Kimsuky March-April 2026 campaign against South Korean military and corporate entities
Campaign
Summary
The Kimsuky campaign ran through March and April 2026, using spoofed security-installation pages and a fake Webex lure against South Korean military and corporate entities, raising the risk of remote compromise and staged payload delivery.
Related Happenings
South Korean financial-sector data leak in Qilin's Korean Leaks operation
Data Leak
First: 26.11.2025 16:31
Last: 26.11.2025 16:31
Sources 1
About this happening:
The **Qilin** leak site published stolen data from **28 victims** in **South Korea's financial sector**, exposing more than **1 million files** and **2 TB** of data. The disclosur...
Konni APT KakaoTalk spear-phishing campaign targeting Android users in South Korea
Campaign
First: 11.11.2025 13:40
Last: 11.11.2025 13:40
Sources 1
About this happening:
A **Konni APT** operation is using **spear-phishing** and **KakaoTalk** to compromise **Android users in South Korea**, enabling device compromise and malware spread. The multi-st...
KONNI KakaoTalk and Google Find Hub Android-wiping campaign
Campaign
First: 11.11.2025 02:46
Last: 11.11.2025 02:46
Sources 1
About this happening:
The **KONNI** operation is actively combining **KakaoTalk spear-phishing** with **Google Find Hub** abuse to track targets and remotely wipe **Android devices**, raising data-loss...
Kimsuky HttpTroy backdoor activity against South Korean users
Malware Activity
First: 05.11.2025 04:00
Last: 05.11.2025 04:00
Sources 1
How related:
HttpTroy, a backdoor delivered via a loader named MemLoad, allows file upload/download, screenshot capture, command execution, in-memory loading of executables, reverse shell, process termination, and trace removal.
About this happening:
**Kimsuky** has been tied to fresh **March and April 2026** campaigns against **South Korean military and corporate entities**, using **fake security-software pages** and a **coun...
South Korea travel ban and delegation over Cambodia scam centers
Public Sector Action
First: 20.10.2025 21:58
Last: 20.10.2025 21:58
Sources 1
About this happening:
South Korean authorities imposed a **travel ban on parts of Cambodia** and sent a **government delegation** to address scam centers affecting **about 1,000 South Koreans**. The mo...
Timeline
- 29.05.2026 08:57 · 2 articles
Initial report: Kimsuky March-April 2026 campaign against South Korean military and corporate entities
Initial Disclosure
In **March 2026**, a bogus security-software page impersonating a **South Korean B2B messaging service** delivered **nos-setup.exe** and **astx-setup.exe**, likely to identify and infect corporate messaging administrators.
Sources:
- Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels — thehackernews.com — 29.05.2026 08:57
- Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels — thehackernews.com — 29.05.2026 08:57