Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kimsuky HttpTroy backdoor activity against South Korean users

Malware Activity
First reported
Last updated
Happening score
H score 23
2 unique sources, 2 articles

Summary

Hide ▲

Kimsuky has been tied to fresh March and April 2026 campaigns against South Korean military and corporate entities, using fake security-software pages and a counterfeit Webex page to deliver HTTPSpy and related loaders. The activity used nos-setup.exe, astx-setup.exe, MemLoader.dll, fix-camera.jse, mTSTCv8.mdxm, and cacheMon.dat to establish persistence, run PowerShell and regsvr32.exe chains, and fetch later-stage malware from C2 servers. ENKI also described JSONPing infection verification, while Kaspersky said Kimsuky additionally abused VS Code tunneling and DWAgent across overlapping sectors.

Related Happenings

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

SprySOCKS Windows backdoor activity against government organizations

Malware Activity
H score23 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score31 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...

Timeline

  1. 05.11.2025 04:00 3 articles · 8mo ago

    Kimsuky deploys HttpTroy backdoor against South Korean users

    Initial Disclosure

    North Korean threat group Kimsuky deploys HttpTroy as the final stage of a multi-step infection chain against South Korean users, using a ZIP archive with a Microsoft Windows screensaver (.scr) file and the MemLoad loader to launch a backdoor that can move files, take screenshots, and execute commands while encrypting communications, obfuscating payloads, and running code in memory.

    Show sources