{ "type": "MD5", "indicator": "a87cd5fd8fe223816005e81e0da70b21", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "a87cd5fd8fe223816005e81e0da70b21", "validation": [], "base_indicator": { "id": 4383617971, "indicator": "a87cd5fd8fe223816005e81e0da70b21", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6a19766cc7caf96e27eae35e", "name": "Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant", "description": "Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threat actor introduced a novel JSONPing technique allowing distribution pages to verify in real time whether victims executed the payload via JSONP queries to localhost servers. Analysis revealed a new HttpSpy variant with a three-stage execution chain replacing the previous single-binary architecture, utilizing RC4 encryption and shared infrastructure indicators. Attribution was confirmed through code pattern overlaps, reused encryption keys, XAMPP certificate fingerprints, and preferred ASN usage consistent with historical Kimsuky operations targeting South Korea.", "modified": "2026-05-29T12:34:19.341000", "created": "2026-05-29T11:20:12.463000", "tags": [ "spear phishing", "httpspy", "webex spoofing", "loaddll.dll", "south korea targeting", "memloader", "jsonping", "calc.exe", "social engineering", "kimsuky", "spyloader.dll", "rat", "spyinster.dll" ], "references": [ "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HttpSpy", "display_name": "HttpSpy", "target": null }, { "id": "MemLoader", "display_name": "MemLoader", "target": null }, { "id": "calc.exe", "display_name": "calc.exe", "target": null }, { "id": "spyInster.dll", "display_name": "spyInster.dll", "target": null }, { "id": "spyLoader.dll", "display_name": "spyLoader.dll", "target": null }, { "id": "loadDll.dll", "display_name": "loadDll.dll", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 2, "URL": 23, "hostname": 10 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [ "Spyloader.dll", "Httpspy", "Calc.exe", "Spyinster.dll", "Memloader", "Loaddll.dll" ], "industries": [ "Finance", "Defense" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a19766cc7caf96e27eae35e", "name": "Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant", "description": "Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threat actor introduced a novel JSONPing technique allowing distribution pages to verify in real time whether victims executed the payload via JSONP queries to localhost servers. Analysis revealed a new HttpSpy variant with a three-stage execution chain replacing the previous single-binary architecture, utilizing RC4 encryption and shared infrastructure indicators. Attribution was confirmed through code pattern overlaps, reused encryption keys, XAMPP certificate fingerprints, and preferred ASN usage consistent with historical Kimsuky operations targeting South Korea.", "modified": "2026-05-29T12:34:19.341000", "created": "2026-05-29T11:20:12.463000", "tags": [ "spear phishing", "httpspy", "webex spoofing", "loaddll.dll", "south korea targeting", "memloader", "jsonping", "calc.exe", "social engineering", "kimsuky", "spyloader.dll", "rat", "spyinster.dll" ], "references": [ "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HttpSpy", "display_name": "HttpSpy", "target": null }, { "id": "MemLoader", "display_name": "MemLoader", "target": null }, { "id": "calc.exe", "display_name": "calc.exe", "target": null }, { "id": "spyInster.dll", "display_name": "spyInster.dll", "target": null }, { "id": "spyLoader.dll", "display_name": "spyLoader.dll", "target": null }, { "id": "loadDll.dll", "display_name": "loadDll.dll", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 2, "URL": 23, "hostname": 10 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a87cd5fd8fe223816005e81e0da70b21", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "a87cd5fd8fe223816005e81e0da70b21", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780169907.853176 }