Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

Summary

The North Korean state-sponsored threat actor Kimsuky has been identified in new cyber attacks against South Korean military and corporate entities during March and April 2026. The group utilized a variety of social engineering techniques, including fake security software installation pages and a deceptive Webex meeting page, to carry out these attacks.

IFF Assessment

FOE

This article details the actions of a sophisticated state-sponsored threat actor, indicating increased malicious activity and potential harm to targeted organizations.

Defender Context

Defenders should be aware of Kimsuky's evolving tactics, particularly their use of social engineering and new tools like HTTPSpy, HelloDoor, and VS Code tunnels. Vigilance against phishing attempts, especially those mimicking security software or collaboration tools, is crucial for mitigating these threats.
