor:** A second implant named alongside HTTPSpy as part of the expanded arsenal; the summary gives no further technical detail.
- **MemLoader.dll:** Persistence and loading component.
- **mTSTCv8.mdxm:** Intermediate downloader.
- **Lure Files:** `nos-setup.exe` (nProtect spoof), `astx-setup.exe` (AhnLab Safe Transaction spoof), `fix-camera.jse`.
- **Infrastructure:**
- C2 servers that serve payloads selectively rather than to every requester.
- Fake meeting pages: `meeting.html` (Redirects to legitimate Webex rooms to reduce suspicion).
- **Source report (not attacker infrastructure):** https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
## Implications
Kimsuky continues to refine its social engineering to bridge the gap between initial access and long-term espionage. Building fake Webex pages from a real meeting schedule shows that compromising one high-value participant is enough to stage convincing lures against every other attendee, with the redirect to the genuine meeting room hiding the detour. The choice of South Korean security products (nProtect, AhnLab Safe Transaction) as the disguise is deliberate: an installer that looks like the endpoint protection a user expects to run is the one they are least likely to question, and it lands on exactly the hosts those products are meant to defend.
## Mitigations
- **Application Control:** Restrict `regsvr32.exe`, `powershell.exe`, `wscript.exe` and `cscript.exe`: deny `regsvr32` modules loaded from user-writable paths (`%TEMP%`, `%APPDATA%`, `Downloads`) and deny script hosts running `.jse`/`.js` files outside approved deployment tooling.
- **Endpoint Monitoring:** Alert on scheduled tasks created by processes other than known installers, on `.jse` or `.bat` files written to temp directories, on `cmd.exe` deleting a file it or its parent just dropped, and on unexpected processes opening loopback HTTP listeners (the JSONPing check only works if the implant is listening locally).
- **User Training:** Educate administrators on the risks of "out-of-band" security software updates that arrive by message or e-mail rather than through established corporate deployment channels.
- **Web Filtering:** Block newly observed domains that imitate B2B messaging and conferencing platforms, and review proxy logs for meeting pages that redirect into legitimate Webex rooms.
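The monitoring items above, written as rules and run over constructed process-creation records. This is an added example, not tooling from the report: the pipe-delimited `ts|Image=|ParentImage=|CommandLine=` format, the file paths and the sample events are assumptions, while each rule maps to a TTP listed under Tactics, Techniques & Procedures. The self-deletion rule only sees a `del` that appears on a command line (inline batch or a deletion of a dropped file); a `.bat` whose body deletes itself with `del "%~f0"` needs inspection of the file content written to disk, which this example does not cover.

```python
"""Triage rules for the Kimsuky TTPs on this page, run over process-creation
records. Added example: log format, paths and rule logic are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths an unprivileged user can write to; the staged payloads named on this
# page (MemLoader.dll, fix-camera.jse) are assumed to be dropped there.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|programdata|temp|public)\\", re.I)
WIN_PATH = re.compile(r'"?([a-z]:\\[^"\s]+)"?', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    ts: str
    image: str
    parent: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one 'ts|Key=Value|...' record (constructed, Sysmon Event ID 1 style)."""
    ts, *fields = line.split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv.get("Image", ""), kv.get("ParentImage", ""), kv.get("CommandLine", ""))


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_regsvr32(ev: Event) -> Optional[str]:
    """T1218.010: regsvr32 handed a module outside trusted install directories."""
    if _base(ev.image) != "regsvr32.exe":
        return None
    for path in WIN_PATH.findall(ev.cmdline):
        if USER_WRITABLE.search(path):
            return f"T1218.010 regsvr32 loading {path} from a user-writable path"
    return None


def check_schtasks(ev: Event) -> Optional[str]:
    """T1053.005: task creation whose action runs a LOLBin or a user-writable file."""
    if _base(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
    action = (m.group(1) or m.group(2)) if m else ""
    suspicious = any(USER_WRITABLE.search(p) for p in WIN_PATH.findall(action)) or \
        re.search(r"\b(regsvr32|rundll32|mshta|wscript|cscript|powershell)\b", action, re.I)
    return f"T1053.005 scheduled task runs: {action}" if suspicious else None


def check_jse(ev: Event) -> Optional[str]:
    """T1059.007: encoded JScript run by a script host or launched from PowerShell."""
    if ".jse" in ev.cmdline.lower() and _base(ev.image) in SCRIPT_HOSTS:
        return f"T1059.007 .jse script via {_base(ev.image)} (parent {_base(ev.parent)})"
    return None


def check_self_delete(ev: Event) -> Optional[str]:
    """T1070.004: cmd.exe deleting the running script (%~f0) or a dropped file."""
    if _base(ev.image) != "cmd.exe":
        return None
    m = re.search(r'\bdel\b[^&|]*?([a-z]:\\[^"\s]+|%~f0)', ev.cmdline, re.I)
    if m and (m.group(1) == "%~f0" or USER_WRITABLE.search(m.group(1))):
        return f"T1070.004 cmd.exe deleting {m.group(1)}"
    return None


CHECKS = (check_regsvr32, check_schtasks, check_jse, check_self_delete)


def triage(log: str) -> List[Tuple[str, str]]:
    """Run every rule over every record; return (timestamp, finding) pairs."""
    findings = []
    for line in log.strip().splitlines():
        ev = parse_event(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev.ts, hit))
    return findings


# Constructed sample: one spoofed-installer chain, one .jse launch, one benign regsvr32.
SAMPLE_LOG = r"""
2026-04-02T09:14:51Z|Image=C:\Users\admin\Downloads\astx-setup.exe|ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine="C:\Users\admin\Downloads\astx-setup.exe"
2026-04-02T09:14:53Z|Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Users\admin\Downloads\astx-setup.exe|CommandLine=regsvr32.exe /s C:\Users\admin\AppData\Local\Temp\MemLoader.dll
2026-04-02T09:14:54Z|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\regsvr32.exe|CommandLine=schtasks.exe /create /f /tn "ASTx Update" /tr "regsvr32.exe /s C:\Users\admin\AppData\Local\Temp\MemLoader.dll" /sc minute /mo 15
2026-04-02T09:14:55Z|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\admin\Downloads\astx-setup.exe|CommandLine=cmd.exe /q /c ping 127.0.0.1 -n 3 >nul & del /f /q "C:\Users\admin\AppData\Local\Temp\setup.bat"
2026-04-02T10:02:10Z|Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=wscript.exe //B C:\Users\admin\AppData\Local\Temp\fix-camera.jse
2026-04-02T11:30:00Z|Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\System32\msiexec.exe|CommandLine=regsvr32.exe /s C:\Windows\System32\scrrun.dll
"""

if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG):
        print(ts, finding)
```

The rules key on parent/child relationships and file locations rather than on the lure file names, so a renamed `astx-setup.exe` still trips them; the benign `regsvr32` call from `msiexec.exe` against a System32 DLL in the last record is there to show that the path check, not the binary name, carries the signal.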