Kimsuky HttpTroy backdoor activity against South Korean users
Malware Activity
Summary
Hide ▲
Show ▼
Kimsuky has been tied to fresh March and April 2026 campaigns against South Korean military and corporate entities, using fake security-software pages and a counterfeit Webex page to deliver HTTPSpy and related loaders. The activity used nos-setup.exe, astx-setup.exe, MemLoader.dll, fix-camera.jse, mTSTCv8.mdxm, and cacheMon.dat to establish persistence, run PowerShell and regsvr32.exe chains, and fetch later-stage malware from C2 servers. ENKI also described JSONPing infection verification, while Kaspersky said Kimsuky additionally abused VS Code tunneling and DWAgent across overlapping sectors.
Related Happenings
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
SPECTRALVIPER DLL sideloading backdoor activity
Malware Activity
H score31
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
SPECTRALVIPER DLL sideloading backdoor activity
Malware ActivityAbout this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
Timeline
-
05.11.2025 04:00 3 articles · 8mo ago
Kimsuky deploys HttpTroy backdoor against South Korean users
Initial DisclosureNorth Korean threat group Kimsuky deploys HttpTroy as the final stage of a multi-step infection chain against South Korean users, using a ZIP archive with a Microsoft Windows screensaver (.scr) file and the MemLoad loader to launch a backdoor that can move files, take screenshots, and execute commands while encrypting communications, obfuscating payloads, and running code in memory.
Show sources
- Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users — www.darkreading.com — 05.11.2025 04:00
- Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users — www.darkreading.com — 05.11.2025 04:00
- Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels — thehackernews.com — 29.05.2026 08:57