North Korean Kimsuky Hackers Target South Korean Military With New Tools
Reports on 29 May 2026 reveal that the North Korean-aligned Kimsuky group is deploying a new HTTPSpy remote access trojan against South Korean military and corporate targets. The campaign uses fake security software pages and spoofed Webex meetings, alongside new backdoors and tunneling techniques.
Key Takeaways
- As of 29 May 2026, the Kimsuky threat group is actively targeting South Korean military and corporate entities with a new HTTPSpy remote access trojan.
- Attackers are using social engineering lures, including fake security software download pages and spoofed Webex meeting invitations, to deliver malware.
- Kimsuky is expanding its toolkit with the HelloDoor backdoor and Visual Studio Code–based tunneling for stealthier persistence and data exfiltration.
- The campaign underscores the persistent cyber espionage threat from North Korea and the need for enhanced defenses in South Korea’s defence and industrial sectors.
Analysis released around 05:59 UTC on 29 May 2026 indicates that the North Korean-aligned Kimsuky cyber espionage group has launched a new wave of intrusions against South Korean targets, focusing particularly on military and corporate networks. The group is deploying a newly documented malware family dubbed HTTPSpy, a remote access trojan (RAT) designed to provide attackers with persistent control over compromised systems and facilitate data theft.
The campaign relies heavily on social engineering and credential theft. Kimsuky operators are crafting fake security software web pages that mimic legitimate antivirus or endpoint protection vendors, tricking users into downloading what they believe to be software updates. In parallel, the group is distributing spoofed Webex meeting invitations that, once clicked, redirect victims to malicious sites or initiate malware downloads.
Beyond HTTPSpy, the group is reportedly enhancing its arsenal with additional tools. One such component is the HelloDoor backdoor, engineered to maintain covert access within networks that might otherwise expel commodity malware quickly. Another is the use of tunneling via Visual Studio Code (VS Code), leveraging its remote development features to establish stealthy communication channels that blend in with normal developer traffic.
Key actors include the Kimsuky group, which has a long record of operations associated with North Korea’s intelligence apparatus, and South Korean military institutions and defence contractors that are prime targets for intelligence collection on capabilities, planning, and procurement. South Korean corporate entities, particularly in high‑tech sectors, are also in the crosshairs for intellectual property theft.
This activity matters because it highlights both continuity and evolution in North Korean cyber operations. Kimsuky has historically focused on espionage rather than disruptive attacks, making it a persistent but sometimes underappreciated threat. The introduction of HTTPSpy and sophisticated tunneling suggests a deliberate investment in staying ahead of defensive measures and detection technologies.
Regionally, South Korea remains on the front line of cyber operations emanating from the North, with intrusions often timed to coincide with political or military developments. Sensitive data on force posture, joint exercises with the United States, and emerging weapons systems are all likely collection priorities. Successful compromises could inform North Korean strategic planning and negotiation positions, while stolen corporate IP can be used to support sanctions‑evading industries or domestic technological development.
Globally, Kimsuky’s adoption of widely used collaboration tools like Webex and development platforms like VS Code as attack vectors underscores the broader challenge of defending against supply chain and living‑off‑the‑land techniques. Organizations beyond South Korea that interact with Korean entities, including foreign defence contractors and diplomatic missions, may be exposed through shared communication channels.
Outlook & Way Forward
In the short term, South Korean authorities and private sector defenders will likely issue targeted advisories, update intrusion detection signatures, and step up monitoring of traffic associated with fake security sites, Webex meeting links, and VS Code remote extensions. User awareness campaigns emphasizing caution around unsolicited meeting invitations and software update prompts will be critical to blunting Kimsuky’s initial access tactics.
Technical countermeasures should include tighter application whitelisting, stronger controls around code signing and software distribution, and network segmentation to limit lateral movement once an endpoint is compromised. Given Kimsuky’s focus on stealthy persistence, regular threat hunting exercises targeting anomalous VS Code activity, unusual outbound HTTP(S) traffic patterns, and dormant scheduled tasks will be important.
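The hunting checks named above (anomalous VS Code activity, unusual outbound HTTP(S) traffic, dormant scheduled tasks) can be expressed as simple rules over ordinary telemetry. The following is an added example written for this article, not code from the original report or from any vendor: it runs three such checks over constructed sample records shaped like EDR process events, web-proxy log rows and a scheduled-task inventory. The field names, the developer-host allowlist and all sample values are assumptions; the tunnel-service domain suffixes are the documented endpoints that VS Code's `code tunnel` feature connects to, which is what makes the tunneling described earlier detectable at the proxy even when the traffic itself looks like routine developer activity.

```python
"""Threat-hunting checks for VS Code tunneling and parked scheduled tasks.

Added example, not from the original article. Inputs are constructed sample
records (EDR process events, proxy logs, scheduled-task inventory); field
names are assumptions, not a real product's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Endpoints VS Code's `code tunnel` feature registers with (Microsoft's dev-tunnel
# service). Tunnel traffic from a host with no remote-dev role deserves a look.
TUNNEL_DOMAIN_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

# Hosts where VS Code remote development is legitimately expected (assumed allowlist).
DEVELOPER_HOSTS = {"dev-ws-01"}

# code / code.exe / code.cmd / code-tunnel launched with the `tunnel` subcommand.
VSCODE_TUNNEL_CMD = re.compile(
    r"(?:^|[\\/\s\"'])code(?:-tunnel)?(?:\.exe|\.cmd)?[\"']?\s.*\btunnel\b", re.IGNORECASE
)

# Directories any user can write to; tasks launching from here are worth a second look.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def hunt_process_events(events: list[dict]) -> list[Finding]:
    """Flag VS Code started in tunnel mode: it gives whoever holds the tunnel a
    terminal and file access on the host, routed through Microsoft's service."""
    return [
        Finding(e["host"], "vscode-tunnel-launch", f"{e['user']}: {e['cmdline']}")
        for e in events
        if VSCODE_TUNNEL_CMD.search(e["cmdline"])
    ]


def hunt_proxy_logs(rows: list[dict]) -> list[Finding]:
    """Flag tunnel-service egress from hosts outside the developer allowlist."""
    out = []
    for r in rows:
        dest = r["dest_host"].lower()
        if any(dest.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES) and r["host"] not in DEVELOPER_HOSTS:
            out.append(Finding(r["host"], "tunnel-service-egress", f"{r['dest_host']} via {r['user_agent']}"))
    return out


def hunt_scheduled_tasks(tasks: list[dict], now: datetime,
                         dormant_after: timedelta = timedelta(days=7)) -> list[Finding]:
    """Flag tasks that have sat unrun long after registration (a parked trigger)
    or whose action lives in a user-writable path, where droppers tend to stage."""
    out = []
    for t in tasks:
        reasons = []
        if t["last_run"] is None and now - t["registered"] >= dormant_after:
            reasons.append(f"never run since {t['registered']:%Y-%m-%d}")
        if USER_WRITABLE.search(t["action"]):
            reasons.append("action in user-writable path")
        if reasons:
            out.append(Finding(t["host"], "suspicious-scheduled-task", f"{t['name']}: " + "; ".join(reasons)))
    return out


# ---- constructed sample telemetry (not real data) ----
NOW = datetime(2026, 5, 29, 6, 0, tzinfo=timezone.utc)

SAMPLE_PROCESS_EVENTS = [
    {"host": "hr-pc-17", "user": "j.park",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code.cmd" tunnel --accept-server-license-terms --name hr-pc-17'},
    {"host": "dev-ws-01", "user": "m.lee",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\service\main.go'},
]
SAMPLE_PROXY_LOGS = [
    {"host": "hr-pc-17", "dest_host": "global.rel.tunnels.api.visualstudio.com", "user_agent": "code-tunnel"},
    {"host": "dev-ws-01", "dest_host": "global.rel.tunnels.api.visualstudio.com", "user_agent": "code-tunnel"},
    {"host": "hr-pc-17", "dest_host": "update.microsoft.com", "user_agent": "Windows-Update-Agent"},
]
SAMPLE_TASKS = [
    {"host": "hr-pc-17", "name": "SecurityUpdateCheck", "registered": NOW - timedelta(days=20),
     "last_run": None, "action": r"C:\Users\j.park\AppData\Roaming\secupd\upd.exe"},
    {"host": "hr-pc-17", "name": "OneDrive Reporting", "registered": NOW - timedelta(days=200),
     "last_run": NOW - timedelta(hours=3),
     "action": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"},
]


def run_hunt() -> list[Finding]:
    """Run all three checks over the sample telemetry and return the findings."""
    return (hunt_process_events(SAMPLE_PROCESS_EVENTS)
            + hunt_proxy_logs(SAMPLE_PROXY_LOGS)
            + hunt_scheduled_tasks(SAMPLE_TASKS, NOW))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the developer workstation produces no findings while the HR workstation trips all three rules: a tunnel launch, egress to the tunnel service, and a never-run task staged under AppData. The allowlist is the important tuning knob; without it, a real developer population would drown the tunnel-egress rule in noise, so the rule is best paired with an inventory of who is expected to use VS Code remote features.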
Strategically, the campaign is another data point reinforcing the need for sustained investment in cyber defense and resilience across South Korea’s military and industrial base. Allies, particularly the United States and Japan, may increase intelligence sharing on Kimsuky indicators and techniques, and integrate these findings into joint cyber exercises. Observers should watch for any signs that Kimsuky is moving beyond espionage into pre‑positioning for disruptive operations, which would signal a more aggressive posture in the cyber domain aligned with broader regional tensions.
Sources
- OSINT