Kimsuky Evolution: Deployment of HTTPSpy, Rust-based HelloDoor, and Microsoft VS Code Tunneling for Stealth Persistence

The North Korean state-sponsored threat actor Kimsuky (Velvet Chollima) has implemented a significant technical pivot between March and April 2026, shifting from legacy C++ and .NET frameworks toward memory-safe languages and cloud-native persistence mechanisms. The actor deployed "HelloDoor," a backdoor authored in Rust to evade signature-based Endpoint Detection and Response (EDR) systems, and "HTTPSpy," a specialized tool for intercepting encrypted web traffic and exfiltrating credentials. To bypass strict egress firewall policies and neutralize network-level detection, Kimsuky integrated Microsoft VS Code Remote Tunneling, encapsulating Command and Control (C2) traffic within encrypted tunnels routed through legitimate Microsoft relay infrastructure. This campaign targeted South Korean military and corporate entities using high-fidelity social engineering, including spoofed security software portals and fraudulent Webex interfaces, delivering payloads linked to the PebbleDash and AppleSeed malware clusters.
