← Back to Pulse Feed
PULSE DETAIL
Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
HelloDoor
httpMalice
MemLoad
httpTroy
AppleSeed - S0622
HappyDoor
BabyShark - S0414
RandomQuery
xRAT
XenoRAT
TutRAT
httpSpy
Troll Stealer
ValleyRAT
CoolClient
ZiChatBot
Indicators of Compromise (19 / 50 total)