Last updated: July 5, 2026 at 9:01 AM UTC
Tag: south-korea (3 articles)

Kimsuky (Velvet Chollima) targets South Korean military and corporate orgs with HTTPSpy, HelloDoor, and VS Code Tunnels backdoor

ENKI has attributed fresh attacks on South Korean military and corporate entities through March-April 2026 to the North Korean state-sponsored Kimsuky group (also tracked as Velvet Chollima). The actor spoofs security-software installation pages (nProtect Online Security and AhnLab Safe Transaction) to deliver nos-setup.exe and astx-setup.exe, which launch a MemLoader.dll payload via regsvr32.exe and establish persistence through scheduled tasks. A separate April campaign used a fake Cisco Webex page that prompted victims to run a script 'to fix camera access,' delivering an encrypted ZIP archive. Kimsuky's expanded toolset now includes the HTTPSpy variant, the HelloDoor backdoor, and abuse of VS Code remote tunnels for C2.

Check
Hunt Windows endpoints for nos-setup.exe, astx-setup.exe, and MemLoader.dll loaded via regsvr32.exe. Audit scheduled tasks for unfamiliar persistence. Block VS Code Tunnels at egress where not needed.
Affected
South Korean military and corporate organizations - Kimsuky's primary targets. Messaging administrators were specifically singled out via spoofed B2B messaging-service installation pages.
Fix
Block known Kimsuky C2 and HTTPSpy IoCs published by ENKI. Restrict VS Code remote tunnels to allowlisted developer accounts. Train staff against fake security-software install prompts.

Iran-linked MuddyWater (Seedworm) spent a week inside a major South Korean electronics maker - DLL sideloading off Fortemedia audio and SentinelOne binaries, ChromElevator credential theft

Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.

Check
Hunt endpoints for fmapp.exe or sentinelmemoryscanner.exe loading non-standard DLLs, search proxy and DNS logs for connections to sendit[.]sh from non-IT users, and review Chrome profile access patterns from sideloaded DLL contexts.
Affected
High-tech manufacturing, electronics, industrial firms, financial services, and government agencies with intellectual-property or downstream-customer value to Iran. Operations in Asia and the Middle East are most exposed, but victims span four continents.
Fix
Add detection rules for fmapp.dll and sentinelagentcore.dll in unexpected paths, block sendit[.]sh outbound where it has no business need, watch for unusual Node.js process trees spawning cmd.exe, and review LSASS access events around the 90-second beaconing window.

Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check
Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on the disk, and alert on DNS resolutions to cosmosmusic[.]com or editor.gleeze[.]com across your network.
Affected
Indian banking, financial services, and corporate employees handling HDFC Bank relationships (target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organisation where users can still open CHM files by default - Windows does not block them.
Fix
Add a mail-transport-agent rule blocking .chm attachments outright. Block CHM execution on endpoints via AppLocker or WDAC application-control policies. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).
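The three Check sections above describe the same kind of endpoint hunt: a trusted binary loading a DLL it should not, a help-file viewer spawning a script interpreter, and workstations resolving the published domains. The following is an added example that turns those hunts into one script; it is not code from ENKI, Symantec, Acronis or this site. It assumes telemetry has already been normalized into Sysmon-style records (image load, process create, DNS query), and the list of trusted DLL roots and script interpreters is an assumption a real deployment would tune. It goes slightly beyond the text by flagging any DLL loaded by the abused host binaries from outside those roots, so a renamed side-load DLL is still caught.

```python
"""Endpoint hunt for the indicators listed in the three items above.

Added example, not code from any of the cited vendors. Events are constructed
Sysmon-style records (image load, process create, DNS query); the rule logic is
derived from the page's Check sections.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath

# Indicators from the page. The defanged "[.]" notation is re-armed for matching.
BAD_DLLS = {"memloader.dll", "fmapp.dll", "sentinelagentcore.dll", "dnx.onecore.dll"}
BAD_DOMAINS = {"cosmosmusic.com", "editor.gleeze.com", "sendit.sh"}
# Signed binaries the page says were abused as DLL side-loading hosts.
SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# Assumption: interpreters a CHM viewer has no business launching.
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: DLLs under these roots are expected; anything else is suspect.
TRUSTED_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


@dataclass
class Event:
    kind: str            # "image_load", "process_create" or "dns_query"
    image: str           # full path of the process image
    loaded: str = ""     # DLL path for image_load
    parent: str = ""     # parent image path for process_create
    query: str = ""      # name queried for dns_query


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _domain_hit(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)


def hunt(events):
    """Return (rule, detail) tuples for every event matching one of the hunts."""
    findings = []
    for e in events:
        img = _base(e.image)
        if e.kind == "image_load":
            dll = _base(e.loaded)
            dll_dir = ntpath.dirname(e.loaded).lower() + "\\"
            if dll in BAD_DLLS:  # MemLoader.dll, fmapp.dll, sentinelagentcore.dll, dnx.onecore.dll
                findings.append(("known_bad_dll", f"{img} loaded {e.loaded}"))
            if img in SIDELOAD_HOSTS and not dll_dir.startswith(TRUSTED_DLL_ROOTS):
                # Catches the side-load even when the rogue DLL has been renamed.
                findings.append(("sideload_suspect", f"{img} loaded {e.loaded}"))
        elif e.kind == "process_create":
            if _base(e.parent) == "hh.exe" and img in SCRIPT_INTERPRETERS:
                findings.append(("chm_spawns_interpreter", f"hh.exe -> {img}"))
        elif e.kind == "dns_query" and _domain_hit(e.query):
            findings.append(("ioc_domain", f"{img} resolved {e.query}"))
    return findings


# Constructed sample telemetry: five suspicious records (six findings) and two benign ones.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Windows\System32\regsvr32.exe",
          loaded=r"C:\Users\victim\AppData\Local\Temp\MemLoader.dll"),
    Event("image_load", r"C:\Users\victim\Downloads\fmapp.exe",
          loaded=r"C:\Users\victim\Downloads\fmapp.dll"),
    Event("image_load", r"C:\ProgramData\Scan\sentinelmemoryscanner.exe",
          loaded=r"C:\ProgramData\Scan\helper.dll"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\hh.exe"),
    Event("dns_query", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          query="editor.gleeze.com."),
    Event("image_load", r"C:\Windows\explorer.exe", loaded=r"C:\Windows\System32\shell32.dll"),
    Event("dns_query", r"C:\Windows\System32\svchost.exe", query="update.microsoft.com"),
]


def summarize(events):
    """Count findings per rule; a quick triage view over a batch of events."""
    return Counter(rule for rule, _ in hunt(events))


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24s} {detail}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

The `known_bad_dll` rule is exact-name matching and will age as the actors rename payloads; the `sideload_suspect` rule is the durable one, because it keys on the signed host binary and the location of whatever it loads rather than on a specific DLL name.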