Last updated: July 5, 2026 at 9:01 AM UTC
Tag: north-korea-apt (2 articles)

Kimsuky (Velvet Chollima) targets South Korean military and corporate orgs with HTTPSpy, HelloDoor, and VS Code Tunnels backdoor

ENKI has attributed fresh attacks on South Korean military and corporate entities through March-April 2026 to the North Korean state-sponsored Kimsuky group (also known as Velvet Chollima). The actor spoofs security-software installation pages (nProtect Online Security and AhnLab Safe Transaction) to deliver nos-setup.exe and astx-setup.exe, which launch a MemLoader.dll payload via regsvr32.exe and establish persistence through scheduled tasks. A separate April campaign used a fake Cisco Webex page that prompted victims to run a script "to fix camera access," delivering an encrypted ZIP archive. Kimsuky's expanded toolset now includes the HTTPSpy variant, the HelloDoor backdoor, and abuse of VS Code remote tunnels for C2.

Check
Hunt Windows endpoints for nos-setup.exe, astx-setup.exe, and MemLoader.dll loaded via regsvr32.exe. Audit scheduled tasks for unfamiliar persistence. Block VS Code Tunnels at egress where not needed.
Affected
South Korean military and corporate organizations - Kimsuky's primary targets. Messaging administrators were specifically singled out via spoofed B2B messaging-service installation pages.
Fix
Block known Kimsuky C2 and HTTPSpy IoCs published by ENKI. Restrict VS Code remote tunnels to allowlisted developer accounts. Train staff against fake security-software install prompts.

Lazarus RemotePE memory-only RAT targets DeFi and crypto firms - DPAPILoader + RemotePELoader chain, Hell's Gate, ETW patching

NCC Group's Fox-IT has documented RemotePE, a previously private cross-platform RAT used by the North Korea-linked Lazarus Group against DeFi, financial, and cryptocurrency organizations. The chain starts with social engineering on Telegram (impersonating a trading-firm employee with fake Calendly and Picktime meeting links), then drops DPAPILoader (Iassvc.dll), which uses Windows DPAPI to decrypt RemotePELoader. That loader fetches RemotePE entirely in memory from aes-secure[.]net, evading EDR via Hell's Gate and ETW patching. RemotePE itself is a C++ RAT supporting six command categories. Fox-IT believes the toolset is reserved for high-value, long-dwell access leading to large-scale financial theft. Activity dates from mid-2023.

Check
Hunt for Iassvc.dll on Windows endpoints (especially DeFi-adjacent developer machines). Search EDR for outbound traffic to aes-secure[.]net. Review Telegram and Calendly social-engineering reports from your finance and crypto teams.
Affected
Financial-services, DeFi, and crypto firms - Lazarus' primary targets. Initial access via Telegram impersonation of trading-firm employees and fake Calendly / Picktime meeting links.
Fix
Block aes-secure[.]net at egress. Train finance and developer teams against Telegram-initiated meeting requests with crypto/trading themes. Deploy EDR rules detecting Hell's Gate syscall patterns and ETW patching.