Kimsuky (Velvet Chollima) targets South Korean military and corporate orgs with HTTPSpy, HelloDoor, and VS Code Tunnels backdoor
ENKI has attributed fresh attacks on South Korean military and corporate entities through March-April 2026 to the North Korean state-sponsored Kimsuky group (also tracked as Velvet Chollima). The actor spoofs security-software installation pages (nProtect Online Security and AhnLab Safe Transaction) to deliver nos-setup.exe and astx-setup.exe, which launch a MemLoader.dll payload via regsvr32.exe and establish persistence through scheduled tasks. A separate April campaign used a fake Cisco Webex page that prompted victims to run a script 'to fix camera access', delivering an encrypted ZIP archive. Kimsuky's expanded toolset now includes the HTTPSpy variant, the HelloDoor backdoor, and abuse of VS Code remote tunnels for C2.
- Check: Hunt Windows endpoints for nos-setup.exe, astx-setup.exe, and MemLoader.dll loaded via regsvr32.exe. Audit scheduled tasks for unfamiliar persistence. Block VS Code Tunnels at egress where not needed.
- Affected: South Korean military and corporate organizations, Kimsuky's primary targets. Messaging administrators were specifically singled out via spoofed B2B messaging-service installation pages.
- Fix: Block known Kimsuky C2 and HTTPSpy IoCs published by ENKI. Restrict VS Code remote tunnels to allowlisted developer accounts. Train staff against fake security-software install prompts.