North Korean Kimsuky Group Targets South Korean Military With New Tools
On 29 May 2026, security researchers reported that the North Korean-linked Kimsuky cyber espionage group is actively targeting South Korean military and corporate networks. The group is deploying the new HTTPSpy RAT via fake software sites and spoofed Webex meetings, alongside additional backdoors and tunneling techniques.
Key Takeaways
- Kimsuky, a North Korean state-linked cyber unit, is conducting new campaigns against South Korean military and corporate targets.
- As of 29 May 2026, the group is using the HTTPSpy remote access trojan delivered through fake security software pages and spoofed Webex meeting lures.
- Kimsuky has expanded its toolkit with the HelloDoor backdoor and VS Code-based tunneling for stealthy persistence and data exfiltration.
- The activity underscores Pyongyang’s continued reliance on cyber espionage to gather defense, political, and economic intelligence.
On 29 May 2026, cybersecurity reporting indicated that the North Korean-affiliated Kimsuky group is conducting an active espionage campaign against South Korean military and corporate entities. Around 05:59 UTC, analysts detailed how the group is deploying a new remote access trojan (RAT) dubbed HTTPSpy, compromising victims via malicious websites impersonating legitimate security software vendors and through fraudulent Webex meeting invitations.
Kimsuky is a long-standing North Korean cyber operation known for intelligence collection efforts targeting South Korea, the United States, and other countries involved in regional security and sanctions policy. The group traditionally focuses on think tanks, government agencies, defense contractors, and energy firms. Its latest campaign demonstrates ongoing adaptation and technical evolution.
The HTTPSpy RAT provides attackers with full remote control over infected systems, including file access, keystroke logging, and the ability to install additional payloads. The delivery mechanisms reported—fake security software pages and spoofed Webex meetings—indicate an emphasis on social engineering against users who handle sensitive information or who are accustomed to frequent remote collaboration.
In addition to HTTPSpy, Kimsuky is reportedly incorporating the HelloDoor backdoor and leveraging Visual Studio Code (VS Code) tunneling features to establish and maintain covert channels into victim networks. HelloDoor likely provides stealthy persistence, while VS Code tunneling allows encrypted communication that can blend in with legitimate developer or administrative traffic, complicating detection by network defenders.
Key players include North Korean intelligence services directing Kimsuky’s operations; South Korean defense and corporate entities that are primary targets; and the broader international cybersecurity community tracking and mitigating the threat. South Korean military networks are particularly attractive to Pyongyang for insights into force posture, modernization plans, and allied cooperation, while corporate targets offer economic and technological intelligence.
The significance of this campaign is twofold. First, it demonstrates that North Korea continues to invest in cyber capabilities as a core element of its asymmetric strategy, offsetting conventional military and economic disadvantages. Second, the specific focus on South Korean military and corporate targets at this time suggests an intelligence requirement tied to ongoing regional security developments, including allied exercises, missile defense deployments, and sanctions enforcement.
From a regional security perspective, successful intrusions could provide Pyongyang with sensitive information on South Korean and allied plans, potentially enabling more calibrated provocations or helping North Korea circumvent economic restrictions. On the corporate side, theft of intellectual property or strategic business data could support North Korea’s sanctioned industries or be monetized via third parties.
Globally, the campaign underscores a persistent challenge: state-linked actors exploiting widely used collaboration and development tools as attack vectors. The abuse of fake security software sites also erodes user trust in legitimate update and download mechanisms, complicating efforts to promote good cyber hygiene.
Outlook & Way Forward
In the near term, South Korean and allied defense organizations are likely to harden their networks against the specific indicators associated with HTTPSpy, HelloDoor, and VS Code tunneling. Expect advisories emphasizing verification of software download sources, careful scrutiny of Webex and other meeting invites, and enhanced monitoring of outbound developer-related traffic.
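The outlook above recommends enhanced monitoring of outbound developer-related traffic, and the earlier description of VS Code tunneling notes that such channels blend in with legitimate developer traffic. The following is an added example, not code from the original report or from any vendor cited in it, showing the kind of check a SOC can run over egress logs: it flags connections to the Visual Studio Code Remote Tunnels / dev tunnels service hostnames (taken from Microsoft's Remote Tunnels documentation; confirm them against your own allow-list) from hosts that are not approved to use tunnels, and separately flags any host whose outbound volume to those services crosses a threshold. The log format, host names, approved-host list and 50 MiB threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hostname suffixes used by VS Code Remote Tunnels and Microsoft dev tunnels.
# Source: Microsoft's Remote Tunnels documentation; verify against your environment.
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

# Constructed allow-list: hosts that legitimately use VS Code tunnels.
APPROVED_TUNNEL_HOSTS = {"devops-build01"}

# Constructed threshold: flag any host sending more than this to tunnel services.
HIGH_VOLUME_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    src_host: str
    dest_host: str
    reason: str


# Constructed egress-log format: <timestamp> <source host> <destination hostname> <bytes out>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes_out>\d+)$")


def is_tunnel_host(hostname: str) -> bool:
    """True if the destination is a VS Code tunnel service endpoint (exact or subdomain match)."""
    h = hostname.lower().rstrip(".")
    return any(h == suffix[1:] or h.endswith(suffix) for suffix in TUNNEL_DOMAIN_SUFFIXES)


def parse_line(line: str):
    """Return (src, dst, bytes_out) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("bytes_out"))


def scan(lines, approved=APPROVED_TUNNEL_HOSTS, high_volume=HIGH_VOLUME_BYTES):
    """Flag tunnel-service use from non-approved hosts and high outbound volume per host."""
    findings = []
    reported = set()               # (src, dst) pairs already reported, to avoid duplicates
    volume = defaultdict(int)      # total bytes sent to tunnel services per source host
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, bytes_out = parsed
        if not is_tunnel_host(dst):
            continue
        volume[src] += bytes_out
        if src not in approved and (src, dst) not in reported:
            reported.add((src, dst))
            findings.append(Finding(src, dst, "tunnel service contacted from non-approved host"))
    for src, total in volume.items():
        if total >= high_volume:
            findings.append(Finding(src, "*", f"{total} bytes sent to tunnel services"))
    return findings


# Constructed sample log lines (hosts, hostnames and timestamps are made up).
SAMPLE_LOG = """\
2026-05-29T06:01:12Z ws-finance-07 global.rel.tunnels.api.visualstudio.com 48211
2026-05-29T06:01:40Z devops-build01 abc123xy.euw.devtunnels.ms 20480
2026-05-29T06:02:03Z ws-hr-02 collab.example.invalid 9120
2026-05-29T06:05:17Z ws-finance-07 a1b2c3d4.kor.devtunnels.ms 73400320
2026-05-29T06:07:55Z devops-build01 global.rel.tunnels.api.visualstudio.com 1024
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.src_host} -> {f.dest_host}: {f.reason}")
```

On the sample data the approved build host is left alone, while the finance workstation is reported twice for contacting tunnel endpoints and once more for its outbound volume. The suffix match is anchored on the full hostname, so a lookalike such as `tunnels.api.visualstudio.com.attacker.invalid` does not match; in production the same logic applies equally to DNS query logs or proxy SNI fields, and the allow-list should be tied to the change record that authorised tunnel use on each host.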
Over the longer term, Kimsuky is likely to iterate on these tools as defenders publish signatures and detection methods. As with previous North Korean campaigns, the group may pivot sectors or geographic focus, but its core targeting of South Korea and allied actors will remain constant. Organizations in sectors historically hit by Kimsuky—defense, energy, policy analysis, and technology—should treat this as a sustained threat, not a one-off event.
Strategically, this activity reinforces calls for more coordinated cyber defense among U.S. allies in Northeast Asia, including broader sharing of threat intelligence and joint exercises simulating advanced state-linked intrusions. Indicators to watch include reports of data theft from South Korean defense contractors, changes in North Korean negotiation postures that might reflect new intelligence, and any signs that Kimsuky’s tools are being shared or repurposed by other threat actors. The likelihood of continued, low-visibility cyber operations from Pyongyang remains high.
Sources
- OSINT