← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
WHITE Kimsuky AlienVault 2026-05-29 Modified: 2026-05-29
58
IOCs
HIGH VOLUME
Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threat actor introduced a novel JSONPing technique allowing distribution pages to verify in real time whether victims executed the payload via JSONP queries to localhost servers. Analysis revealed a new HttpSpy variant with a three-stage execution chain replacing the previous single-binary architecture, utilizing RC4 encryption and shared infrastructure indicators. Attribution was confirmed through code pattern overlaps, reused encryption keys, XAMPP certificate fingerprints, and preferred ASN usage consistent with historical Kimsuky operations targeting South Korea.
spear phishinghttpspywebex spoofingloaddll.dllsouth korea targetingmemloaderjsonpingcalc.exesocial engineeringkimsukyspyloader.dllratspyinster.dll
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
HttpSpy MemLoader calc.exe spyInster.dll spyLoader.dll loadDll.dll
Indicators of Compromise (23 / 58 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL hostname
TYPEINDICATORDESCRIPTIONCREATED
URL http://appview.imagetemplate.com/gateless_icon 2026-05-29
URL http://bigfile.jaycloudlab.com/download.php?id=745896 2026-05-29
URL http://download.birdriver.org/download.php?id=393156 2026-05-29
URL http://hdrgdrfes.chickenkiller.com/index.php 2026-05-29
URL http://load.erasecloud.n-e.kr/login.php 2026-05-29
URL http://load.serverpit.com/fwrite.php 2026-05-29
URL http://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless 2026-05-29
URL http://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=gateless 2026-05-29
URL http://www.ibizplus.n-e.kr/download.php?id=30382119 2026-05-29
URL http://www.ibizplus.n-e.kr/download.php?id=30382120 2026-05-29
URL http://www.ibizplus.n-e.kr/download.php?id=30382121 2026-05-29
URL https://appview.imagetemplate.com/babymetalsave_icon 2026-05-29
URL https://appview.imagetemplate.com/gateless_icon 2026-05-29
URL https://bigfile.crabdance.com/recaptcha.html 2026-05-29
URL https://conference.birdriver.org/ 2026-05-29
URL https://download.birdriver.org/download.php?id=393156 2026-05-29
URL https://download.birdriver.org/download.php?id=425623 2026-05-29
URL https://load.erasecloud.n-e.kr/login.php 2026-05-29
URL https://load.serverpit.com/fwrite.php 2026-05-29
URL https://pipeline.embeddedonline.org/check.php?x-csrf-token=babymetalsave 2026-05-29
URL https://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless 2026-05-29
URL https://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=babymetalsave 2026-05-29
URL https://www.ibizplus.n-e.kr/install.html 2026-05-29
References (1)
↗ https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant