Kimsuky Used a Fake Webex Page to Deliver an HTTPSpy Variant to the South Korean Military
ENKI says Kimsuky ran a March-April 2026 wave against South Korean military and corporate targets, delivering an HTTPSpy variant through a fake Webex meeting page wired to a real scheduled event and a new infection-verification technique it calls JSONPing.
HTTPSpy is not a new backdoor — it dates to 2022 and CrowdStrike documented it against a German defense firm in 2024. What is new is the delivery: Kimsuky is staging an HTTPSpy variant through a Webex meeting page bolted to a real, stolen meeting schedule.
SEOUL, SOUTH KOREA — The South Korean security firm ENKI disclosed this week that Kimsuky — the North Korean threat actor also tracked as Velvet Chollima, APT43, and Emerald Sleet — ran a fresh wave of attacks against South Korean military and corporate entities through March and April 2026, delivering a variant of the HTTPSpy backdoor through spoofed security-software installer pages and a counterfeit Cisco Webex meeting page wired to a legitimate, scheduled meeting.
The Hacker News reported the ENKI findings on May 29, 2026, the same day Kaspersky's Securelist published a parallel analysis tracing related Kimsuky tooling — the Rust-based HelloDoor backdoor, the December-2025 PebbleDash variant HttpMalice, and continued abuse of Visual Studio Code Remote Tunnels — across the defense, military, government, medical, machinery, and energy sectors in South Korea.
What Happened
ENKI's analysis describes two campaign tracks under the same Kimsuky umbrella. In March 2026, the operators stood up a bogus web page impersonating the security-software installation page of a South Korean business-to-business messaging service. The page offered two ostensibly defensive tools — a firewall and a keyboard-security program — and on download served one of two executables, nos-setup.exe or astx-setup.exe, masquerading as nProtect Online Security and AhnLab Safe Transaction. ENKI found the malicious logic in the two binaries to be identical: each launches a second-stage DLL, MemLoader.dll, through regsvr32.exe, then runs a batch script that deletes the installer from disk. The DLL installs persistence via a scheduled task and beacons to a command-and-control server for an as-yet-unidentified follow-on payload. Because the lure mimics a B2B messaging installer, ENKI assesses the activity was tailored to corporate messaging administrators.
The April 2026 track is the operationally novel one. The operators built a counterfeit Cisco Webex page that displayed a pop-up urging the target to download and run a script to fix camera-access issues. Following the prompt fetched a ZIP archive containing an encrypted JavaScript file named fix-camera.jse. From there a PowerShell-staged intermediate downloader, mTSTCv8.mdxm, ran anti-analysis checks and retrieved an engine.dat or spyInster.dll payload from C2; that payload dropped a loader, cacheMon.dat, that executed the HTTPSpy variant on the host. In parallel, the chain dropped and opened a local meeting.html file that immediately redirected the victim into a real Webex room tied to an actual scheduled meeting, leading ENKI to conclude that the operators compromised a service member's device or account, lifted the meeting schedule, and crafted the fake page to distribute malware to the other attendees.
HTTPSpy Is an Older Backdoor — the Variant and the Delivery Are What's New
It is worth being precise on what is and is not novel here. HTTPSpy is not a fresh discovery: its first use dates to 2022, and CrowdStrike documented Kimsuky deploying it against a German defense manufacturer's employees through a credential-phishing campaign between May 2024 and at least September 2024, in its 2025 European Threat Landscape Report. What ENKI documents is a 2026 variant of HTTPSpy delivered through a new social-engineering apparatus and verified on the victim through a previously unreported technique. The RAT capabilities themselves — shell commands, file upload and download, process execution, screenshot capture, DLL injection into named PIDs, and self-erasure — are recognisable from the earlier variant. The point of the disclosure is the campaign around the malware, not the malware on its own.
JSONPing — Real-Time Infection Verification Built Out of a Web Trick
The technique ENKI codenames JSONPing is the quieter operational innovation in the writeup. Alongside the spoofed pages used as initial-access lures, ENKI found additional fake pages designed to query a local server running on the victim's machine via JSONP — JSON with Padding, the cross-origin pattern that returns a JavaScript callback rather than a JSON document. The fake page uses JSONPing to confirm whether the malware is active on the host before presenting an installation prompt or serving the next payload. The downloaded payload's exact nature has not been recovered because the URL is currently inactive, but the design intent is clear: an operator can monitor recurring beacons from a particular victim and selectively deliver follow-on stages, in ENKI's framing, only to the targets it wants. It is a small piece of tradecraft that is easy to miss and hard to detect without specifically hunting for it.
Sibling to the May 14 PebbleDash Story — Same Cluster, Same Through-Line
This disclosure lands as a direct sibling to the May 14 Kimsuky PebbleDash and AppleSeed coverage in which Kaspersky documented expanded defense-sector targeting across South Korea, Brazil, and Germany, the LLM-developed HelloDoor backdoor, and the abuse of Visual Studio Code Remote Tunnels for covert remote access. The Kaspersky writeup published on May 29 extends that picture — naming HttpMalice as a December-2025 PebbleDash variant and detailing continued VS Code, Cloudflare Quick Tunnels, and DWAgent abuse — while ENKI's analysis fills in the social-engineering and delivery layer of the same operator. The through-line readers should carry forward is the DPRK developer-and-defense-targeting cluster: Kimsuky's operational tempo against South Korean military, corporate, and government targets has not slowed since mid-May, and the May 29 GreyVibe disclosure plus the wider ESET APT activity report covering October 2025 through March 2026 show the same trend running in parallel across other state-aligned actors.
Scope and Impact
The headline scope question — how many South Korean military or corporate targets were actually compromised in the March-April 2026 wave — is not quantified in ENKI's public account, and this account does not invent a figure. What ENKI does establish is the targeting set (South Korean military and corporate entities, with messaging administrators singled out by the B2B-messaging-service lure), the campaign window (March and April 2026), and the operational reach implied by the Webex tradecraft: if the operators were able to pull a real scheduled meeting from a compromised service member's device or account, the foothold predated the lure and the affected unit's other attendees were the secondary targeting pool.
The wider scope, per Kaspersky's parallel writeup, runs broader than ENKI's specific incidents. Kaspersky researcher Sojun Ryu reports that the PebbleDash and AppleSeed clusters together span the defense, military, government, medical, machinery, and energy sectors in South Korea, that the AppleSeed cluster is now shifting toward data exfiltration with GPKI certificate extraction as a signature capability — the same GPKI focus Kaspersky surfaced in its May 14 disclosure — and that the PebbleDash cluster has expanded remote-control capabilities and an expanding set of targets. Read alongside ENKI's findings, the picture is one operator running multiple toolchains and multiple delivery techniques against overlapping South Korean target sets in parallel.
What is genuinely not known, and worth surfacing, is the identity of the as-yet-unrecovered follow-on payload from the March 2026 B2B-messaging-installer lure, the full IOC set for the HTTPSpy variant, and the precise overlap (if any) between the operators ENKI tracks and the cluster Kaspersky details. The Kaspersky and ENKI accounts are consistent with a single Kimsuky operator running parallel tracks, but they do not, on their own, prove it. Readers should hold the through-line — Kimsuky's May 14 PebbleDash, AppleSeed, and HelloDoor activity plus the March-April 2026 HTTPSpy variant — as the same campaign cluster at confidence high enough to defend against, but should not collapse the two writeups into a single incident description.
Response and Attribution
For defense-sector and corporate CISOs in South Korea, the immediate action is to add the HTTPSpy variant IOCs to the detection stack as ENKI publishes them and to treat the file names ENKI surfaces — nos-setup.exe, astx-setup.exe, MemLoader.dll, fix-camera.jse, mTSTCv8.mdxm, engine.dat, spyInster.dll, cacheMon.dat, and the meeting.html redirector — as hunting starters in EDR and email-gateway logs. Audit inbound Webex meeting invitations and any landing pages claiming to address camera or audio access by cross-checking the meeting URL against the legitimate Webex scheduler before any participant downloads a fix script. Brief executives that a stolen meeting schedule is now documented Kimsuky tradecraft and that an invitation to a real meeting is no longer, on its own, evidence of a clean delivery channel. For all organisations that overlap with Kaspersky's broader target set — South Korean public-sector, medical, machinery, and energy entities — pivot historical EDR telemetry on VS Code Remote Tunneling sessions and code-tunnel binaries spawned from non-developer endpoints, and review DWAgent and Cloudflare Quick Tunnels usage for unexpected hosts and after-hours activity. The same legitimate-tool tradecraft is visible in adjacent DPRK activity covered in The CyberSignal's reporting on Lazarus's RemotePE memory-only RAT against finance and crypto targets.
On attribution, ENKI's account and the Kaspersky parallel both attribute the activity to Kimsuky, and the four-alias hedge — Kimsuky / Velvet Chollima / APT43 / Emerald Sleet — should travel with any internal briefing on these incidents. The aliases describe overlapping but not identical tracking sets across vendors, and preserving them on first reference avoids the drift that turns a multi-vendor consensus into a single-vendor claim. For SOC and threat-hunting teams, the operational task this week is the JSONP detection: write detection logic for unexpected JSONP-style requests (script loads carrying a callback parameter) from a workstation's browser to a locally bound port, especially when the page issuing them is a fake security-software or videoconference landing page the workstation has just visited. Such requests never leave the host, so they have to be caught with endpoint or browser telemetry rather than at the perimeter. JSONPing is small enough to hide behind ordinary cross-origin web traffic, and it has to be hunted for explicitly to be found.
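One way to start the hunt that the JSONPing description and the SOC task above call for, as an added example that is not ENKI's or the article's code: a Python filter over endpoint web-request telemetry that flags a remote page driving a JSONP-style (callback-parameter) request at a port bound on the workstation itself, while ignoring local developer tooling that legitimately does the same. The log format, field names, callback parameter list, and the hosts, ports and callback names in the sample lines are constructed assumptions, and the script presumes telemetry that records browser requests to loopback, since those never cross the network perimeter.

```python
"""Hunt for JSONP-style probes of loopback ports in endpoint web telemetry."""
from urllib.parse import urlsplit, parse_qs

# Query parameter names commonly used to carry a JSONP callback (assumption).
CALLBACK_PARAMS = {"callback", "cb", "jsonp", "jsonpcallback"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample telemetry: "<timestamp> <endpoint> <method> <url> <referer>".
# Hosts, ports and callback names are made up for this example.
SAMPLE_LOG = [
    "2026-04-07T09:12:03Z WKS-0413 GET http://127.0.0.1:51230/status?callback=jp_7f3 https://meeting-fix.example/webex",
    "2026-04-07T09:12:04Z WKS-0413 GET https://cdn.example/lib.js?callback=init https://meeting-fix.example/webex",
    "2026-04-07T09:13:10Z WKS-0211 GET http://localhost:8080/api/health -",
    "2026-04-07T09:14:55Z WKS-0102 GET http://[::1]:4471/ping?cb=k9 http://localhost:3000/dev",
]


def is_loopback(host: str) -> bool:
    """True for loopback literals, including the whole 127.0.0.0/8 range."""
    host = host.strip("[]").lower()
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def classify(line: str):
    """Return a finding when a page served from elsewhere drives a JSONP-style
    request at a locally bound port on the endpoint; otherwise None."""
    ts, endpoint, _method, url, referer = line.split(maxsplit=4)
    target = urlsplit(url)
    if not is_loopback(target.hostname or ""):
        return None          # not aimed at the local host
    callbacks = [v[0] for k, v in parse_qs(target.query).items()
                 if k.lower() in CALLBACK_PARAMS]
    if not callbacks:
        return None          # plain local request, no callback wrapper requested
    ref_host = urlsplit(referer).hostname or ""
    # Local dev tooling also talks to localhost with callbacks; the signal is a
    # remote page (non-loopback referer) probing a port on the victim's machine.
    if referer == "-" or is_loopback(ref_host):
        return None
    return {"ts": ts, "endpoint": endpoint, "port": target.port,
            "callback": callbacks[0], "referer_host": ref_host}


def hunt(lines):
    """Run classify() over telemetry lines and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]
```

Pairing a hit with the same endpoint's recent visits to lookalike videoconference or security-software pages, as the article suggests, is the next filter to layer on.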
The CyberSignal Analysis
Signal 01 — The Operationally Novel Element Is the Stolen Meeting Schedule, Not the Backdoor
The strongest piece of Kimsuky tradecraft in this disclosure is not the HTTPSpy variant, and it is not even JSONPing. It is the choice to spoof a Webex page wired to a real, scheduled meeting on a compromised service member's device. That move converts what would otherwise be a generic videoconference lure into a context-rich, plausible delivery channel that the targeted attendees have no reason to question — the meeting on the link is the meeting they were already attending. It is the same operational pattern that makes spear-phishing work, scaled up to a live, multi-attendee distribution surface. The defensive implication is hard: technical controls on email gateways and EDR catch the malware end of this chain, but not the trust end. Executives who accept a Webex invitation because the meeting exists and the schedule matches need to know that a real meeting is no longer proof of a clean channel.
Signal 02 — HTTPSpy Belongs to the Same DPRK Developer-and-Defense Cluster as PebbleDash and AppleSeed
Read in isolation, the HTTPSpy variant is one more Kimsuky backdoor. Read in context, it is the third Kimsuky disclosure in 15 days, alongside the May 14 PebbleDash and AppleSeed writeup and the May 29 Kaspersky update on HelloDoor and HttpMalice. Across those disclosures the through-line is consistent: a DPRK operator running multiple toolchains in parallel against South Korean military, corporate, and government targets, with active development on each toolchain, active delivery experimentation, and active investment in legitimate-tool tradecraft like VS Code Remote Tunnels and DWAgent. The right mental model is a single operator with a sprawling, well-resourced campaign architecture — not a series of separate incidents. Threat-model and incident-response playbooks should reflect that scope.
Signal 03 — JSONPing Is the Class of Innovation Defenders Should Expect More Of
JSONPing is small. It is one technique, in one campaign track, and the URL it points to is currently inactive. But the design — a fake page that quietly confirms its target before serving the payload — is the kind of operational refinement that pays for itself many times over once it is wired into a long-running campaign. It lowers the operator's detection surface (no payload is served to a sandbox that has not first verified the malware), it raises the defender's hunting burden (the JSONP callback hides inside ordinary cross-origin web traffic), and it is portable enough to bolt onto almost any web-staged delivery chain. Defenders should expect this class of small, hard-to-spot delivery refinement to keep appearing — and should write the detection logic for JSONP-style callback requests from workstation browsers to locally bound ports as a standing hunt, not a one-off response to this writeup.