# North Korean Kimsuky Group Targets South Korea With New Malware

*Friday, May 29, 2026 at 6:11 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-05-29T06:11:38.237Z
**Category**: cyber | **Region**: East Asia
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/5730.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: On 29 May, cybersecurity researchers reported that North Korea-linked Kimsuky hackers are conducting new campaigns against South Korean military and corporate networks. The group is deploying the HTTPSpy RAT via spoofed security sites and Webex pages, alongside new backdoors for stealthy access.

## Key Takeaways
- As of 29 May 2026, Kimsuky, a North Korean state-linked group, is actively targeting South Korean military and corporate entities.
- The campaigns use fake security software pages and spoofed Webex meeting sites to deliver the HTTPSpy remote access trojan.
- Kimsuky has expanded its toolkit to include the HelloDoor backdoor and Visual Studio Code-based tunneling techniques to evade detection.
- The activity underscores persistent North Korean cyber espionage efforts and raises concerns about potential data theft and network compromise in sensitive sectors.

On 29 May 2026, cybersecurity analysts reported fresh activity by the North Korea-aligned threat actor known as Kimsuky, detailing an ongoing wave of cyber-espionage operations focused on South Korean military and corporate targets. According to these assessments, the initial access relies on social engineering rather than exploits: fake security software download pages and spoofed Webex meeting invitations lead victims to install the HTTPSpy remote access trojan (RAT) themselves.

Once installed, HTTPSpy gives the operators persistent remote control over the compromised host, enabling credential theft, file exfiltration, keylogging, and lateral movement across the network. The latest campaigns also incorporate the HelloDoor backdoor and abuse of Visual Studio Code (VS Code) remote tunnels. A VS Code tunnel relays the operator's session through Microsoft-operated infrastructure over outbound HTTPS, so the command channel rides on a legitimately signed tool and a reputable domain instead of bespoke C2 infrastructure, which is why signature- and reputation-based controls have a harder time spotting it.

### Background & Context

Kimsuky has been active for more than a decade, primarily engaged in espionage against South Korean government institutions, defense contractors, think tanks, and other politically relevant organizations. The group is widely believed to operate under the direction of North Korea’s intelligence services, focusing on gathering strategic information related to defense policy, sanctions, diplomatic negotiations, and advanced technologies.

Historically, Kimsuky has relied on spear-phishing emails, malicious Office documents, and compromised websites. The shift toward impersonating security products and widely used collaboration platforms like Webex reflects an evolution in its tradecraft, seeking to blend into normal user behavior and exploit trust in legitimate software ecosystems.

### Key Players Involved

The primary actor is the Kimsuky group itself, which likely operates from North Korea or proxy locations, using global infrastructure such as rented servers and hijacked accounts. The victims include South Korean military organizations, defense industry firms, and broader corporate targets, particularly those handling sensitive technical or policy information.

South Korea’s national cybersecurity agencies, military CERT teams, and private-sector security providers are engaged in detection, incident response, and user awareness campaigns. International partners may also be involved in sharing indicators of compromise (IOCs) and analytic insights to blunt Kimsuky’s operations.

### Why It Matters

The latest Kimsuky campaigns are significant for several reasons:

1. **Targeting of defense and strategic sectors**: Successful intrusions into South Korean military or defense contractor networks could yield high-value intelligence on force posture, acquisition plans, and alliance coordination with the U.S. and other partners.

2. **Tool and technique evolution**: The adoption of HTTPSpy, HelloDoor, and VS Code tunneling shows that Kimsuky is investing in more advanced, stealthy toolchains. This raises the bar for detection and underscores the need for behavioral and anomaly-based defenses, not just signature-based tools.

3. **Broader threat proliferation**: Tactics refined against South Korea could be repurposed against other countries, particularly those involved in regional security dialogues or sanctions enforcement.

### Regional and Global Implications

Regionally, Kimsuky’s activity forms part of a broader North Korean cyber strategy that includes both espionage and financially motivated operations, such as cryptocurrency theft. Persistent intrusions can erode trust in digital infrastructure, divert security resources, and complicate coalition military planning.

Globally, the campaigns reinforce North Korea’s position as a capable and active cyber adversary. The use of developer tools like VS Code for tunneling illustrates a blurring of lines between legitimate IT workflows and malicious activity, with implications for organizations worldwide that rely on similar tools. It also highlights the challenge of defending remote and hybrid work environments where collaboration platforms and code editors are ubiquitous.

Internationally, revelations about state-linked cyber-espionage operations often feed into sanctions debates and calls for attribution and public exposure. However, concrete legal or diplomatic consequences for Pyongyang remain limited, given its isolation and the difficulty of imposing additional effective penalties.

## Outlook & Way Forward

In the near term, South Korean institutions are likely to issue updated advisories warning users about fake security sites and suspicious Webex invitations, while pushing out new network signatures and detection rules for HTTPSpy, HelloDoor, and associated infrastructure. Organizations in defense and high-tech sectors should prioritize phishing resistance training, hardening of remote access pathways, and continuous monitoring for VS Code tunnel activity where it is not expected: the VS Code CLI launched with the tunnel subcommand on machines that are not developer workstations, tunnel registrations installed as a persistent service, or DNS lookups and outbound connections to the tunnel relay service from hosts that have no reason to use it.
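The VS Code tunnel abuse described in the summary above, and the monitoring this paragraph recommends, can be turned into a concrete check. The following detector is an added example written for this page; it is not code from the article, from the researchers it cites, or from any vendor. It runs over constructed, Sysmon-style process-creation and DNS events serialised as JSON lines and flags the VS Code CLI being used to open a tunnel on a non-developer host, the `tunnel service install` persistence form, and lookups of the tunnel relay domains. The CLI syntax and the relay domains (`*.tunnels.api.visualstudio.com`, `*.devtunnels.ms`) are assumptions taken from Microsoft's public documentation of the feature rather than from the page, and the event format, host names, paths and developer-host allow-list are invented for the example.

```python
"""
Added example: a detector for VS Code Remote Tunnel abuse of the kind the
report attributes to Kimsuky. Not code from the article or from any vendor;
it runs over constructed, Sysmon-style process-creation and DNS events
serialised as JSON lines.

Assumptions (not from the article): the ``code tunnel`` CLI syntax, the
``tunnel service install`` persistence form, and the relay domains
``*.tunnels.api.visualstudio.com`` / ``*.devtunnels.ms`` come from
Microsoft's public documentation and should be re-checked against it; the
event format and the developer-host allow-list are invented.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allow-list: hosts where a developer tunnel is expected.
DEV_HOST_ALLOWLIST = {"dev-ws-01", "dev-ws-02"}

# Relay domains for VS Code Remote Tunnels / Dev Tunnels (assumed; see above).
TUNNEL_DOMAIN_RE = re.compile(
    r"(?:^|\.)(?:tunnels\.api\.visualstudio\.com|devtunnels\.ms)$", re.IGNORECASE
)
# The VS Code CLI binary (code / code.exe, quoted or not) followed by ``tunnel``.
TUNNEL_CMD_RE = re.compile(
    r"(?:^|[\\/\s\"'])code(?:\.exe)?[\"']?\s+tunnel\b", re.IGNORECASE
)
# ``code tunnel service install`` registers the tunnel as a persistent service.
SERVICE_INSTALL_RE = re.compile(r"\bservice\s+install\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_process(rec: dict) -> Optional[Finding]:
    """Flag the VS Code CLI being used to open a tunnel."""
    cmd = rec.get("CommandLine", "")
    host = rec.get("Computer", "?")
    if not TUNNEL_CMD_RE.search(cmd):
        return None
    if SERVICE_INSTALL_RE.search(cmd):
        # Persistence is worth a look even on a developer workstation.
        return Finding(host, "vscode_tunnel_service_persistence", cmd)
    if host in DEV_HOST_ALLOWLIST:
        return None
    return Finding(host, "vscode_tunnel_cli_on_non_dev_host", cmd)


def check_dns(rec: dict) -> Optional[Finding]:
    """Flag lookups of the tunnel relay domains from non-developer hosts."""
    qname = rec.get("QueryName", "")
    host = rec.get("Computer", "?")
    if TUNNEL_DOMAIN_RE.search(qname) and host not in DEV_HOST_ALLOWLIST:
        return Finding(host, "tunnel_relay_dns_from_non_dev_host", qname)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run both checks over JSON-lines events; unknown event types are skipped."""
    checks = {"ProcessCreate": check_process, "DnsQuery": check_dns}
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        check = checks.get(rec.get("EventType"))
        if check is None:
            continue
        finding = check(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (JSON lines); paths and host names are invented.
SAMPLE_EVENTS = r"""
{"EventType":"ProcessCreate","Computer":"FIN-PC-17","CommandLine":"\"C:\\Users\\kim\\AppData\\Local\\Temp\\code.exe\" tunnel --accept-server-license-terms --name fin-pc-17"}
{"EventType":"ProcessCreate","Computer":"dev-ws-01","CommandLine":"code tunnel --accept-server-license-terms"}
{"EventType":"ProcessCreate","Computer":"FIN-PC-17","CommandLine":"notepad.exe C:\\docs\\tunnel.txt"}
{"EventType":"ProcessCreate","Computer":"WS-22","CommandLine":"\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" --folder-uri file:///C:/proj"}
{"EventType":"ProcessCreate","Computer":"HR-LAPTOP-3","CommandLine":"C:\\Temp\\code.exe tunnel service install --accept-server-license-terms"}
{"EventType":"DnsQuery","Computer":"FIN-PC-17","QueryName":"global.rel.tunnels.api.visualstudio.com"}
{"EventType":"DnsQuery","Computer":"dev-ws-02","QueryName":"global.rel.tunnels.api.visualstudio.com"}
{"EventType":"DnsQuery","Computer":"HR-LAPTOP-3","QueryName":"abc123-8080.euw.devtunnels.ms"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f.host:12} {f.rule:38} {f.detail}")
```

Run as a script it reports four findings and stays silent on the allow-listed developer hosts, the benign `Code.exe --folder-uri` launch, and the file that merely has "tunnel" in its name. The same two rules translate directly into a SIEM query over process-creation and DNS telemetry; because the tunnel itself is TLS to Microsoft infrastructure, blocking it at the network layer means DNS or proxy policy on the relay domains, not payload inspection, and the domain list should be confirmed against current Microsoft documentation before it is enforced.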

Over the medium term, Kimsuky will likely adjust its tactics in response to public reporting, rotating infrastructure, rebranding malware, and experimenting with other legitimate collaboration tools as cover. Defenders in South Korea and allied countries will need to move toward more proactive threat hunting, intelligence-sharing, and zero-trust architectures that limit the damage from inevitable intrusions.

Strategically, North Korea’s ongoing investment in cyber capabilities suggests that such operations will remain a core component of its asymmetric toolkit, alongside missile tests and nuclear signaling. Analysts should monitor for spillover operations targeting other regional actors, integration of espionage gains into North Korean military planning, and any signs that Kimsuky or related groups are shifting into destructive or disruptive campaigns beyond intelligence collection.
