Kimsuky (Velvet Chollima) PebbleDash Cluster — HelloDoor, httpMalice, httpTroy/MemLoad & VS Code Remote Tunnel Abuse Against South Korea — Threadlinqs Intelligence
Threat ID: TL-2026-0626 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Kimsuky (Velvet Chollima) · North Korea · ESPIONAGE
North Korea-linked Kimsuky (Velvet Chollima / APT43) expanded its PebbleDash-based toolset against South Korean government, defense, and medical targets, fielding the Rust HelloDoor backdoor, the
Kaspersky's Securelist (Sojun Ryu, 14 May 2026) disclosed an expanded cluster of PebbleDash-based tooling that overlaps in targeting, infrastructure, and stolen code-signing certificates with the long-running AppleSeed cluster, leading analysts to assess with medium-to-high confidence that a single Kimsuky-affiliated actor controls both. Kimsuky (also tracked as APT43, Velvet Chollima, Ruby Sleet, Black Banshee, Sparkling Pisces, Springtail, and Cerium) is a North Korean state-sponsored espionage group; this activity targets South Korean government, defense, military, medical, machinery, and energy organizations, with secondary defense-sector victims observed in Brazil and Germany. A notable hallmark across several samples is the presence of code comments that appear to have been generated by a large language model, indicating LLM-assisted malware development.
The PebbleDash cluster comprises three primary implants. HelloDoor is a Rust-based DLL backdoor first observed in August 2025 that communicates over HTTP through TryCloudflare quick tunnels (e.g. female-disorder-beta-metropolitan.trycloudflare.com), encrypts traffic with the RC4 key "fwr3errsettwererfs", persists via HKCU Run values named "tdll" and "install", and executes commands through "chcp 65001 > nul & cmd /U /C".

httpMalice, the newest PebbleDash backdoor (December 2025 onward), ships in an HTTP variant (v1.9) and a Dropbox-API variant (v1.8), encrypts with ChaCha20 using pointer-derived randomized keys with an appended nonce, persists as the Windows service "CacheDB" (display name "Administrator") and as HKCU Run values masquerading as "Everything 1.9a-[filesize]", and runs commands via "cmd.exe /c chcp 949". Its HTTP C2 hides inside compromised South Korean sites such as www.pyrotech.co.kr and newjo-imd.com.

httpTroy is the primary long-term backdoor for access and exfiltration. It is delivered by the MemLoad reflective loader (V2/V3), which generates a system ID, drops flag files under C:\ProgramData, establishes scheduled-task persistence ("ChromeCheck" when running elevated, "EdgeCheck" when not, each invoking regsvr32 every minute), and stores its payload in an NTFS Alternate Data Stream ([path]:HUI). MemLoad decrypts that payload with the RC4 key "#RsfsetraW#@EsfesgsgAJOPj4eml;".
The parallel AppleSeed cluster remains active. AppleSeed (v2.1, descended from the 2019 v3.0) ships Dropper and Spy variants that collect documents, screenshots, keystrokes, and USB device lists, and, critically, exfiltrate the C:\GPKI directory containing South Korean government digital certificates (GPKI), enabling impersonation of government identities. HappyDoor is an AppleSeed-derived backdoor sharing its string-obfuscation algorithm, data-collection routines, and RSA encryption.

Both clusters share a multi-stage dropper chain: JScript (.JSE) droppers, the Reger dropper (.SCR, e.g. security_20260126.scr) using XOR/RC4 with the key "#RsfsetraW#@EsfesgsgAJOPj4eml;" (the same key MemLoad uses), and the Pidoc dropper (.PIF) using single-byte XOR (0xFF). Droppers execute follow-on payloads via regsvr32.exe /s and rundll32.exe.
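The decoder below is an added example (not code from Threadlinqs, Kaspersky, or the actor) for the keys quoted in the two paragraphs above: it tries each documented scheme against a captured blob and reports the first one whose output looks like a real stage (a PE with a valid e_lfanew, or mostly printable text such as a JScript stage or tasking). It assumes textbook RC4 keyed with the ASCII bytes of the quoted keys and a plain per-byte XOR 0xFF for Pidoc; the write-up does not say whether the actor modifies RC4 or wraps HelloDoor traffic in extra framing, so treat a miss as "not this variant as documented" rather than "wrong key". The sample blobs are constructed inside the block and are not real samples.

```python
"""Try the encryption schemes documented for the PebbleDash/AppleSeed dropper
chain against a captured blob. Added example, not Threadlinqs or Kaspersky code.
Assumptions (not stated in the write-up): plain RC4 (KSA + PRGA) keyed with the
ASCII bytes of the quoted key, and a plain per-byte XOR 0xFF for Pidoc. The
sample blobs are constructed below and are not real malware samples."""
from __future__ import annotations

from typing import Optional

# RC4 keys quoted in the write-up, used as raw ASCII bytes (assumption).
RC4_KEYS = {
    "HelloDoor C2": b"fwr3errsettwererfs",
    "MemLoad/Reger": b"#RsfsetraW#@EsfesgsgAJOPj4eml;",
}
PIDOC_XOR_BYTE = 0xFF  # single-byte XOR used by the .PIF Pidoc dropper


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single(data: bytes, k: int = PIDOC_XOR_BYTE) -> bytes:
    """Per-byte XOR with a fixed key byte (also symmetric)."""
    return bytes(b ^ k for b in data)


def looks_like_payload(data: bytes) -> bool:
    """Plausibility check for a decrypted stage: a PE whose e_lfanew points at
    'PE\\0\\0', or mostly printable text (tasking, a JScript stage)."""
    if len(data) >= 0x44 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return printable / len(data) > 0.95


def try_decode(blob: bytes) -> Optional[tuple[str, bytes]]:
    """Return (scheme, plaintext) for the first documented scheme whose output
    passes looks_like_payload, or None if none does."""
    candidates = [(f"RC4[{name}]", rc4(key, blob)) for name, key in RC4_KEYS.items()]
    candidates.append(("XOR[0xFF]", xor_single(blob)))
    for scheme, plain in candidates:
        if looks_like_payload(plain):
            return scheme, plain
    return None


# --- constructed test blobs (hypothetical, not real samples) ---
# Minimal PE-shaped header: 'MZ', e_lfanew = 0x40, then 'PE\0\0'.
FAKE_PE = b"MZ" + b"\x90" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 28
MEMLOAD_BLOB = rc4(RC4_KEYS["MemLoad/Reger"], FAKE_PE)  # MemLoad-style encrypted stage
FAKE_JSE = b'var s = new ActiveXObject("WScript.Shell"); s.Run("regsvr32.exe /s x.dll");\r\n'
PIDOC_BLOB = xor_single(FAKE_JSE)  # Pidoc-style XOR 0xFF stage

if __name__ == "__main__":
    for label, blob in (("memload", MEMLOAD_BLOB), ("pidoc", PIDOC_BLOB), ("noise", b"\0" * 64)):
        hit = try_decode(blob)
        print(label, hit[0] if hit else "no documented scheme matched")
```

Because RC4 is a stream cipher, a wrong key yields uniformly random-looking bytes, which is why a structural check such as the e_lfanew lookup is a safer oracle than searching for a few printable strings; the printable-ratio fallback is deliberately strict (95%) so that random output with a wrong key does not pass.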
For hands-on-keyboard access the operators lean heavily on legitimate remote-access software. They install the Microsoft VS Code CLI (v1.106.2, fetched from the official Microsoft download CDN) via a Go-based installer ("vscode_payload", e.g. xipbkmaw.exe), run "code tunnel" with the tunnel name "bizeugene", authenticate to GitHub through the device-code flow, capture the resulting login URL and device code to out.txt, and reach victims through https://vscode.dev/tunnel, blending C2 into trusted Microsoft and GitHub infrastructure. The installer reports tunnel URLs and heartbeats ("+++ I am started +++", "~~~ I am alive ~~~") to a Slack webhook and exfiltrates the tunnel link through a compromised site (www.yespp.co.kr). They also deploy the DWAgent RAT (relays node896147/node828765/node484265.dwservice.net, API key "kDRNGmWGTMpjQmREgQzU", installed from C:\programdata\dwagent\native\ via dwagsvc.exe installService/startService) and use Cloudf
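The host artifacts described above and in the implant section (the "tdll"/"install" and "Everything 1.9a-" Run values, the CacheDB service, the ChromeCheck/EdgeCheck tasks driving regsvr32, the :HUI alternate data stream, the two chcp command wrappers, TryCloudflare lookups, the VS Code CLI tunnel, and the DWAgent service install) are what endpoint rules for this cluster key on. The matcher below is an added example, not one of the Threadlinqs rules: a Sigma-style rule set run over constructed Sysmon-shaped events (EventID 1/13/15/22 with Sysmon field names, plus a System 7045-style service install carrying a ServiceName field). The file name under C:\ProgramData, the SID, the Everything file size, and the "--name" flag in the sample events are assumptions; the page only gives the task names, the stream name, the value-name pattern and the tunnel name.

```python
"""Sigma-style matcher for PebbleDash/VS Code tunnel/DWAgent host artifacts.
Added example, not a Threadlinqs rule. Events are constructed, Sysmon-shaped
dicts (EventID 1 process create, 13 registry value set, 15 file stream created,
22 DNS query) plus a System 7045-style service install with ServiceName."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    event_id: int
    field: str
    pattern: re.Pattern


RULES = [
    # HelloDoor: command wrapper, HKCU Run values, TryCloudflare quick-tunnel C2
    Rule("hellodoor_cmd_wrapper", 1, "CommandLine", re.compile(r"chcp 65001 > nul & cmd /U /C", re.I)),
    Rule("hellodoor_run_value", 13, "TargetObject", re.compile(r"\\CurrentVersion\\Run\\(tdll|install)$", re.I)),
    Rule("trycloudflare_dns", 22, "QueryName", re.compile(r"\.trycloudflare\.com$", re.I)),
    # httpMalice: command wrapper, "CacheDB" service, "Everything 1.9a-<size>" Run value
    Rule("httpmalice_cmd_wrapper", 1, "CommandLine", re.compile(r"cmd\.exe /c chcp 949", re.I)),
    Rule("httpmalice_service", 7045, "ServiceName", re.compile(r"^CacheDB$", re.I)),
    Rule("httpmalice_run_value", 13, "TargetObject", re.compile(r"\\CurrentVersion\\Run\\Everything 1\.9a-\d+$", re.I)),
    # MemLoad: ChromeCheck/EdgeCheck tasks, regsvr32 /s loading an ADS named HUI, the ADS write itself
    Rule("memload_task_name", 1, "CommandLine", re.compile(r"schtasks.*(/tn|/create).*\b(ChromeCheck|EdgeCheck)\b", re.I)),
    Rule("memload_regsvr32_ads", 1, "CommandLine", re.compile(r"regsvr32(\.exe)?\s+/s\s+\S+:HUI\b", re.I)),
    Rule("memload_ads_write", 15, "TargetFilename", re.compile(r":HUI$", re.I)),
    # Remote access: VS Code CLI "code tunnel", DWAgent service install, dwservice.net relays
    Rule("vscode_tunnel", 1, "CommandLine", re.compile(r"(^|[\\\s])code(\.exe)?\s+tunnel\b", re.I)),
    Rule("dwagent_service_install", 1, "CommandLine", re.compile(r"dwagsvc\.exe\s+(installService|startService)", re.I)),
    Rule("dwservice_dns", 22, "QueryName", re.compile(r"\.dwservice\.net$", re.I)),
]


def match_events(events):
    """Return (event_index, rule_name) for every rule whose event ID and field
    pattern match; an event can hit several rules."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            value = ev.get(rule.field)
            if ev.get("EventID") == rule.event_id and value and rule.pattern.search(value):
                hits.append((idx, rule.name))
    return hits


# --- constructed telemetry (hypothetical paths, SID and sizes; not real logs) ---
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'chcp 65001 > nul & cmd /U /C "whoami /all"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\tdll"},
    {"EventID": 22, "QueryName": "female-disorder-beta-metropolitan.trycloudflare.com"},
    {"EventID": 7045, "ServiceName": "CacheDB", "DisplayName": "Administrator"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn ChromeCheck /tr "regsvr32 /s C:\ProgramData\update.dat:HUI"'},
    {"EventID": 15, "TargetFilename": r"C:\ProgramData\update.dat:HUI"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\code.exe",
     "CommandLine": r"code.exe tunnel --name bizeugene"},
    {"EventID": 1, "Image": r"C:\programdata\dwagent\native\dwagsvc.exe",
     "CommandLine": r"C:\programdata\dwagent\native\dwagsvc.exe installService"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Everything 1.9a-215040"},
    # Benign control: an ordinary COM registration from Program Files must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for idx, name in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The regsvr32 rule deliberately requires the ":HUI" stream suffix rather than firing on every regsvr32 /s, which is why the benign control event produces no hit; the task-name and ADS-write rules give two further, independent chances to catch MemLoad if the actor renames the stream.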
Target sectors: government, defense, military, medical, machinery, energy
Target regions: South Korea, Brazil, Germany
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 63 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
MALWARE, HIGH, threat intelligence, cybersecurity, T1566.001, T1059.003, T1059.007, T1053.005, T1547.001, T1543.003, T1218.010, T1218.011, T1620