
Kimsuky targets organizations with PebbleDash-based tools

Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.

Confidence: high | Analyzed: 2026-05-14 | Google

Authors: Sojun Ryu

Actors: Kimsuky, APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, Springtail, Cerium, Lazarus Group, PebbleDash, AppleSeed, BabyShark, RandomQuery

Source:Kaspersky

IOCs · 36

Detection / Hunter: Google

What Happened

The cyber espionage group known as Kimsuky is using new, advanced malicious software to target organizations, primarily in South Korea and the global defense sector. They gain initial access by sending deceptive emails with malicious attachments disguised as normal documents. Once inside, they use legitimate remote access tools like Visual Studio Code and DWAgent to secretly control the infected computers and steal sensitive information, including government digital certificates. This matters because the attackers are blending in with normal network traffic, making them harder to detect. Organizations should train employees to spot phishing emails and monitor the use of remote access tools on their networks.

Key Takeaways

  • Kimsuky is actively updating its PebbleDash and AppleSeed malware clusters, introducing new variants like the Rust-based HelloDoor and httpMalice.
  • The threat actor is increasingly abusing legitimate tools for post-exploitation, specifically VSCode Remote Tunnels and DWAgent, to bypass traditional C2 detection.
  • HelloDoor exhibits signs of being developed with the assistance of Large Language Models (LLMs), indicated by specific emoji-based logging comments.
  • The AppleSeed cluster has added capabilities to steal the C:\GPKI directory, targeting South Korean government digital certificates.

Affected Systems

  • Windows operating systems
  • South Korean public and private sector entities
  • Global defense, medical, and energy industries

Attack Chain

Kimsuky initiates attacks via spear-phishing emails containing malicious attachments (JSE, PIF, SCR, EXE) disguised as legitimate documents. Upon execution, these droppers decode and launch malware from the PebbleDash or AppleSeed clusters, such as HelloDoor or httpMalice, establishing persistence via registry run keys or scheduled tasks. For post-exploitation and covert access, the attackers deploy legitimate tools like DWAgent or establish Visual Studio Code Remote Tunnels, authenticating via GitHub to bypass traditional network defenses. Finally, the malware exfiltrates sensitive data, including system profiles, screenshots, and government digital certificates (GPKI), to attacker-controlled infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect the creation of unusual scheduled tasks (ChromeCheck/EdgeCheck), suspicious child processes of script interpreters (wscript.exe -> powershell.exe -> certutil.exe), and the execution of the VSCode CLI or unrar.exe from C:\ProgramData.
  • Network Visibility: Medium — While traditional C2 domains can be blocked, the use of Cloudflare Quick Tunnels, the Dropbox API, and VSCode Remote Tunnels encrypts and blends malicious traffic with legitimate services, making network-based detection challenging.
  • Detection Difficulty: Moderate — The heavy reliance on legitimate tools (VSCode, DWAgent, Cloudflare) and living-off-the-land binaries (certutil, regsvr32) requires behavioral detection logic rather than simple IOC matching.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Registry Event (Sysmon Event ID 12/13/14)
  • Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Consider hunting for code.exe executing with the tunnel argument, especially if initiated from unusual directories like C:\ProgramData or C:\Users\Public, to identify unauthorized VSCode Remote Tunnels. | Process Creation | Command and Control | Medium
Look for certutil.exe being used with the -decode flag by powershell.exe, which may indicate the decoding of malicious payloads dropped by initial access scripts. | Process Creation | Execution | Low
Investigate the creation of scheduled tasks named ChromeCheck or EdgeCheck that execute regsvr32.exe, as this is a known persistence mechanism for MemLoad. | Scheduled Task Creation | Persistence | Low
Monitor for unrar.exe extracting archives (e.g., 1.zip) within C:\ProgramData, followed by the installation of the dwagsvc.exe service, indicating potential unauthorized DWAgent deployment. | Process Creation | Execution | Low
Hunt for processes executing cmd.exe /c chcp 949 followed by command output redirection to temporary files, a pattern used by httpMalice for host profiling. | Process Creation | Discovery | Low
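The five hunts above expressed as predicates over Sysmon Event ID 1-style process-creation records (ParentImage, Image, CommandLine), run over constructed sample events; this is an added example, not code from the page or the Kaspersky report. The task names, tunnel name, code page and C:\ProgramData paths come from the page; the sample parent processes, file names and user directory are assumptions, and the DWAgent hunt is reduced to single-event matches (unrar in C:\ProgramData, or the dropped dwagsvc.exe starting) rather than the sequence the table describes.

```python
import re

def _exe(ev: dict, field: str) -> str:
    return ev.get(field, "").lower().rsplit("\\", 1)[-1]  # bare lower-case file name of an image path

def vscode_tunnel(ev: dict) -> bool:
    # code.exe with the tunnel sub-command, running out of C:\ProgramData or C:\Users\Public
    return (_exe(ev, "Image") == "code.exe" and " tunnel" in ev["CommandLine"].lower()
            and ev["Image"].lower().startswith(("c:\\programdata\\", "c:\\users\\public\\")))

def certutil_decode(ev: dict) -> bool:
    # certutil -decode spawned by powershell.exe: payload decoding by an initial-access script
    return (_exe(ev, "Image") == "certutil.exe" and _exe(ev, "ParentImage") == "powershell.exe"
            and "-decode" in ev["CommandLine"].lower())

def memload_task(ev: dict) -> bool:
    # schtasks creating ChromeCheck/EdgeCheck whose action runs regsvr32 (MemLoad persistence)
    cl = ev["CommandLine"].lower()
    return (_exe(ev, "Image") == "schtasks.exe" and "/create" in cl and "regsvr32" in cl
            and re.search(r'/tn\s+"?(chromecheck|edgecheck)\b', cl) is not None)

def dwagent_setup(ev: dict) -> bool:
    # unrar extracting inside C:\ProgramData, or the dropped DWAgent service binary starting
    return ((_exe(ev, "Image") == "unrar.exe" and "c:\\programdata\\" in ev["CommandLine"].lower())
            or ev["Image"].lower() == "c:\\programdata\\dwagent\\native\\dwagsvc.exe")

def chcp_profiling(ev: dict) -> bool:
    # cmd.exe /c chcp 949 with command output redirected into a Temp path (httpMalice profiling)
    cl = ev["CommandLine"].lower()
    return (_exe(ev, "Image") == "cmd.exe" and "chcp 949" in cl
            and ">" in cl and "\\temp\\" in cl.split(">", 1)[1])

RULES = {"vscode_tunnel": vscode_tunnel, "certutil_decode": certutil_decode,
         "memload_task": memload_task, "dwagent_setup": dwagent_setup, "chcp_profiling": chcp_profiling}

def hunt(events: list) -> list:
    """Return (event index, rule name) for every rule that fires; one event may hit several rules."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry (not taken from the report); the last record is a benign VS Code start.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": r"certutil -decode C:\Users\Public\readme.txt C:\Users\Public\readme.dll"},
    {"Image": r"C:\ProgramData\code\code.exe", "CommandLine": r"code.exe tunnel --name bizeugene"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r'schtasks /create /tn ChromeCheck /tr "regsvr32.exe /s C:\ProgramData\x.dll" /sc minute /mo 5'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c chcp 949 & systeminfo > C:\Users\kim\AppData\Local\Temp\out.txt"},
    {"Image": r"C:\ProgramData\unrar.exe", "CommandLine": r"unrar.exe x C:\ProgramData\1.zip C:\ProgramData"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe", "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'},
]
```

Against the six sample records, hunt(SAMPLE_EVENTS) fires exactly one rule on each of the first five and nothing on the benign VS Code launch, which is the behaviour to check before pointing the predicates at real telemetry.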

Control Gaps

  • Network filtering of legitimate services (VSCode, Cloudflare, Dropbox)
  • Application control policies allowing execution from C:\ProgramData

Key Behavioral Indicators

  • certutil.exe decoding files in hidden windows
  • regsvr32.exe executing payloads from C:\ProgramData
  • code.exe tunnel creation with specific names like 'bizeugene'
  • Creation of ADS files ending in :HUI

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified C2 domains and IP addresses at the perimeter firewall or web proxy.
  • Search endpoint telemetry for the presence of unauthorized VSCode tunnels or DWAgent installations, particularly in C:\ProgramData.

Infrastructure Hardening

  • Evaluate whether access to VSCode Remote Tunnels (vscode.dev), TryCloudflare, and Dropbox can be restricted or monitored at the network level if not required for business operations.
  • Consider implementing Application Control (e.g., AppLocker or WDAC) to prevent the execution of unapproved binaries and scripts from user-writable directories like C:\ProgramData.

User Protection

  • If supported by your email security gateway, consider blocking or quarantining attachments with .jse, .pif, and .scr extensions.
  • Ensure EDR solutions are configured to monitor and alert on suspicious use of living-off-the-land binaries like certutil.exe and regsvr32.exe.

Security Awareness

  • Consider updating security awareness training to highlight the risks of spear-phishing emails containing unusual attachment types disguised as documents.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1090.001 - Proxy: Internal Proxy
  • T1219 - Remote Access Software
  • T1005 - Data from Local System

Additional IOCs

  • Domains:
    • morames[.]r-e[.]kr - C2 server domain for the AppleSeed malware.
    • load[.]yju[.]o-r[.]kr - C2 server domain for the MemLoad downloader.
    • attach[.]docucloud[.]o-r[.]kr - C2 server domain for the MemLoad downloader.
    • load[.]supershop[.]o-r[.]kr - C2 server domain for the MemLoad downloader.
    • load[.]erasecloud[.]n-e[.]kr - C2 server domain for the MemLoad downloader.
    • erp[.]spaceme[.]p-e[.]kr - C2 server domain for the HappyDoor backdoor.
    • load[.]auraria[.]org - C2 server domain for the httpTroy backdoor.
  • Urls:
    • hxxps://www[.]pyrotech[.]co[.]kr/common/include/tech/default.php - C2 URL for the httpMalice backdoor.
    • hxxp://newjo-imd[.]com/common/include/library/default.php - C2 URL for the httpMalice backdoor.
    • hxxps://vscode[.]download[.]prss[.]microsoft[.]com/dbazure/download/stable/bf9252a2fb45be6893dd8870c0bf37e2e1766d61/vscode_cli_win32_x64_cli.zip - Specific URL used by the JScript installer to download the VSCode CLI.
    • hxxps://vscode[.]download[.]prss[.]microsoft[.]com/dbazure/download/stable/1e3c50d64110be466c0b4a45222e81d2c9352888/vscode_cli_win32_x64_cli.zip - Specific URL used by the Go-based installer to download the VSCode CLI.
  • File Hashes:
    • 995a0a49ae4b244928b3f67e2bfd7a6e (md5) - JSE Dropper delivering HelloDoor.
    • 52f1ff082e981cbdfd1f045c6021c63f (md5) - JSE Dropper delivering httpMalice.
    • 9fe43e08c8f446554340f972dac8a68c (md5) - JSE Dropper variant.
    • 8e15c4d4f71bdd9dbc48cd2cabc87806 (md5) - JSE Dropper delivering AppleSeed chain.
    • 65fc9f06de5603e2c1af9b4f288bb22c (md5) - Reger Dropper (.SCR) delivering MemLoad and httpTroy.
    • c19aeaedbbfc4e029f7e9bdface495b9 (md5) - Reger Dropper variant (.SCR).
    • 8983ffa6da23e0b99ccc58c17b9788c7 (md5) - Pidoc Dropper (.PIF) delivering HappyDoor.
    • a7f0a18ac87e982d6f32f7a715e12532 (md5) - AppleSeed Dropper component.
    • f4465403f9693939fe9c439f0ab33610 (md5) - AppleSeed Dropper component.
    • 5c373c2116ab4a615e622f577e22e9be (md5) - AppleSeed Dropper component.
    • d1ec20144c83bba921243e72c517da5e (md5) - HappyDoor backdoor payload.
    • 58ac2f65e335922be3f60e57099dc8a3 (md5) - MemLoad downloader payload.
    • f73ba062116ea9f37d072aa41c7f5108 (md5) - MemLoad configuration file (jhsakqvv.dat).
    • 7e0825019d0de0c1c4a1673f94043ddb (md5) - httpTroy backdoor payload.
    • 94faed9af49c98a89c8acc55e97276c9 (md5) - httpMalice backdoor payload variant.
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Registry run key used for persistence by HelloDoor (value: tdll) and httpMalice (values: Everything 1.9a-[filesize] or Everything 1.8a-[filesize]).
  • File Paths:
    • C:\ProgramData\1.zip - Encrypted archive containing DWAgent dropped by the custom installer.
    • C:\programdata\dwagent\native\dwagsvc.exe - DWAgent service executable installed for post-exploitation access.
    • C:\programdata\config.db - Configuration file associated with the httpTroy backdoor.
  • Command Lines:
    • Purpose: Decodes Base64 payloads dropped by initial access scripts. | Tools: powershell.exe, certutil.exe | Stage: Execution | powershell.exe -windowstyle hidden certutil -decode
    • Purpose: Executes DLL-based backdoor payloads. | Tools: regsvr32.exe | Stage: Execution | regsvr32.exe /s
    • Purpose: Establishes persistence for MemLoad via a scheduled task. | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn ChromeCheck /tr
    • Purpose: Executes commands with EUC-KR encoding for host profiling by httpMalice. | Tools: cmd.exe, chcp.com | Stage: Discovery | cmd.exe /c chcp 949
    • Purpose: Establishes a VSCode Remote Tunnel for covert access. | Tools: code.exe | Stage: Command and Control | code tunnel --name bizeugene
    • Purpose: Extracts the DWAgent archive during post-exploitation setup. | Tools: unrar.exe | Stage: Execution | unrar.exe x