INC Ransomware: Technical Evolution to Lynx RaaS
INC Ransomware has evolved into Lynx RaaS, transitioning its core encryption engine to a Rust-based codebase to enhance execution speed, ensure memory safety, and bypass modern EDR/XDR detections. By capitalizing on the disruption of LockBit and BlackCat, the group recruited high-tier affiliates, claiming over 830 victims since August 2023. The operation utilizes sophisticated RaaS management panels for affiliate deployment, though researchers have identified vulnerabilities within the group's backend infrastructure. This transition signals a professionalization of their operational security and technical capabilities, posing a heightened risk to global enterprises.
Kimsuky Evolution: Deployment of HTTPSpy, Rust-based HelloDoor, and Microsoft VS Code Tunneling for Stealth Persistence
The North Korean state-sponsored threat actor Kimsuky (Velvet Chollima) has implemented a significant technical pivot between March and April 2026, shifting from legacy C++ and .NET frameworks toward memory-safe languages and cloud-native persistence mechanisms. The actor deployed "HelloDoor," a backdoor authored in Rust to evade signature-based Endpoint Detection and Response (EDR) systems, and "HTTPSpy," a specialized tool for intercepting encrypted web traffic and exfiltrating credentials. To bypass strict egress firewall policies and neutralize network-level detection, Kimsuky integrated Microsoft VS Code Remote Tunneling, encapsulating Command and Control (C2) traffic within encrypted tunnels routed through legitimate Microsoft relay infrastructure. This campaign targeted South Korean military and corporate entities using high-fidelity social engineering, including spoofed security software portals and fraudulent Webex interfaces, delivering payloads linked to the PebbleDash and AppleSeed malware clusters.
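A defender-side triage sketch for the VS Code tunnel technique summarized above, added here as an example and not taken from the cited research. It pairs tunnel-mode launches of the VS Code CLI with DNS lookups for the relay domains Microsoft documents for Remote Tunnels; the hostnames, telemetry rows and the approved-host allowlist are constructed assumptions.

```python
import re

# Relay domains Microsoft documents for VS Code Remote Tunnels / dev tunnels.
RELAY_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
# VS Code CLI image names (extension stripped) that can start a tunnel.
CLI_IMAGES = {"code", "code-insiders", "code-tunnel"}
# Splits a command line into the (optionally quoted) image path and its arguments.
CMD = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')

# Constructed sample telemetry: (host, event kind, value).
EVENTS = [
    ("dev-ws-01", "proc", r'"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe" tunnel --name build'),
    ("dev-ws-01", "dns", "global.rel.tunnels.api.visualstudio.com"),
    ("hr-lt-17", "proc", r"C:\Users\Public\code.exe tunnel --accept-server-license-terms"),
    ("hr-lt-17", "dns", "abc123-8080.euw.devtunnels.ms"),
    ("fin-pc-03", "proc", r"C:\Windows\System32\notepad.exe code tunnel notes.txt"),
    ("fin-pc-03", "dns", "www.example.com"),
    ("ops-srv-09", "dns", "global.rel.tunnels.api.visualstudio.com"),
]

def is_tunnel_launch(cmdline):
    """True when the launched image is the VS Code CLI and 'tunnel' is an argument."""
    m = CMD.match(cmdline)
    if not m:
        return False
    image = (m.group(1) or m.group(2)).replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return image in CLI_IMAGES and "tunnel" in m.group(3).lower().split()

def is_relay_domain(name):
    """True for a lookup under one of the tunnel relay domains (suffix match only)."""
    return name.lower().rstrip(".").endswith(RELAY_SUFFIXES)

def triage(events, approved_hosts):
    """Map each unapproved host to 'high' (launch and relay seen) or 'review' (one signal)."""
    seen = {}
    for host, kind, value in events:
        signals = seen.setdefault(host, set())
        if kind == "proc" and is_tunnel_launch(value):
            signals.add("launch")
        elif kind == "dns" and is_relay_domain(value):
            signals.add("relay")
    return {h: ("high" if s == {"launch", "relay"} else "review")
            for h, s in seen.items() if s and h not in approved_hosts}

if __name__ == "__main__":
    print(triage(EVENTS, approved_hosts={"dev-ws-01"}))
```

Because the relay traffic is TLS to legitimate Microsoft hosts, the useful signal is which endpoints talk to those domains at all, so the allowlist of hosts with a sanctioned need for tunnels does most of the work.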