PebbleDash-based Malware Targets Organizations
2026-05-14 11:00 | Severity: CRITICAL | Confidence: HIGH
Executive Summary (AI-generated)
Kimsuky's AppleSeed and PebbleDash malware clusters have been targeting various sectors in South Korea, including public and private entities, with a focus on government organizations. The groups' interest extends to defense, military, medical, and energy industries worldwide. These attacks often disguise themselves as legitimate sites or products, using digital certificates for authenticity. The threat actors continue to evolve their tactics, making analysis of malware clusters like AppleSeed and PebbleDash crucial in grasping the evolving nature of cyber threats.
Technical Mitigations (AI-generated)
• Allow Visual Studio Code Remote Tunneling only through legitimate, approved authentication methods, such as GitHub authentication, and treat tunnels started by script droppers as suspicious.
• Monitor for unauthorized DWAgent installations; the remote monitoring and management tool is abused for post-exploitation access.
• Block or inspect droppers delivered in a variety of formats, including JSE, PIF, SCR, and EXE, as used by the PebbleDash cluster.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Kimsuky, Lazarus Group; BabyShark, Troll Stealer, AppleSeed
Target & Sectors: DACH; defense, government, energy
Incident Timeline
at least 2019
Threat actors used custom-made PebbleDash-based tools to target organizations since at least 2019 by masquerading as legitimate documents and application installers.
2025/05/14
Threat actors used the JSE dropper to launch Visual Studio Code on the victim device.
Entities: Kimsuky (threat actor); Visual Studio Code (infrastructure); Darktrace (organisation)
VSCode (launched by the JSE dropper)
Since last year, Kimsuky has been leveraging the legitimate Visual Studio Code Remote Tunneling feature to establish covert remote access to the victim’s device, bypassing detection designed for traditional malware-based C2 channels (first described by Darktrace researchers).
early 2025
Threat actors used the httpMalice backdoor, a PebbleDash-based tool, against organizations.
The commands supported by httpMalice are as follows:
Command   Description
0         Do nothing
1         Execute the command with EUC-KR encoding
2         Download and extract the file to the infected device
3         Upload a directory to the C2 server after it has been archived
5         Get the current directory
6         Set the current directory
7         Execute the command without setting an EUC-KR character set
8         Remove its persistence traces and exit the process
9         Hibernate
10        Execute the command using the provided session ID
12        Capture the screen
13        Load the downloaded payload into memory
MemLoad downloads httpTroy
Since early 2025, we have observed several versions of MemLoad; specifically, MemLoad V2 emerged in March, and V3 appeared by September.
August 28, 2025
Kimsuky threat actors used a PebbleDash-based tool against organizations; the dropper detected on this date deployed HelloDoor.
Observables: hwpx.jse, hwp.jse; MD5 995a0a49ae4b244928b3f67e2bfd7a6e, 52f1ff082e981cbdfd1f045c6021c63f; tactic T1588.001 - Malware
Droppers observed (file name, detection date, MD5, malware deployed):
1. [별지 제8호서식] 개인정보(열람 정정삭제 처리정지) 요구서(개인정보 보호법 시행규칙).hwp.jse
   (Appendix Form No. 8 – Request for Access, Correction, Deletion, and Suspension of Processing of Personal Information (PIPA Enforcement Rules).hwp.jse)
   Detection date: August 28, 2025; MD5: 995a0a49ae4b244928b3f67e2bfd7a6e; Malware deployed: HelloDoor
2. 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse
   (Documents for the Selection of Commissioned Students for Domestic Graduate School Master’s Evening Programs (H1 2026).hwpx.jse)
   Detection date: December 14, 2025; MD5: 52f1ff082e981cbdfd1f045c6021c63f; Malware deployed: httpMalice
3. security_20260126.scr
   Detection date: January 26, 2026
August 2025
Kimsuky used the "msleep" command to sleep for a specified time.
Entities: Kimsuky (threat actor); Windows (infrastructure); TryCloudflare, Cloudflare (organisations)
HelloDoor: first Rust-based PebbleDash variant
Written in Rust, a programming language rarely used by Kimsuky, HelloDoor is a DLL-based backdoor first identified in August 2025.
HelloDoor establishes persistence upon execution by registering itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key with the value name tdll and the command regsvr32.exe /s.
Before initiating communication, it generates a unique identifier by collecting device information, such as the MAC address, computer name, and the string “windows”, then computes a hash value from this information.
Possible commands are:
Command     Description
“mcd”       Set the current directory
“msleep”    Sleep for the provided time
“install”   Register the regsvr32.exe /s [the provided file path] command to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run autorun registry using the install value name
[command]   Execute the provided command using chcp 65001 > nul & cmd /U /C
Nevertheless, it is noteworthy that HelloDoor employs a C2 server hosted through TryCloudflare, a temporary tunneling service provided by Cloudflare.
This is a common trait of LLM services that provide users with better visibility.
December 14, 2025
Threat actors used a PebbleDash-based tool to target organizations with the HelloDoor malware.
no later than December 2025
The JSE Dropper, a known PebbleDash-based backdoor, was used to target organizations no later than December 2025.
December 2025
The incident involves the use of a Reger Dropper and HappyDoor malware by Kimsuky to target organizations with PebbleDash-based tools.
Entity: Kimsuky (threat actor)
DWAgent configuration fragment:
    [
      {
        "id": "ND896147",
        "port": "443",
        "server": "node896147.dwservice[.]net"
      },
      {
        "id": "ND828765",
        "port": "443",
        "server": "node828765.dwservice[.]net"
      },
      {
        "id": "ND484265",
        "port": "443",
        "server": "node484265.dwservice[.]net"
      }
    ],
    "password": "eJwrynEqD0r294twTXLKCHWqDPLPCql0Kg/JDqpIdk4HAKYMCso=",
    "url_primary": "hxxps://www.dwservice[.]net/"
    }
Infrastructure
For years, Kimsuky has relied heavily on the South Korea-based free domain hosting service 내도메인[.]한국 (pronounced “naedomain[.]hankook”) to mimic legitimate sites with domains like .p-e.kr, .o-r.kr, .n-e.kr, .r-e.kr, and .kro.kr.
Since its emergence, AppleSeed has been linked to Kimsuky operations, with each variant showing ties to the group.
Kimsuky leverages MemLoad to evade detection of its final backdoor and to carefully assess the value of targeted systems through anti-VM checks and reconnaissance.
Kimsuky is one of the threat actors that uses this tool in its operations.
It has also been noted that many other malicious actors have exploited this free domain hosting service, so it alone cannot be considered proof of a connection to Kimsuky.
Since 2021, PebbleDash has been found exclusively in Kimsuky attacks.
Based on our analysis of targets, infrastructure, and malware characteristics, we assess with medium-high confidence that attacks associated with these malware families are conducted by Kimsuky-affiliated clusters.
These two clusters share technical links to the threat actor known as Ruby Sleet, one of the names Microsoft uses for Kimsuky activity.
In previous reports, Mandiant also referred to these clusters as Cerium, but now they appear to consider them part of the broader APT43 designation – another name for Kimsuky.
GPKI (organisation)
The AppleSeed cluster is shifting its focus to data exfiltration, and GPKI certificate extraction has become a signature capability.
Windows (infrastructure)
Gathering system details using PowerShell and Windows commands similar to those found in AppleSeed and Troll Stealer.
Unlike its predecessor, the HTTP variant employs HTTP/HTTPS protocols to interact with its C2 server and maintains persistent access to the victim device through a Windows service named CacheDB.
If the token is not elevated, the backdoor registers the same command under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name Everything 1.9a-[filesize].
The latest version can execute a combination of Windows commands by default to perform host profiling, while the older version fetches the command set from Dropbox.
[Figure: Windows commands used to gather system details]
httpMalice transmits the result of host profiling to its C2 server as a URL parameter, using the POST method over the HTTP/HTTPS protocol, with the header x-www-form-urlencoded.
The choice of symbol is determined by attempting to create a random file in the C:\Windows\system32 directory.
AppleSeed 3.0 (infrastructure)
AppleSeed first appeared in 2019 and reached version 3.0.
organisation
a7f0a18ac87e982d6f32f7a715e12532
시행규칙).hwp.jse
52f1ff082e981cbdfd1f045c6021c63f
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse
9fe43e08c8f446554340f972dac8a68c
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse
8e15c4d4f71bdd9dbc48cd2cabc87806
노현정님.pdf.jse
Reger Dropper
65fc9f06de5603e2c1af9b4f288bb22c
security_20260126.scr
c19aeaedbbfc4e029f7e9bdface495b9
secu.scr
Pidoc Dropper
8983ffa6da23e0b99ccc58c17b9788c7
대국민서비스관리운영체계_현장점검_증적(초안).pif
AppleSeed (Dropper)
a7f0a18ac87e982d6f32f7a715e12532
f4465403f9693939fe9c439f0ab33610
5c373c2116ab4a615e622f577e22e9be
HappyDoor
d1ec20144c83bba921243e72c517da5e
MemLoad
58ac2f65e335922be3f60e57099dc8a3
f73ba062116ea9f37d072aa41c7f5108
jhsakqvv.dat
httpTroy
7e0825019d0de0c1c4a1673f94043ddb
c:\programdata\config.db
httpMalice
08160acf08fccecde7b34090db18b321
94faed9af49c98a89c8acc55e97276c9
HelloDoor
c42ae004badddd3017adadbdd1421e00
VSCode Tunnel installer
9ca5f93a732f404bbb2cee848f5bbda0
xipbkmaw.exe
DWAgent installer
678fb1a87af525c33ba2492552d5c0e2
Domains and IPs
opedromos1.r-e[.]kr
C2 of AppleSeed
morames.r-e[.]kr
C2 of AppleSeed
load.ssangyongcne.o-r[.]kr
C2 of MemLoad
load.yju.o-r[.]kr
C2 of MemLoad
attach.docucloud.o-r[.]kr
C2 of MemLoad
load.supershop.o-r[.]kr
C2 of MemLoad
load.erasecloud.n-e[.]kr
C2 of MemLoad
cms.spaceyou.o-r[.]kr
C2 of HappyDoor
erp.spaceme.p-e[.]kr
C2 of HappyDoor
file.bigcloud.n-e[.]kr
C2 of httpTroy
load.auraria[.]org
C2 of httpTroy
female-disorder-beta-metropolitan.trycloudflare[.]com
C2 of HelloDoor
hxxps://www.pyrotech.co[.]kr/common/include/tech/default.php
C2 of httpMalice
hxxp://newjo-imd[.]com/common/include/library/default.php
C2 of httpMalice
hxxps://www.yespp.co[.]kr/common/include/code/out.php
VSCode Tunneling using JScript
organisation
f4465403f9693939fe9c439f0ab33610
시행규칙).hwp.jse
52f1ff082e981cbdfd1f045c6021c63f
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse
9fe43e08c8f446554340f972dac8a68c
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse
8e15c4d4f71bdd9dbc48cd2cabc87806
노현정님.pdf.jse
Reger Dropper
65fc9f06de5603e2c1af9b4f288bb22c
security_20260126.scr
c19aeaedbbfc4e029f7e9bdface495b9
secu.scr
Pidoc Dropper
8983ffa6da23e0b99ccc58c17b9788c7
대국민서비스관리운영체계_현장점검_증적(초안).pif
AppleSeed (Dropper)
a7f0a18ac87e982d6f32f7a715e12532
f4465403f9693939fe9c439f0ab33610
5c373c2116ab4a615e622f577e22e9be
HappyDoor
d1ec20144c83bba921243e72c517da5e
MemLoad
58ac2f65e335922be3f60e57099dc8a3
f73ba062116ea9f37d072aa41c7f5108
jhsakqvv.dat
httpTroy
7e0825019d0de0c1c4a1673f94043ddb
c:\programdata\config.db
httpMalice
08160acf08fccecde7b34090db18b321
94faed9af49c98a89c8acc55e97276c9
HelloDoor
c42ae004badddd3017adadbdd1421e00
VSCode Tunnel installer
9ca5f93a732f404bbb2cee848f5bbda0
xipbkmaw.exe
DWAgent installer
678fb1a87af525c33ba2492552d5c0e2
Domains and IPs
opedromos1.r-e[.]kr
C2 of AppleSeed
morames.r-e[.]kr
C2 of AppleSeed
load.ssangyongcne.o-r[.]kr
C2 of MemLoad
load.yju.o-r[.]kr
C2 of MemLoad
attach.docucloud.o-r[.]kr
C2 of MemLoad
load.supershop.o-r[.]kr
C2 of MemLoad
load.erasecloud.n-e[.]kr
C2 of MemLoad
cms.spaceyou.o-r[.]kr
C2 of HappyDoor
erp.spaceme.p-e[.]kr
C2 of HappyDoor
file.bigcloud.n-e[.]kr
C2 of httpTroy
load.auraria[.]org
C2 of httpTroy
female-disorder-beta-metropolitan.trycloudflare[.]com
C2 of HelloDoor
hxxps://www.pyrotech.co[.]kr/common/include/tech/default.php
C2 of httpMalice
hxxp://newjo-imd[.]com/common/include/library/default.php
C2 of httpMalice
hxxps://www.yespp.co[.]kr/common/include/code/out.php
VSCode Tunneling using JScript
organisation
서류.hwpx.jse
시행규칙).hwp.jse
52f1ff082e981cbdfd1f045c6021c63f
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse
9fe43e08c8f446554340f972dac8a68c
2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse
8e15c4d4f71bdd9dbc48cd2cabc87806
노현정님.pdf.jse
Reger Dropper
65fc9f06de5603e2c1af9b4f288bb22c
security_20260126.scr
c19aeaedbbfc4e029f7e9bdface495b9
secu.scr
Pidoc Dropper
8983ffa6da23e0b99ccc58c17b9788c7
대국민서비스관리운영체계_현장점검_증적(초안).pif
AppleSeed (Dropper)
a7f0a18ac87e982d6f32f7a715e12532
f4465403f9693939fe9c439f0ab33610
5c373c2116ab4a615e622f577e22e9be
HappyDoor
d1ec20144c83bba921243e72c517da5e
MemLoad
58ac2f65e335922be3f60e57099dc8a3
f73ba062116ea9f37d072aa41c7f5108
jhsakqvv.dat
httpTroy
7e0825019d0de0c1c4a1673f94043ddb
c:\programdata\config.db
httpMalice
08160acf08fccecde7b34090db18b321
94faed9af49c98a89c8acc55e97276c9
HelloDoor
c42ae004badddd3017adadbdd1421e00
VSCode Tunnel installer
9ca5f93a732f404bbb2cee848f5bbda0
xipbkmaw.exe
DWAgent installer
678fb1a87af525c33ba2492552d5c0e2
Domains and IPs
opedromos1.r-e[.]kr
C2 of AppleSeed
morames.r-e[.]kr
C2 of AppleSeed
load.ssangyongcne.o-r[.]kr
C2 of MemLoad
load.yju.o-r[.]kr
C2 of MemLoad
attach.docucloud.o-r[.]kr
C2 of MemLoad
load.supershop.o-r[.]kr
C2 of MemLoad
load.erasecloud.n-e[.]kr
C2 of MemLoad
cms.spaceyou.o-r[.]kr
C2 of HappyDoor
erp.spaceme.p-e[.]kr
C2 of HappyDoor
file.bigcloud.n-e[.]kr
C2 of httpTroy
load.auraria[.]org
C2 of httpTroy
female-disorder-beta-metropolitan.trycloudflare[.]com
C2 of HelloDoor
hxxps://www.pyrotech.co[.]kr/common/include/tech/default.php
C2 of httpMalice
hxxp://newjo-imd[.]com/common/include/library/default.php
C2 of httpMalice
hxxps://www.yespp.co[.]kr/common/include/code/out.php
VSCode Tunneling using JScript
HappyDoor
HappyDoor, an AppleSeed-based backdoor malware disclosed by AhnLab in 2024, is less visible than AppleSeed.
HappyDoor shares several features with AppleSeed, including the same string obfuscation algorithm, the data types it collects, and the use of RSA encryption.
This service has been utilized to create C2 servers for PebbleDash and AppleSeed clusters, and the background infrastructures have been mostly resolved to the virtual private servers belonging to InterServer.
In these attacks, instead of dropping malware, the JSE dropper downloads a legitimate Visual Studio Code (VSCode) CLI onto the infected device.
Value of elevation status and its description:
0: Running under the SYSTEM account with an elevated token
1: Running under an elevated administrator account
2: Running without elevation
Depending on the token privilege, the backdoor then establishes persistence by either creating a service or registering itself to autostart at user logon.
The operation mode, or parameter m, supports the following values:
1: Send the session identifier (parameter s) along with the current state (parameter a)
2: Request command
3: Send the result after executing the command (parameter d)
8: Request directory to be archived and sent
9: Send the archived directory
10: Send a message like “.cmd” or “.tmp” (parameter d)
11: Send ping
12: Send the captured screenshot (parameter d)
13: Send the infected device information (parameter d)
VSCode CLI installers (number, installer type, VSCode version, download source):
1: Written in JScript; VSCode CLI 1.106.3; hxxps://vscode.download.prss.microsoft[.]com/dbazure/download/stable/bf9252a2fb45be6893dd8870c0bf37e2e1766d61/vscode_cli_win32_x64_cli[.]zip
2: Written in Go; VSCode CLI 1.106.2; hxxps://vscode.download.prss.microsoft[.]com/dbazure/download/stable/1e3c50d64110be466c0b4a45222e81d2c9352888/vscode_cli_win32_x64_cli[.]zip
After the VSCode CLI file has been successfully downloaded, it is unzipped into the C:\Users\Public directory, and the extracted code.exe is executed with the tunnel command.
Windows commands used to gather system details
httpMalice transmits the result of host profiling to its C2 server as a URL parameter, using the POST method over the HTTP/HTTPS protocol, with the header x-www-form-urlencoded.
Our analysis revealed two distinct versions of httpMalice based on their C2 communications: version 1.9 communicates over HTTP and version 1.8 uses Dropbox.
In httpMalice, commands are mostly executed using the format cmd.exe /c chcp 949
x C:\programdata\1.zip C:\programdata\ to extract the contents of the ZIP file.
The following shared characteristics have been identified:
(PebbleDash cluster) Ability to run commands received from the C2 server with the S-1-12-12288 SID, indicating a high integrity level – a feature also observed in PebbleDash and httpTroy.
The latter, the older variant, leverages the Dropbox API by utilizing pre-defined application credentials.
This mirrors tactics observed in similar threats, such as httpSpy.
The more recent variant gathers critical information from the compromised system, such as the current directory path, volume serial numbers, user privileges, username, local IP address, and the name and size of the currently executed httpMalice DLL file.
The URL includes two or three parameters: operation mode, unique identifier (referred to as UID), and data.
If elevated, the task is named ChromeCheck, and the command schtasks /create /tn <task name> /
It is mostly delivered through JSE Dropper.
The Dropper variant is responsible for downloading additional malware and executing commands received from its C2 server, while the Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives.
Post-exploitation
We observed interesting post-exploitation activities involving VSCode and DWAgent.
The Remote Tunneling feature in VSCode supports establishing a tunnel using either a Microsoft or GitHub account.
It includes features that are nearly identical to those of the previous version, such as downloading, unarchiving, and executing the VSCode CLI.
Searches for the “Microsoft Account” string in the stdout.
Sends the 0x1B 0x5B
Creating a tunnel using VSCode CLI
Once the process is complete, the attacker can access the targeted host through the tunnel on their remote machine using their GitHub account via a browser or VSCode.
An interesting feature of this variant is that it sends debugging messages and necessary values to a Slack channel via a WebHook.
This installer is very similar to the Reger Dropper.
[Target's name] [Description] [Infection date] 장악, http 있음, DWService 있음.
(The Korean part of this message format reads, in English: "taken over, http present, DWService present".)
January 26, 2026
Threat actors used security_20260126.scr to target individuals and organizations with PebbleDash-based tools.
Lure files (number, file name, English translation of the file name, detection date, MD5, malware deployed):
1: [별지 제8호서식] 개인정보(열람 정정삭제 처리정지) 요구서(개인정보 보호법 시행규칙).hwp.jse (Appendix Form No. 8 – Request for Access, Correction, Deletion, and Suspension of Processing of Personal Information (PIPA Enforcement Rules).hwp.jse); August 28, 2025; 995a0a49ae4b244928b3f67e2bfd7a6e; HelloDoor
2: 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse (Documents for the Selection of Commissioned Students for Domestic Graduate School Master’s Evening Programs (H1 2026).hwpx.jse); December 14, 2025; 52f1ff082e981cbdfd1f045c6021c63f; httpMalice
3: security_20260126.scr (no translation); January 26, 2026; 65fc9f06de5603e2c1af9b4f288bb22c; Reger Dropper, MemLoad, httpTroy
4: 노현정님.pdf.jse (Ms. Noh Hyun-jung.pdf.jse); January 28, 2026; 8e15c4d4f71bdd9dbc48cd2cabc87806; AppleSeed chain
5: 대국민서비스관리운영체계_현장점검_증적(초안).pif (On-site Inspection Evidence for the Public Service Management System (Draft).pif); February 5, 2026; 8983ffa6da23e0b99ccc58c17b9788c7; Pidoc Dropper, HappyDoor
January 28, 2026
Threat actors used Pidoc Dropper and HappyDoor to target AppleSeed chain.
JSE droppers contain a minimum of two Base64-encoded blobs:
February 5, 2026
The malware targets organizations using PebbleDash-based tools, ultimately executing the malicious payload via command-line instructions such as regsvr32.exe /s 65fc9f06de5603e2c1af9b4f288bb22c.
In addition to these droppers, Kimsuky employed a variety of executable droppers, including those crafted in Go or packaged with Inno Setup.
The two blobs are decoded using JScript and stored in an arbitrary location on disk, such as C:\ProgramData, with the malicious filenames randomly generated according to the scheme
[file path] [export function].
Reger Dropper (.SCR) and Pidoc Dropper (.PIF) also contain benign lure files and malicious payloads that, in both cases, are encrypted using XOR operations.
Specifically, Reger Dropper employs the hard-coded key "#RsfsetraW#@EsfesgsgAJOPj4eml;", while Pidoc Dropper utilizes single-byte XOR with 0xFF to decrypt the internal data for execution.
Deployed malware
In this section, we describe several malware families recently dropped by the droppers discussed above.
2026/05/14
Kimsuky targets organizations with PebbleDash-based tools.
Kimsuky mainly targets South Korean entities.
The PebbleDash and AppleSeed clusters are considered the most technically advanced in Kimsuky’s toolset.
Executive summary
Kimsuky obtains initial access to target systems by delivering spear-phishing emails containing malicious attachments disguised as documents.
Initial access
Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments.
For post-exploitation activities, Kimsuky uses the legitimate tools Visual Studio Code (VSCode) and DWAgent.
Kimsuky targets organizations with PebbleDash-based tools.
Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor.
Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021.
Specifically, Kimsuky leveraged legitimate VSCode tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities.
Kimsuky uses a variety of droppers in different formats, such as JSE, PIF, SCR, and EXE.
Background
First identified by Kaspersky in 2013, Kimsuky has been active for over 10 years and is considered less technically proficient compared to other Korean-speaking APT groups.
The group’s arsenal includes proprietary malware such as PebbleDash, BabyShark, AppleSeed, and RandomQuery, as well as open-source RATs like xRAT, XenoRAT, and TutRAT.
Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language.
HelloDoor, httpMalice, MemLoad, httpTroy.
VSCode (launched by the JSE dropper)
Since last year, Kimsuky has been leveraging the legitimate Visual Studio Code Remote Tunneling feature to establish covert remote access to the victim’s device, bypassing detection designed for traditional malware-based C2 channels (first described by Darktrace researchers).
In these attacks, instead of dropping malware, the JSE dropper downloads a legitimate Visual Studio Code (VSCode) CLI onto the infected device.
The attacker authorizes Visual Studio Code with the logged-in GitHub account using the printed code.
HelloDoor establishes persistence upon execution by registering itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key with the value name tdll and the command regsvr32.exe /s.
Before initiating communication, it generates a unique identifier by collecting device information, such as the MAC address, computer name, and the string “windows”, then computes a hash value from this information.
Argument | Description
[the provided file path] | … command to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run autorun registry using the install value name
[command] | Execute the provided command using chcp 65001 > nul & cmd /U /C
Gathering system details using PowerShell and Windows commands similar to those found in AppleSeed and Troll Stealer.
Unlike its predecessor, the HTTP variant employs HTTP/HTTPS protocols to interact with its C2 server and maintains persistent access to the victim device through a Windows service named CacheDB.
If the token is not elevated, the backdoor registers the same command under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name Everything 1.9a-[filesize].
The latest version can execute a combination of Windows commands by default to perform host profiling, while the older version fetches the command set from Dropbox.
Windows commands used to gather system details
httpMalice transmits the result of host profiling to its C2 server as a URL parameter, using the POST method over the HTTP/HTTPS protocol, with the header x-www-form-urlencoded.
The choice of symbol is determined by attempting to create a random file in the C:\Windows\system32 directory.
Our analysis revealed two distinct versions of httpMalice based on their C2 communications: version 1.9 communicates over HTTP and version 1.8 uses Dropbox.
AppleSeed
AppleSeed first appeared in 2019 and reached version 3.0.
Number | Installer type | VSCode version | Download source
1 | Written in JScript | VSCode CLI 1.106.3 | hxxps://vscode.download.prss.microsoft[.]com/dbazure/download/stable/bf9252a2fb45be6893dd8870c0bf37e2e1766d61/vscode_cli_win32_x64_cli[.]zip
2 | Written in Go | VSCode CLI 1.106.2 | hxxps://vscode.download.prss.microsoft[.]com/dbazure/download/stable/1e3c50d64110be466c0b4a45222e81d2c9352888/vscode_cli_win32_x64_cli[.]zip
After the VSCode CLI file has been successfully downloaded, it is unzipped into the C:\Users\Public directory, and the extracted code.exe is executed with the tunnel command.
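The persistence artefacts described earlier (the Run-key value names tdll, install and Everything 1.9a-[filesize], the regsvr32.exe /s launch and the CacheDB service) together with the VSCode CLI started with the tunnel command from C:\Users\Public give a defender a compact set of host indicators. The script below is an added example, not Kaspersky's or this dashboard's code: it runs those checks over a handful of constructed endpoint events, so the DLL name, the user profile and the benign processes in the sample set are assumptions, not indicators from the report.

```python
r"""Host-based checks for the persistence and remote-access artefacts named in the report.

Added illustration, not Kaspersky's or the dashboard's code. It scans constructed
endpoint events (a minimal stand-in for Sysmon-style process, registry and service
records) for:
  - the VSCode CLI (code.exe) started with the `tunnel` command, rated higher when it
    runs from C:\Users\Public, where the JSE dropper unpacks it;
  - Run-key values named tdll (HelloDoor), install, or Everything 1.9a-<filesize>
    (httpMalice without elevation), or whose data launches regsvr32.exe /s;
  - a service named CacheDB (httpMalice with an elevated token).
"""
import re
from dataclasses import dataclass

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"tdll", "install"}                    # value names from the report
EVERYTHING_RE = re.compile(r"^everything 1\.9a-\d+$")    # "Everything 1.9a-[filesize]"
SERVICE_NAME = "cachedb"                                 # httpMalice service name
DROP_DIR = "c:\\users\\public\\"                         # where the CLI is unzipped


@dataclass
class Event:
    """One endpoint event; only the fields relevant to its kind are filled."""
    kind: str               # "process", "registry" or "service"
    image: str = ""         # process: full path of the executable
    cmdline: str = ""       # process: command line
    key: str = ""           # registry: key path
    value_name: str = ""    # registry: value name
    value_data: str = ""    # registry: value data
    service_name: str = ""  # service: name of the installed service


def check_process(ev):
    image = ev.image.lower()
    args = ev.cmdline.lower().split()
    if image.endswith("\\code.exe") and "tunnel" in args:
        # A tunnel opened from the Public profile matches the dropper's behaviour;
        # one from a normal install path may still be a user's own remote tunnel.
        severity = "high" if image.startswith(DROP_DIR) else "medium"
        return [(severity, "vscode_cli_tunnel", ev.cmdline)]
    return []


def check_registry(ev):
    if not ev.key.lower().endswith(RUN_KEY_SUFFIX):
        return []
    name = ev.value_name.lower()
    if name in RUN_VALUE_NAMES or EVERYTHING_RE.match(name):
        return [("high", "run_key_value_name", ev.value_name)]
    data = ev.value_data.lower().lstrip('"')
    if data.startswith("regsvr32.exe /s") or data.startswith("regsvr32 /s"):
        return [("medium", "run_key_regsvr32", ev.value_data)]
    return []


def check_service(ev):
    if ev.service_name.lower() == SERVICE_NAME:
        return [("high", "service_name", ev.service_name)]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "service": check_service}


def scan(events):
    """Return (severity, rule, detail) tuples for every event that matches a check."""
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev.kind, lambda _e: [])(ev))
    return findings


# Constructed sample telemetry; everything except the report's own indicators is made up.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\Public\code.exe", cmdline=r"C:\Users\Public\code.exe tunnel"),
    Event("process", image=r"C:\Program Files\Microsoft VS Code\Code.exe",
          cmdline=r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value_name="tdll", value_data=r"regsvr32.exe /s C:\Users\Public\libtdll.dll"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value_name="Everything 1.9a-245760", value_data=r"C:\Users\Public\Everything.exe"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value_name="OneDrive",
          value_data=r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("service", service_name="CacheDB"),
    Event("service", service_name="Spooler"),
]

if __name__ == "__main__":
    for severity, rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Matching on the value name first is deliberate: the value data (a path or a regsvr32 line) varies from sample to sample, while the names are the constants the report gives. A code.exe tunnel from a normal install path is only rated medium because Remote Tunneling is a legitimate feature a user may have enabled themselves.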
The operation mode, or parameter m, supports the following values:
Value | Description
1 | Send the session identifier (parameter s) along with the current state (parameter a)
2 | Request command
3 | Send result after executing the command (parameter d)
8 | Request directory to be archived and sent
9 | Send the archived directory
10 | Send a message like “.cmd” or “.tmp” (parameter d)
11 | Send ping
12 | Send the captured screenshot (parameter d)
13 | Send the infected device information (parameter d)
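To show how the parameter table above translates into network-side detection, here is an added Python classifier (not the report's or the dashboard's code) that recognises httpMalice-shaped POST requests from the m, s, a and d parameters and reports whether the exchange carries the fields its mode needs. The host, path and parameter values in the constructed captures are placeholders; the report gives only the parameter names, the POST method and the x-www-form-urlencoded header.

```python
"""Classifier for httpMalice-shaped C2 requests (added example, not the report's code).

It decodes the operation mode (m) and the session (s), state (a) and data (d)
parameters from a captured HTTP transaction and flags requests whose mode lacks the
parameters the table says it carries. Hosts, paths and values below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

OPERATION_MODES = {
    "1": "send session identifier (s) with current state (a)",
    "2": "request command",
    "3": "send result after executing the command (d)",
    "8": "request directory to be archived and sent",
    "9": "send the archived directory",
    "10": "send a message such as '.cmd' or '.tmp' (d)",
    "11": "send ping",
    "12": "send the captured screenshot (d)",
    "13": "send the infected device information (d)",
}
# Parameters a request in each mode must carry to be a well-formed exchange.
REQUIRED = {"1": {"s", "a"}, "3": {"d"}, "10": {"d"}, "12": {"d"}, "13": {"d"}}


def classify_request(method, headers, url, body):
    """Return a description of an httpMalice-shaped request, or None if it does not match.

    Matching needs: POST, a form-urlencoded content type, and a known operation mode in
    parameter m, read from the query string or the body (the report says the profiling
    result travels as a URL parameter of a POST, so both locations are checked).
    """
    if method.upper() != "POST":
        return None
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if "x-www-form-urlencoded" not in ctype.lower():
        return None
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    mode = params.get("m")
    if mode not in OPERATION_MODES:
        return None
    missing = REQUIRED.get(mode, set()) - set(params)
    return {
        "mode": mode,
        "description": OPERATION_MODES[mode],
        "session": params.get("s"),
        "complete": not missing,           # all parameters the mode needs are present
        "data_bytes": len(params.get("d", "")),
    }


def scan_transactions(transactions):
    """Filter captured (method, headers, url, body) tuples down to httpMalice-shaped ones."""
    hits = []
    for method, headers, url, body in transactions:
        verdict = classify_request(method, headers, url, body)
        if verdict:
            hits.append((url, verdict))
    return hits


FORM = {"Content-Type": "application/x-www-form-urlencoded"}
# Constructed captures; the host and path are placeholders, not indicators from the report.
SAMPLE_TRANSACTIONS = [
    ("POST", FORM, "http://c2.example/index.php?m=1&s=a1b2c3&a=0", ""),
    ("POST", FORM, "http://c2.example/index.php", "m=3&s=a1b2c3&d=ZGlyIG91dHB1dA=="),
    ("POST", FORM, "http://c2.example/index.php", "m=12&s=a1b2c3"),   # screenshot mode, no data
    ("POST", FORM, "https://shop.example/login", "user=alice&pass=secret"),  # ordinary form post
    ("GET", {}, "http://c2.example/index.php?m=2&s=a1b2c3", ""),             # wrong method
]

if __name__ == "__main__":
    for url, verdict in scan_transactions(SAMPLE_TRANSACTIONS):
        print(url, verdict)
```

The "complete" flag is what separates a real beacon from a coincidental form field called m: a mode-1 request without s and a, or a screenshot upload without d, does not match the exchange the report describes and deserves a lower confidence.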
The following shared characteristics have been identified:
(PebbleDash cluster) Ability to run commands received from the C2 server with the S-1-12-12288 SID, indicating a high integrity level – a feature also observed in PebbleDash and httpTroy.
The commands supported by httpMalice are as follows:
Command | Description
0 | Do nothing
1 | Execute the command with EUC-KR encoding
2 | Download and extract the file to the infected device
3 | Upload a directory to the C2 server after it has been archived
5 | Get the current directory
6 | Set the current directory
7 | Execute the command without setting an EUC-KR character set
8 | Remove its persistence traces and exit the process
9 | Hibernate
10 | Execute the command using the provided session ID
12 | Capture the screen
13 | Load the downloaded payload into memory
MemLoad downloads httpTroy
Since early 2025, we have observed several versions of MemLoad; specifically, MemLoad V2 emerged in March, and V3 appeared by September.
Value of elevation status | Description
0 | Running under the SYSTEM account with an elevated token
1 | Running under an elevated administrator account
2 | Running without elevation
Depending on the token privilege, the backdoor then establishes persistence by either creating a service or registering itself to autostart at user logon.
Intelligence Sources
Kaspersky
2026-05-14
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:10
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Entity type | Entity
65x | organisation | Identified Entity | GPKI
19x | timeline | Temporal Reference | 2024
6x | infrastructure | Software Version | 1.9
4x | tactic | Cyber Operation Type | Phishing
3x | target region | Target Country | Korea, Republic of
3x | malware | Malware Payload | AppleSeed
3x | general metric | Port | 443
3x | industry | Targeted Sector | Government
3x | tactic | MITRE ATT&CK Technique | T1588.001 - Malware
2x | threat actor | APT Group | Kimsuky
2x | infrastructure | Affected Product | Visual Studio Code
2x | general metric | Chcp | 65,001
2x | general metric | Version | 2
2x | general metric | Hibernate | 9
Contextual Telemetry
Context Block (20 metrics)
Category | Label | Value
source region | Origin Country | United States
general metric | Malware | 1
general metric | . | 8
general metric | Security_20260126.Scr | 3
general metric | 노현정님.Pdf.Jse | 4
general metric | 대국민서비스관리운영체계현장점검증적(초안).Pif Inspection Evidence | 5
general metric | Communicates | 2
infrastructure | Type Download Source | 1
general metric | Bf9252A2Fb45Be6893Dd8870C0Bf37E2E1766D61 | 2
financial | S-1 Sid | 12,288
infrastructure | Command Description | 0
infrastructure | Encoding Download | 2
infrastructure | Server | 5
general metric | Directory | 6
general metric | Current Directory | 7
general metric | Id | 12
general metric | Load | 13
general metric | D | 11
general metric | Httpmalice | 0
general metric | Entities | 24