{"id":3112,"date":"2026-05-14T12:04:39","date_gmt":"2026-05-14T12:04:39","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/"},"modified":"2026-05-14T12:04:39","modified_gmt":"2026-05-14T12:04:39","slug":"kimsuky-targets-organizations-with-pebbledash-based-tools","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/","title":{"rendered":"Kimsuky targets organizations with PebbleDash-based tools"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group\u2019s latest campaigns.<\/p>\n<p>Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the <a href=\"https:\/\/www.cisa.gov\/news-events\/analysis-reports\/ar20-133c\" target=\"_blank\" rel=\"noopener\">Lazarus Group<\/a> but appropriated by Kimsuky since at least 2021. Our monitoring indicates various strategic updates to the group\u2019s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language. 
This expanding set of tools underscores the group\u2019s ongoing adaptation and evolution.<\/p>\n<p>Specifically, Kimsuky leveraged legitimate VSCode tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities. These activities affected various sectors in South Korea, impacting both public and private entities.<\/p>\n<p>This article covers both previously undocumented attacks and a deeper technical analysis of incidents within this campaign that have been reported before \u2014 offering new insight beyond what has already been published.<\/p>\n<h2 id=\"executive-summary\">Executive summary<\/h2>\n<ul>\n<li>Kimsuky obtains initial access to target systems by delivering spear-phishing emails containing malicious attachments disguised as documents. In some cases, the group also contacts targets via messengers.<\/li>\n<li>Kimsuky uses a variety of droppers in formats such as JSE, PIF, SCR, and EXE.<\/li>\n<li>The droppers deliver malware mainly belonging to two big clusters: PebbleDash and AppleSeed. These clusters are considered the most technically advanced in the group\u2019s toolset. The report covers the following PebbleDash malware: HelloDoor, httpMalice, MemLoad, and httpTroy. It also covers AppleSeed and HappyDoor from the AppleSeed cluster.<\/li>\n<li>For post-exploitation activities, Kimsuky uses the legitimate tools Visual Studio Code (VSCode) and DWAgent. For VSCode, the attacker uses the GitHub authentication method.<\/li>\n<li>For hosting C2 infrastructure, the group mainly uses domains registered at a free South Korean hosting provider. It also occasionally relies on hacked South Korean websites and tunneling tools, such as Ngrok or VSCode.<\/li>\n<li>Kimsuky mainly targets South Korean entities. However, PebbleDash attacks were also seen in Brazil and Germany. 
This malware cluster focuses on the defense sector, while AppleSeed most often targets government organizations.<\/li>\n<\/ul>\n<h2 id=\"background\">Background<\/h2>\n<p>First identified by Kaspersky in <a href=\"https:\/\/securelist.com\/the-kimsuky-operation-a-north-korean-apt\/57915\/\" target=\"_blank\" rel=\"noopener\">2013<\/a>, Kimsuky has been active for over 10 years and is considered less technically proficient compared to other Korean-speaking APT groups. The group has targeted a wide range of entities and demonstrated capability in creating tailored spear-phishing emails. The group\u2019s arsenal includes proprietary malware such as PebbleDash, BabyShark, AppleSeed, and RandomQuery, as well as open-source RATs like xRAT, XenoRAT, and TutRAT. This blog post examines the evolving PebbleDash-based malware (referred to as the PebbleDash cluster) and its connections to the AppleSeed-based malware (referred to as the AppleSeed cluster).<\/p>\n<p>The PebbleDash and AppleSeed clusters are considered the most technically advanced in Kimsuky\u2019s toolset. Since at least 2019, these clusters have masqueraded as legitimate documents and application installers, manifesting as JSE droppers or executables with .EXE, .SCR and .PIF extensions. Both are particularly adept at establishing backdoors and stealing information, and ongoing development of their variants has been observed. 
They even occasionally utilize stolen legitimate certificates from South Korean organizations to avoid detection.<\/p>\n<div id=\"attachment_119786\" style=\"width: 1952px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-119786\" class=\"size-full wp-image-119786\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1.png\" alt=\"Timeline of the AppleSeed and PebbleDash malware families\" width=\"1942\" height=\"674\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1.png 1942w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-300x104.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-1024x355.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-768x267.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-1536x533.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-1008x350.png 1008w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-740x257.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-807x280.png 807w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10163532\/pebbledash1-800x278.png 800w\" sizes=\"(max-width: 1942px) 100vw, 1942px\"><\/a><\/p>\n<p id=\"caption-attachment-119786\" class=\"wp-caption-text\">Timeline of the AppleSeed and PebbleDash malware 
families<\/p>\n<\/div>\n<p>AppleSeed and PebbleDash have primarily targeted the public and private sectors in South Korea. The PebbleDash cluster has shown a particular interest in the medical, military and defense industries worldwide. The PebbleDash cluster compromised Brazilian and South Korean defense organizations throughout the past several years, as well as a German defense firm. In 2024, the South Korean government released a <a href=\"https:\/\/www.ncsc.go.kr:4018\/main\/cop\/bbs\/selectBoardArticle.do?bbsId=SecurityAdvice_main&amp;nttId=146934&amp;pageIndex=1&amp;searchCnd2=\" target=\"_blank\" rel=\"noopener\">security advisory<\/a> regarding the AppleSeed cluster, detailing how the malware was distributed by replacing a security software installer required to access a construction entity\u2019s website.<\/p>\n<h2 id=\"initial-access\">Initial access<\/h2>\n<p>Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments. According to <a href=\"https:\/\/www.genians.co.kr\/en\/blog\/threat_intelligence\/triple-combo\" target=\"_blank\" rel=\"noopener\">recent research<\/a>, the group also occasionally approaches targets by contacting them via messengers. In all cases, the initial contact leads to the delivery of a malicious attachment disguised as a document. These attachments often consist of compressed files containing droppers in formats such as .JSE, .EXE, .PIF, or .SCR. The filenames are consistent with the message content and are meant to convince the recipient to open the attachment. 
The malicious files are often disguised as product quotations, job offers, information guides, surveys, government documents, and personal photos.<\/p>\n<p>Here are some recently discovered examples:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Number<\/strong><\/td>\n<td><strong>Filename<\/strong><\/td>\n<td><strong>Filename (translated to English)<\/strong><\/td>\n<td><strong>Detection date<\/strong><\/td>\n<td><strong>MD5<\/strong><\/td>\n<td><strong>Malware deployed<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>[\ubcc4\uc9c0 \uc81c8\ud638\uc11c\uc2dd] \uac1c\uc778\uc815\ubcf4(\uc5f4\ub78c \uc815\uc815\uc0ad\uc81c \ucc98\ub9ac\uc815\uc9c0) \uc694\uad6c\uc11c(\uac1c\uc778\uc815\ubcf4 \ubcf4\ud638\ubc95 \uc2dc\ud589\uaddc\uce59).hwp.jse<\/td>\n<td>Appendix Form No. 8 \u2013 Request for Access, Correction, Deletion, and Suspension of Processing of Personal Information (PIPA Enforcement Rules).hwp.jse<\/td>\n<td>August 28, 2025<\/td>\n<td>995a0a49ae4b244928b3f67e2bfd7a6e<\/td>\n<td>HelloDoor<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>2026\ub144 \uc0c1\ubc18\uae30 \uad6d\ub0b4\ub300\ud559\uc6d0 \uc11d\uc0ac\uc57c\uac04\uacfc\uc815 \uc704\ud0c1\uad50\uc721\uc0dd \uc120\ubc1c\uad00\ub828 \uc11c\ub958.hwpx.jse<\/td>\n<td>Documents for the Selection of Commissioned Students for Domestic Graduate School Master\u2019s Evening Programs (H1 2026).hwpx.jse<\/td>\n<td>December 14, 2025<\/td>\n<td>52f1ff082e981cbdfd1f045c6021c63f<\/td>\n<td>httpMalice<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>security_20260126.scr<\/td>\n<td>\u2013<\/td>\n<td>January 26, 2026<\/td>\n<td>65fc9f06de5603e2c1af9b4f288bb22c<\/td>\n<td>Reger Dropper, MemLoad, httpTroy<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>\ub178\ud604\uc815\ub2d8.pdf.jse<\/td>\n<td>Ms. 
Noh Hyun-jung.pdf.jse<\/td>\n<td>January 28, 2026<\/td>\n<td>8e15c4d4f71bdd9dbc48cd2cabc87806<\/td>\n<td>AppleSeed chain<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>\ub300\uad6d\ubbfc\uc11c\ube44\uc2a4\uad00\ub9ac\uc6b4\uc601\uccb4\uacc4\ud604\uc7a5\uc810\uac80\uc99d\uc801(\ucd08\uc548).pif<\/td>\n<td>On-site Inspection Evidence for the Public Service Management System (Draft).pif<\/td>\n<td>February 5, 2026<\/td>\n<td>8983ffa6da23e0b99ccc58c17b9788c7<\/td>\n<td>Pidoc Dropper, HappyDoor<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>JSE droppers contain a minimum of two Base64-encoded blobs: one serving as a benign lure file and one or more containing malicious code. Additional blobs may exist within the dropper, but they are unused. The two blobs are decoded using JScript and stored in an arbitrary location on disk, such as <strong>C:\\ProgramData<\/strong>, with the malicious filenames randomly generated according to the scheme <strong>[random]{7}.[random]{4}<\/strong>. The lure file is opened immediately. The malicious payload leverages <strong>powershell.exe -windowstyle hidden certutil -decode [src path] [dst path]<\/strong> for the second Base64 decoding before execution. Ultimately, the malicious payload is executed via command-line instructions such as <strong>regsvr32.exe \/s [file path]<\/strong> or <strong>rundll32.exe [file path] [export function]<\/strong>.<\/p>\n<p>Reger Dropper (.SCR) and Pidoc Dropper (.PIF) also contain benign lure files and malicious payloads that, in both cases, are encrypted using XOR operations. Specifically, Reger Dropper employs a hard-coded key <strong>#RsfsetraW#@EsfesgsgAJOPj4eml;<\/strong>, while Pidoc Dropper utilizes single-byte XOR with <strong>0xFF<\/strong> to decrypt the internal data for execution. Pidoc Dropper is fully obfuscated using dummy data and encrypted strings. 
Both droppers deploy files in specific directories such as <strong>%temp%<\/strong> or <strong>C:\\ProgramData<\/strong> before executing the malware using <strong>regsvr32.exe<\/strong>.<\/p>\n<p>In addition to these droppers, Kimsuky employed a variety of executable droppers, including those crafted in Go or packaged with Inno Setup.<\/p>\n<h2 id=\"deployed-malware\">Deployed malware<\/h2>\n<p>In this section, we describe several malware families recently dropped by the droppers discussed above.<\/p>\n<h3 id=\"hellodoor-first-rust-based-pebbledash-variant\">HelloDoor: first Rust-based PebbleDash variant<\/h3>\n<p>Written in Rust, a programming language rarely used by Kimsuky, HelloDoor is a DLL-based backdoor first identified in August 2025. It is deployed via a malicious JSE dropper. Since it has limited capabilities and a simplistic communication mechanism, the backdoor is most probably in the early stages of development. Nevertheless, it is noteworthy that HelloDoor employs a C2 server hosted through TryCloudflare, a temporary tunneling service provided by Cloudflare. This service allows users to expose a local web service to the internet with no setup or account, making the infrastructure behind it difficult to trace.<\/p>\n<p>HelloDoor establishes persistence upon execution by registering itself to the <strong>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/strong> key with the value name <strong>tdll<\/strong> and the command <strong>regsvr32.exe \/s [current file path]<\/strong>.<\/p>\n<p>The implant communicates with the C2 server (<strong>hxxp:\/\/female-disorder-beta-metropolitan.trycloudflare[.]com\/index.php<\/strong>) over the <strong>HTTP<\/strong> protocol. Depending on whether the process is executing with an elevated token, it binds to a specific local port: <strong>5555<\/strong> if the token is elevated, or <strong>5554<\/strong> if not. 
Before initiating communication, it generates a unique identifier by collecting device information, such as the MAC address, computer name, and the string \u201cwindows\u201d, then computes a hash value from this information.<\/p>\n<p>The malware then constructs a query string in the format <strong>aaaaaaaaaa=2&amp;bbbbbbbbbb=[the unique identifier]&amp;cccccccccc=1<\/strong>, which is a traditional format used across the PebbleDash cluster. Subsequent server responses are Base64-decoded and then decrypted using RC4 with the key <strong>fwr3errsettwererfs<\/strong>. The decrypted content contains command strings. Possible commands are:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\u201cmcd\u201d<\/td>\n<td>Set the current directory<\/td>\n<\/tr>\n<tr>\n<td>\u201cmsleep\u201d<\/td>\n<td>Sleep for the provided time<\/td>\n<\/tr>\n<tr>\n<td>\u201cinstall\u201d<\/td>\n<td>Register the <strong>regsvr32.exe \/s [the provided file path]<\/strong> command to the <strong>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/strong> autorun registry key using the <strong>install<\/strong> value name<\/td>\n<\/tr>\n<tr>\n<td>[command]<\/td>\n<td>Execute the provided command using <strong>chcp 65001 &gt; nul &amp; cmd \/U \/C [command]<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Though interesting, it is no longer surprising that we found comments in the code that appear to have been generated by an LLM service rather than a human developer. This is based on traces that include emojis used for logging debugging messages.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">\u2705 Port is now listening (no accepting)\r\n \u274c Port is already in use\r\n \ud83d\udd0d regsvr32.exe detected as parent. Attempting to terminate...<\/pre>\n<p>This is a common trait of LLM services that provides users with better visibility. 
We previously observed similar comments in the PowerShell-based stealer suite used by <a href=\"http:\/\/securelist.com\/bluenoroff-apt-campaigns-ghostcall-and-ghosthire\/117842\/\" target=\"_blank\" rel=\"noopener\">BlueNoroff<\/a>. HelloDoor\u2019s simple structure and the fact that no other Rust-based malware from the group has been discovered yet support our claim.<\/p>\n<p>Even though the code is believed to have been developed using an LLM service, we still found some typos and grammatical errors, such as:<\/p>\n<ul>\n<li>result send fail (grammatically incorrect text)<\/li>\n<li>server request fail (grammatically incorrect text)<\/li>\n<li>command execute failed (grammatically incorrect text)<\/li>\n<li>decrytion failed (typos)<\/li>\n<li>autorum failed (typos)<\/li>\n<\/ul>\n<p>It is likely that the flawed comments were added manually before or after AI was used.<\/p>\n<h3 id=\"httpmalice-latest-backdoor-variant-of-pebbledash\">httpMalice: latest backdoor variant of PebbleDash<\/h3>\n<p>The latest PebbleDash-based backdoor, httpMalice, emerged no later than December 2025 and is deployed by the JSE Dropper. Although we found limited direct connections to both the AppleSeed and PebbleDash clusters, the malware is closer to PebbleDash. 
The following shared characteristics have been identified:<\/p>\n<ul>\n<li>(PebbleDash cluster) Ability to run commands received from the C2 server with the <code>S-1-12-12288<\/code> SID, indicating a high integrity level \u2013 a feature also observed in PebbleDash and httpTroy.<\/li>\n<li>(PebbleDash cluster) Unique identifier generated by combining the volume serial number of the root directory with the elevation status of the current token, mirroring a technique used since the appearance of NikiDoor.<\/li>\n<li>(PebbleDash cluster) Communication with its C2 server utilizing three HTTP parameters, consistent with other PebbleDash-based families.<\/li>\n<li>(PebbleDash cluster) Core command set more closely aligned with PebbleDash than with AppleSeed-based malware.<\/li>\n<li>(AppleSeed cluster) Use of the <code>m=<\/code> parameter in C2 communication.<\/li>\n<li>(AppleSeed cluster) Gathering system details using PowerShell and Windows commands similar to those found in AppleSeed and Troll Stealer.<\/li>\n<\/ul>\n<p>Our analysis revealed two distinct versions of httpMalice based on their C2 communications: version 1.9 communicates over HTTP and version 1.8 uses Dropbox. The latter, the older variant, leverages the Dropbox API by utilizing pre-defined application credentials. Unlike its predecessor, the HTTP variant employs HTTP\/HTTPS protocols to interact with its C2 server and maintains persistent access to the victim device through a Windows service named <strong>CacheDB<\/strong>. This mirrors tactics observed in similar threats, such as httpSpy.<\/p>\n<p>The more recent variant gathers critical information from the compromised system, such as the current directory path, volume serial numbers, user privileges, username, local IP address, and the name and size of the currently executed httpMalice DLL file. 
It then combines the root drive\u2019s volume serial number with the user\u2019s access token privilege level to create a unique identifier for each infected system, formatted as <strong>[volume serial]{8}_[elevation status]<\/strong>.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Value of elevation status<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>Running under the <strong>SYSTEM<\/strong> account with an elevated token<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Running under an elevated administrator account<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Running without elevation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Depending on the token privilege, the backdoor then establishes persistence by either creating a service or registering itself to autostart at user logon. If the token is elevated, a service named <strong>CacheDB<\/strong> is created that executes the command <strong>cmd.exe \/c \u201crundll32.exe [current DLL path], load\u201d<\/strong>. The service\u2019s display name is set to <strong>Administrator<\/strong>, and its description is defined as <strong>CacheDB Service<\/strong>. If the token is not elevated, the backdoor registers the same command under the registry key <strong>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/strong> with the value name <strong>Everything 1.9a-[filesize]<\/strong>. The older version used <strong>Everything 1.8a-[filesize]<\/strong> as a value name.<\/p>\n<p>The latest version can execute a combination of Windows commands by default to perform host profiling, while the older version fetches the command set from Dropbox. In httpMalice, commands are mostly executed using the format <strong>cmd.exe \/c chcp 949 [command] &gt; [temporary filename]<\/strong>, which redirects the output to separate files, with the consistent prefix <strong>2Ato6478s<\/strong> added to their names. 
The <strong>chcp 949<\/strong> command changes the code page to <strong>949<\/strong>, indicating that the malware targets users of the Korean language (EUC-KR charset).<\/p>\n<div id=\"attachment_119787\" style=\"width: 1584px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119787\" class=\"size-full wp-image-119787\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2.png\" alt=\"Windows commands used to gather system details\" width=\"1574\" height=\"618\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2.png 1574w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-300x118.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-1024x402.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-768x302.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-1536x603.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-891x350.png 891w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-740x291.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-713x280.png 713w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164404\/pebbledash2-800x314.png 800w\" sizes=\"auto, (max-width: 1574px) 100vw, 1574px\"><\/a><\/p>\n<p id=\"caption-attachment-119787\" class=\"wp-caption-text\">Windows commands used to 
gather system details<\/p>\n<\/div>\n<p>httpMalice transmits the result of host profiling to its C2 server as a URL parameter, using the <strong>POST<\/strong> method over the <strong>HTTP\/HTTPS<\/strong> protocol, with the header <strong>x-www-form-urlencoded<\/strong>. The URL includes two or three parameters: operation mode, unique identifier (referred to as UID), and data. The operation mode, or parameter <strong>m<\/strong>, supports the following values:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Value<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Send the session identifier (parameter <strong>s<\/strong>) along with the current state (parameter <strong>a<\/strong>)<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Request command<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Send result after executing the command (parameter <strong>d<\/strong>)<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Request directory to be archived and sent<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Send the archived directory<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Send a message like \u201c.cmd\u201d or \u201c.tmp\u201d (parameter <strong>d<\/strong>)<\/td>\n<\/tr>\n<tr>\n<td>11<\/td>\n<td>Send ping<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>Send the captured screenshot (parameter <strong>d<\/strong>)<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>Send the infected device information (parameter <strong>d<\/strong>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>As shown in the table above, the mode is set to 13 at the host profiling stage. The UID is formatted as <strong>[volume serial]{8}_[elevation status]<\/strong>, and the data contains the ChaCha20-encrypted and Base64-encoded output of the command set stored in the temporary file. 
The resulting URL format is: <strong>m=13&amp;u=[volume serial]{8}_[elevation status]&amp;d=[Chacha20 encrypted + Base64-encoded data to be sent]<\/strong>.<\/p>\n<p>The key and nonce used for ChaCha20 encryption are derived from the pointer address of the buffer, resulting in nearly randomized keys. To ensure proper decryption on the attacker side, the nonce and key values are appended after the encrypted data, and the combined blob is then Base64-encoded. The counter is initialized to 0. The following figure illustrates how the encrypted data is structured after performing Base64 decoding.<\/p>\n<div id=\"attachment_119788\" style=\"width: 1348px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119788\" class=\"size-full wp-image-119788\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3.png\" alt=\"Structure of the ChaCha20-encrypted data blob\" width=\"1338\" height=\"368\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3.png 1338w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-300x83.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-1024x282.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-768x211.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-1273x350.png 1273w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-740x204.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-1018x280.png 1018w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164525\/pebbledash3-800x220.png 800w\" sizes=\"auto, (max-width: 1338px) 100vw, 1338px\"><\/a><\/p>\n<p id=\"caption-attachment-119788\" class=\"wp-caption-text\">Structure of the ChaCha20-encrypted data blob<\/p>\n<\/div>\n<p>After sending the host profiling data, the backdoor continuously transmits a screen capture with mode <strong>12<\/strong> and a ping message with mode <strong>11<\/strong>. Finally, it sends a session identifier, which is a combination of the current username and local IP address separated by an \u2018@\u2019 symbol. In this case, the mode is set to <strong>1<\/strong> and the <strong>a<\/strong> parameter (current state) is set to 0, indicating that the C2 operation has been activated. The following table provides other possible values of the <strong>a<\/strong> parameter:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Value<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>httpMalice has been activated<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>httpMalice has been inactivated (upon command 9)<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>httpMalice has been removed (upon command 8)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The whole process from sending the host profile to the backdoor activation repeats every two minutes until the C2 server returns a \u201csuccess!\u201d message.<\/p>\n<div id=\"attachment_119789\" style=\"width: 1441px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119789\" class=\"size-full wp-image-119789\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4.png\" alt=\"C2 communication sequence of httpMalice\" width=\"1431\" height=\"803\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4.png 1431w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-300x168.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-1024x575.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-768x431.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-800x449.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-624x350.png 624w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-740x415.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10164643\/pebbledash4-499x280.png 499w\" sizes=\"auto, (max-width: 1431px) 100vw, 1431px\"><\/a><\/p>\n<p id=\"caption-attachment-119789\" class=\"wp-caption-text\">C2 communication sequence of httpMalice<\/p>\n<\/div>\n<p>When the backdoor receives the message from the C2 server, it creates two threads dedicated to processing commands and sending the current state, including the session identifier. The first thread receives a command from the C2 server. 
It requests a command by sending mode <code>2<\/code> and, if successful, immediately sends mode <code>10<\/code> along with the string \u201c.cmd\u201d in the <code>d<\/code> parameter.<\/p>\n<p>The commands supported by httpMalice are as follows:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>Do nothing<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Execute the command with EUC-KR encoding<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Download and extract the file to the infected device<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Upload a directory to the C2 server after it has been archived<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Get the current directory<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Set the current directory<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Execute the command without setting a EUC-KR character set<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Remove its persistence traces and exit the process<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Hibernate<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Execute the command using the provided session ID<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>Capture the screen<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>Load the downloaded payload into memory<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"memload-downloads-httptroy\">MemLoad downloads httpTroy<\/h3>\n<p>Since early 2025, we have observed several versions of MemLoad; specifically, MemLoad V2 emerged in March, and V3 appeared by September. The payload that began being deployed through the Reger Dropper this year has been identified as an updated variant of MemLoad, slightly modified from the V3 version (referred to internally as MemLoader.dll).<\/p>\n<p>Kimsuky leverages MemLoad to evade detection of its final backdoor and to carefully assess the value of targeted systems through anti-VM checks and reconnaissance. 
Upon installation, it requests an additional payload from the C2 server, executing it reflectively in memory if deemed suitable. Notably, all versions of MemLoad V2 and later use the same RC4 key.<\/p>\n<p>Below are the key operations of MemLoad:<\/p>\n<ol>\n<li><strong>Creates a flag file.<\/strong> Creates a file at the current file path whose name is a random eight-character string with the \u201c.dat.cfg\u201d extension, and writes into it another random eight-character string drawn from the set 0123456789abcdefABCDEF.<\/li>\n<li><strong>Generates an ID.<\/strong> Generates an ID value by adding either \u2018A-\u2019 or \u2018U-\u2019 to the beginning of the random bytes. The choice of prefix is determined by attempting to create a random file in the <code>C:\\Windows\\system32<\/code> directory. If successful, the ID starts with \u2018A-\u2019 (indicating administrative privileges); otherwise, it starts with \u2018U-\u2019.<\/li>\n<li><strong>Persistence via a scheduled task.<\/strong> Checks for the existence of the .dat.cfg file, and if it is present, sets up a scheduled task for persistence. The task name is determined by whether the process is running with elevated privileges. 
If elevated, the task is named <code>ChromeCheck<\/code>, and the command<br \/>\n<code>schtasks \/create \/tn &lt;task name&gt; \/tr \"regsvr32 \/s &lt;current file path&gt;\" \/sc minute \/mo 1 \/rl highest \/f<\/code> is executed. Otherwise, the task is named <code>EdgeCheck<\/code>, and the command<br \/>\n<code>schtasks \/create \/tn &lt;task name&gt; \/tr \"regsvr32 \/s &lt;current file path&gt;\" \/sc minute \/mo 1 \/f<\/code> is executed.<\/li>\n<li><strong>C2 communication and payload download.<\/strong> Requests an additional payload from its C2 server, with the header <code>Authorization: Bearer {ID}<\/code> or <code>X-Browser-Validation: {ID}<\/code> for authentication. 
The ID is set to the previously generated ID value.<\/li>\n<li><strong>Payload decryption and execution.<\/strong> Once the download is successful, the payload is decrypted using the RC4 algorithm with the key <code>#RsfsetraW#@EsfesgsgAJOPj4eml;<\/code>. The decrypted payload is then reflectively loaded into memory, and its <code>hello<\/code> export function is invoked.<\/li>\n<\/ol>\n<p>The payload downloaded and executed by MemLoad is identified as the httpTroy backdoor. This backdoor serves the primary role of providing long-term access and data exfiltration. Similar to MemLoad, it employs stealth techniques by creating a flag file and writing eight random bytes to it. However, in this case the file is created as an ADS (Alternate Data Stream) named <strong>[current file path]:HUI<\/strong>. The backdoor then checks its privileges to determine if it is elevated and assigns an ID value in the format <strong>A-[random-8-chars]<\/strong> or <strong>U-[random-8-chars]<\/strong>.<\/p>\n<p>Since <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/dprk-kimsuky-lazarus-analysis\" target=\"_blank\" rel=\"noopener\">Gen Digital<\/a> covers httpTroy\u2019s features and functionality in detail elsewhere, we will not provide a thorough explanation here to avoid redundancy. Instead, we will simply note that it communicates with the C2 server at <strong>hxxps:\/\/file.bigcloud.n-e[.]kr\/index.php<\/strong>.<\/p>\n<h3 id=\"appleseed\">AppleSeed<\/h3>\n<p>AppleSeed first appeared in 2019 and has reached version 3.0. However, we now only see version 2.1. It originally consisted of two components: a dropper and the main AppleSeed. Since 2022, the updated AppleSeed chain has involved two droppers, an additional component referred to as the installer, and the main payload. 
It is mostly delivered through JSE Dropper.<\/p>\n<div id=\"attachment_119790\" style=\"width: 1800px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119790\" class=\"size-full wp-image-119790\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5.png\" alt=\"Updated AppleSeed infection chain\" width=\"1790\" height=\"604\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5.png 1790w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-300x101.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-1024x346.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-768x259.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-1536x518.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-1037x350.png 1037w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-740x250.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-830x280.png 830w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10165854\/pebbledash5-800x270.png 800w\" sizes=\"auto, (max-width: 1790px) 100vw, 1790px\"><\/a><\/p>\n<p id=\"caption-attachment-119790\" class=\"wp-caption-text\">Updated AppleSeed infection chain<\/p>\n<\/div>\n<p>There are two versions of the main AppleSeed: Dropper and Spy. 
The Dropper variant is responsible for downloading additional malware and executing commands received from its C2 server, while the Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. A notable change in version 2.1, present since 2022, is the collection of the <strong>C:\\GPKI<\/strong> directory \u2013 functionality that is also implemented in Troll Stealer. This directory contains a digital certificate used by the South Korean government to securely authenticate public officials and government systems.<\/p>\n<h3 id=\"happydoor\">HappyDoor<\/h3>\n<p>HappyDoor, an AppleSeed-based backdoor disclosed by <a href=\"https:\/\/asec.ahnlab.com\/en\/76800\/\" target=\"_blank\" rel=\"noopener\">AhnLab<\/a> in 2024, is less visible than AppleSeed. HappyDoor shares several features with AppleSeed, including the same string obfuscation algorithm, the data types it collects, and the use of RSA encryption. Given these similarities, we assess with medium confidence that HappyDoor is an advanced variant evolved from AppleSeed.<\/p>\n<h2 id=\"post-exploitation\">Post-exploitation<\/h2>\n<p>We observed interesting post-exploitation activities involving VSCode and DWAgent. All of the observed VSCode droppers used the same lure files as the PebbleDash malware cluster. While we are unsure of the exact reason for this strategy, we suspect that the actor prepared both PebbleDash and VSCode droppers in anticipation of the PebbleDash infection chain being detected by security products because of its backdoor capabilities. 
In contrast, the use of VSCode is designed to have fewer detection points.<\/p>\n<h3 id=\"vscode-launched-by-the-jse-dropper\">VSCode (launched by the JSE dropper)<\/h3>\n<p>Since last year, Kimsuky has been leveraging the legitimate Visual Studio Code Remote Tunneling feature to establish covert remote access to the victim\u2019s device, bypassing detection designed for traditional malware-based C2 channels (first described by <a href=\"https:\/\/www.darktrace.com\/blog\/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access\" target=\"_blank\">Darktrace researchers<\/a>). In these attacks, instead of dropping malware, the JSE dropper downloads a legitimate Visual Studio Code (VSCode) CLI onto the infected device. The script establishes persistence by creating a tunnel via the application, with the tunnel name \u201cbizeugene\u201d, using the command below.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119791\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6.png\" alt=\"\" width=\"1431\" height=\"136\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6.png 1431w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6-300x29.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6-1024x97.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6-768x73.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6-740x70.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170017\/pebbledash6-800x76.png 800w\" sizes=\"auto, (max-width: 1431px) 100vw, 1431px\"><\/a><\/p>\n<p>The Remote Tunneling feature in VSCode supports establishing a tunnel using either a Microsoft or a GitHub account. When the <code>code tunnel<\/code> command is executed, the CLI initiates an authentication flow and returns a login URL along with a device code. The user must then navigate to the URL, enter the device code, and authenticate with their account. Once authentication is successful, the tunnel is created and the CLI outputs a tunnel URL that enables browser-based access to the remote host.<\/p>\n<p>The GitHub authentication method is selected in this instance because GitHub is configured as the default provider in non-interactive execution contexts. By using <code>echo |<\/code>, the script injects a <code>\\r\\n<\/code> (Carriage Return and Line Feed) into the standard input stream, effectively confirming the default prompt selection without manual interaction. As a result, the CLI automatically initiates the GitHub authentication flow. 
Next, all CLI output that includes a login URL and a device code is saved to <code>out.txt<\/code>.<\/p>\n<div id=\"attachment_119792\" style=\"width: 1710px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119792\" class=\"size-full wp-image-119792\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7.png\" alt=\"Out.txt content\" width=\"1700\" height=\"488\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7.png 1700w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-300x86.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-1024x294.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-768x220.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-1536x441.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-1219x350.png 1219w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-740x212.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-975x280.png 975w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170054\/pebbledash7-800x230.png 800w\" sizes=\"auto, (max-width: 1700px) 100vw, 1700px\"><\/a><\/p>\n<p id=\"caption-attachment-119792\" class=\"wp-caption-text\">Out.txt content<\/p>\n<\/div>\n<p>The JScript code in the JSE dropper monitors the out.txt file for a URL that begins with 
<code>hxxps:\/\/vscode[.]dev\/tunnel<\/code>. This URL contains the full address of the established tunnel. Once detected, the file content containing the URL and the device code is sent to a compromised legitimate South Korean website (<code>hxxps:\/\/www.yespp.co[.]kr\/common\/include\/code\/out[.]php<\/code>) using the HTTP <code>POST<\/code> method. The request body, sent with the <code>application\/x-www-form-urlencoded<\/code> content type, carries the file contents formatted as <code>out=URLencoded{result of the command}&amp;token=URLencoded{\"bizeugene\"}<\/code>. After authentication is complete, the attacker can access the compromised host externally through a web browser by authenticating with their own GitHub account.<\/p>\n<h3 id=\"vscode-launched-by-vscode-installer\">VSCode (launched by VSCode installer)<\/h3>\n<p>While searching our telemetry for artifacts related to a different infection, we identified a new VSCode tunnel installer written in Go. A previous version of this installer was implemented using JScript and was limited to secure channels because of its reliance on a specific tunnel name. The new variant, named <code>vscode_payload<\/code> by the developer based on the embedded Go path, is fully operational and supports every tunnel on each targeted device. 
It includes features that are nearly identical to those of the previous version, such as downloading, unarchiving, and executing the VSCode CLI.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Number<\/strong><\/td>\n<td><strong>Installer type<\/strong><\/td>\n<td><strong>VSCode version<\/strong><\/td>\n<td><strong>Download source<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Written in JScript<\/td>\n<td>VSCode CLI 1.106.3<\/td>\n<td>hxxps:\/\/vscode.download.prss.microsoft[.]com\/dbazure\/download\/stable\/<strong>bf9252a2fb45be6893dd8870c0bf37e2e1766d61<\/strong>\/vscode_cli_win32_x64_cli[.]zip<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Written in Go<\/td>\n<td>VSCode CLI 1.106.2<\/td>\n<td>hxxps:\/\/vscode.download.prss.microsoft[.]com\/dbazure\/download\/stable\/<strong>1e3c50d64110be466c0b4a45222e81d2c9352888<\/strong>\/vscode_cli_win32_x64_cli[.]zip<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>After the VSCode CLI file has been successfully downloaded, it is unzipped into the <code>C:\\Users\\Public<\/code> directory, and the extracted <strong>code.exe<\/strong> is executed with the <code>tunnel<\/code> command.<\/p>\n<p>This is how the installer works:<\/p>\n<ol>\n<li>Executes <code>code.exe tunnel<\/code>.<\/li>\n<li>Searches for the \u201cMicrosoft Account\u201d string in the stdout.<\/li>\n<li>Sends the <code>0x1B 0x5B 0x42<\/code> (Down Arrow) and <code>0x0A<\/code> (Enter) escape sequences to the pseudo-terminal, which selects tunnel creation via a GitHub account.<\/li>\n<li>Searches for the \u201cuse code\u201d string in the stdout.<\/li>\n<li>Sends the printed code for authentication, prepended with the \u201chxxps:\/\/github[.]com\/login\/device\u201d =&gt; prefix. 
The attacker authorizes Visual Studio Code with the logged-in GitHub account using the printed code.<\/li>\n<li>Searches for the \u201cWhat would you like to call this machine?\u201d string in the stdout.<\/li>\n<li>Sends the <code>0x0A<\/code> escape sequence to the pseudo-terminal to use the current machine name as the identifier.<\/li>\n<li>Searches for the \u201chttps:\/\/vscode.dev\/tunnel\/\u201d string in the stdout.<\/li>\n<li>Sends the printed URL for tunneling to the Slack WebHook.<\/li>\n<\/ol>\n<p>The following figure illustrates the sequence for creating a tunnel using the VSCode CLI. Red boxes highlight the strings that the installer searches for. Yellow boxes indicate standard input operations sent from the installer using escape sequences. Sky blue boxes represent the values that are necessary to create the tunnel on the attacker\u2019s side. (The \u201cMicrosoft Account\u201d string in the second step is not shown in this figure because the second \u201cGitHub Account\u201d was already selected during the process.)<\/p>\n<div id=\"attachment_119793\" style=\"width: 1236px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119793\" class=\"size-full wp-image-119793\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8.png\" alt=\"Creating a tunnel using VSCode CLI\" width=\"1226\" height=\"400\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8.png 1226w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-300x98.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-1024x334.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-768x251.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-1073x350.png 1073w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-740x241.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-858x280.png 858w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/10170427\/pebbledash8-800x261.png 800w\" sizes=\"auto, (max-width: 1226px) 100vw, 1226px\"><\/a><\/p>\n<p id=\"caption-attachment-119793\" class=\"wp-caption-text\">Creating a tunnel using VSCode CLI<\/p>\n<\/div>\n<p>Once the process is complete, the attacker can access the targeted host through the tunnel on their remote machine using their GitHub account via a browser or VSCode. The targeted device then begins communicating with <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/developer\/dev-tunnels\/security\" target=\"_blank\" rel=\"noopener\">Microsoft-owned servers<\/a> without the user realizing that the communication is from an attacker.<\/p>\n<p>An interesting feature of this variant is that it sends debugging messages and necessary values to a Slack channel via a WebHook. 
Upon execution, it sends <code>\"+++ I am started +++\"<\/code>, as well as a heartbeat message <code>\"~~~ I am alive ~~~\"<\/code> approximately every second during tunneling authentication.<\/p>\n<h3 id=\"dwagent\">DWAgent<\/h3>\n<p>DWAgent is a remote administration tool that is frequently abused by threat actors, including <a href=\"https:\/\/www.bitdefender.com\/en-gb\/blog\/businessinsights\/cactus-analyzing-a-coordinated-ransomware-attack-on-corporate-networks\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> and <a href=\"https:\/\/blog.talosintelligence.com\/uat-8837\/\" target=\"_blank\" rel=\"noopener\">APT<\/a> groups, to easily access compromised endpoints with minimal risk of detection. Kimsuky is one of the threat actors that uses this tool in its operations.<\/p>\n<p>We observed that the group delivered DWAgent in at least two ways. The first involved delivering a compressed file containing DWAgent, along with separate installation commands, to a host already infected with httpMalice. The second method involved creating a separate installer.<\/p>\n<p>This installer is very similar to the Reger Dropper. It uses the same RC4 key and has a similar code structure. It includes an archived binary and a legitimate <code>unrar.exe<\/code> binary, both encrypted with RC4. When executed, the installer decrypts the archived binary and saves it as <code>1.zip<\/code> in the <code>C:\\ProgramData<\/code> directory. It also creates an <code>unrar.exe<\/code> file in the same location using the decrypted <code>unrar.exe<\/code> binary. The dropper then uses the command <code>C:\\programdata\\unrar.exe x C:\\programdata\\1.zip C:\\programdata<\/code> to extract the contents of the ZIP file. 
Finally, it executes the commands necessary to install <code>DWService<\/code> as a service on the target host:<\/p>\n<ul>\n<li>c:\\programdata\\dwagent\\native\\dwagsvc.exe installService<\/li>\n<li>c:\\programdata\\dwagent\\native\\dwagsvc.exe startService<\/li>\n<\/ul>\n<p>The compressed file contains a pre-packaged, ready-to-use DWAgent, as well as a predefined config file. The actor deployed the agent with a <code>config.json<\/code> file linked to their own account to covertly control the device. As a result, the remote session is immediately activated by the above commands, granting the attacker control.<\/p>\n<p>The predefined config file is as follows. Note that the servers are legitimate DWAgent relay servers.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">{\r\n \"enabled\": true,\r\n \"key\": \"kDRNGmWGTMpjQmREgQzU\",\r\n \"listen_port\": 7950,\r\n \"nodes\": [\r\n  {\r\n   \"id\": \"ND896147\",\r\n   \"port\": \"443\",\r\n   \"server\": \"node896147.dwservice[.]net\"\r\n  },\r\n  {\r\n   \"id\": \"ND828765\",\r\n   \"port\": \"443\",\r\n   \"server\": \"node828765.dwservice[.]net\"\r\n  },\r\n  {\r\n   \"id\": \"ND484265\",\r\n   \"port\": \"443\",\r\n   \"server\": \"node484265.dwservice[.]net\"\r\n  }\r\n ],\r\n \"password\": \"eJwrynEqD0r294twTXLKCHWqDPLPCql0Kg\/JDqpIdk4HAKYMCso=\",\r\n \"url_primary\": \"hxxps:\/\/www.dwservice[.]net\/\"\r\n}<\/pre>\n<h2 id=\"infrastructure\">Infrastructure<\/h2>\n<p>For years, Kimsuky has relied heavily on the South Korea-based free domain hosting service \ub0b4\ub3c4\uba54\uc778[.]\ud55c\uad6d (pronounced \u201cnaedomain[.]hankook\u201d) to mimic legitimate sites with domains like .p-e.kr, .o-r.kr, .n-e.kr, .r-e.kr, and .kro.kr. This service has been utilized to create C2 servers for the PebbleDash and AppleSeed clusters, and the backend infrastructure has mostly resolved to virtual private servers belonging to InterServer. 
It has also been noted that many other malicious actors have abused this free domain hosting service, so its use alone cannot be considered proof of a connection to Kimsuky.<\/p>\n<p>The actor also occasionally uses compromised South Korean websites as C2 servers to evade network-IoC-based detection and increase the success rate of attacks. Furthermore, they actively leverage tunneling services such as Cloudflare Quick Tunnels, VSCode Tunneling, and Ngrok to hide their infrastructure. These traits are mostly observed across the PebbleDash cluster.<\/p>\n<h2 id=\"victims\">Victims<\/h2>\n<p>We identified multiple infection logs uploaded to the Dropbox storage used as httpMalice\u2019s C2 server. Our analysis indicates they were stolen from infected systems belonging to various organizations and individuals in South Korea. Notably, each victim\u2019s folder contained a user.txt file with detailed information such as target details, the presence of something named \u201chttp\u201d (possibly a backdoor, such as httpTroy or httpMalice), the existence of DWAgent, and relationships between infected devices and targets. While we could not verify exactly how these files were created, they were likely written manually, in Korean, by the attackers to keep track of victims.<\/p>\n<p>Below you can see an example of this type of file content. In this context, \u201c\uc7a5\uc545\u201d means \u201ctake over\u201d and \u201c\uc788\uc74c\u201d means \u201cexists\u201d.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">[Target's name] [Description] [Infection date] \uc7a5\uc545, http \uc788\uc74c, DWService \uc788\uc74c.<\/pre>\n<p>While both clusters have mainly focused on targeting the private and public sectors in South Korea, the AppleSeed malware cluster shows more interest in government entities. 
The PebbleDash cluster has also shown particular interest in the defense sector worldwide.<\/p>\n<h2 id=\"attribution\">Attribution<\/h2>\n<p>Over the past few years, we have observed two clusters using overlapping distribution methods \u2013 JSE, EXE, SCR, and PIF droppers. The targets are also increasingly aligned. Furthermore, we noted that several samples from both malware clusters were signed with the same stolen certificate and used identical mutex patterns. These findings suggest that a single actor is likely controlling both clusters and has the capability to modify code as needed. This assessment was also put forward in a <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2024\/papers\/Go-ing-arsenal-a-closer-look-at-Kimsukys-Go-strategic-advancement.pdf\" target=\"_blank\" rel=\"noopener\">research paper<\/a> presented at the Virus Bulletin conference.<\/p>\n<p>Since its emergence, <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference_slides\/2019\/VB2019-Kim.pdf\" target=\"_blank\" rel=\"noopener\">AppleSeed<\/a> has been linked to Kimsuky operations, with each <a href=\"https:\/\/medium.com\/s2wblog\/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a\" target=\"_blank\" rel=\"noopener\">variant<\/a> showing ties to the group. Since <a href=\"https:\/\/asec.ahnlab.com\/en\/30532\/\" target=\"_blank\" rel=\"noopener\">2021<\/a>, PebbleDash has been found exclusively in Kimsuky attacks. 
Based on our analysis of targets, infrastructure, and malware characteristics, we assess with medium-high confidence that attacks associated with these malware families are conducted by Kimsuky-affiliated clusters.<\/p>\n<p>These two clusters share technical links to the threat actor known as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/11\/22\/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon\/\" target=\"_blank\" rel=\"noopener\">Ruby Sleet<\/a>, one of the names Microsoft uses for Kimsuky activity. In previous reports, Mandiant also referred to these clusters as <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/mapping-dprk-groups-to-government\" target=\"_blank\" rel=\"noopener\">Cerium<\/a>, but now they appear to consider them part of the broader <a href=\"https:\/\/services.google.com\/fh\/files\/misc\/apt43-report-en.pdf\" target=\"_blank\" rel=\"noopener\">APT43<\/a> designation \u2013 another name for Kimsuky.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it. Over time, malware undergoes updates and modifications, sometimes being repurposed or reused by other actors. Although analyzing malware may seem repetitive and time-consuming, understanding how these tools evolve helps us grasp the threat actor\u2019s changing tactics.<\/p>\n<p>Two clusters have overlapping target sectors that span the defense, military, government, medical, machinery, and energy industries. The AppleSeed cluster is shifting its focus to data exfiltration, and GPKI certificate extraction has become a signature capability. 
Meanwhile, the PebbleDash cluster demonstrates advanced remote control capabilities and an expanding set of targets.<\/p>\n<p>Although AI may offer full automation for some attacks, many groups stick with the tools and strategies they have used for years. Structuring a fully automated attack is not trivial. Despite ongoing changes, we will continue to track advanced threat actors by comprehensively considering malware, initial vectors, targets, post-exploitation activities, and ultimate goals.<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<h3 id=\"file-hashes\">File hashes<\/h3>\n<p><strong>JSE Dropper<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/995a0a49ae4b244928b3f67e2bfd7a6e\/?icid=gl_sl_opentip-lnk_sm-team_64fc0859f9e65d32&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">995a0a49ae4b244928b3f67e2bfd7a6e<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\ubcc4\uc9c0 \uc81c8\ud638\uc11c\uc2dd] \uac1c\uc778\uc815\ubcf4(\uc5f4\ub78c \uc815\uc815\uc0ad\uc81c \ucc98\ub9ac\uc815\uc9c0) \uc694\uad6c\uc11c(\uac1c\uc778\uc815\ubcf4 \ubcf4\ud638\ubc95 \uc2dc\ud589\uaddc\uce59).hwp.jse<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/52f1ff082e981cbdfd1f045c6021c63f\/?icid=gl_sl_opentip-lnk_sm-team_e913039058848454&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">52f1ff082e981cbdfd1f045c6021c63f<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2026\ub144 \uc0c1\ubc18\uae30 \uad6d\ub0b4\ub300\ud559\uc6d0 \uc11d\uc0ac\uc57c\uac04\uacfc\uc815 \uc704\ud0c1\uad50\uc721\uc0dd \uc120\ubc1c\uad00\ub828 \uc11c\ub958.hwpx.jse<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/9fe43e08c8f446554340f972dac8a68c\/?icid=gl_sl_opentip-lnk_sm-team_c1bb97b8958a8c91&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">9fe43e08c8f446554340f972dac8a68c<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2026\ub144 \uc0c1\ubc18\uae30 \uad6d\ub0b4\ub300\ud559\uc6d0 \uc11d\uc0ac\uc57c\uac04\uacfc\uc815 \uc704\ud0c1\uad50\uc721\uc0dd \uc120\ubc1c\uad00\ub828 \uc11c\ub958 (1).hwpx.jse<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8e15c4d4f71bdd9dbc48cd2cabc87806\/?icid=gl_sl_opentip-lnk_sm-team_041aa2ac4178075b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8e15c4d4f71bdd9dbc48cd2cabc87806<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \ub178\ud604\uc815\ub2d8.pdf.jse<\/p>\n<p><strong>Reger Dropper<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/65fc9f06de5603e2c1af9b4f288bb22c\/?icid=gl_sl_opentip-lnk_sm-team_c1ec25053591dbb9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">65fc9f06de5603e2c1af9b4f288bb22c<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 security_20260126.scr<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/c19aeaedbbfc4e029f7e9bdface495b9\/?icid=gl_sl_opentip-lnk_sm-team_f0c4aef7ea21ec61&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">c19aeaedbbfc4e029f7e9bdface495b9<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 secu.scr<\/p>\n<p><strong>Pidoc Dropper<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8983ffa6da23e0b99ccc58c17b9788c7\/?icid=gl_sl_opentip-lnk_sm-team_68114e7417c4e11a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8983ffa6da23e0b99ccc58c17b9788c7<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
\ub300\uad6d\ubbfc\uc11c\ube44\uc2a4\uad00\ub9ac\uc6b4\uc601\uccb4\uacc4_\ud604\uc7a5\uc810\uac80_\uc99d\uc801(\ucd08\uc548).pif<\/p>\n<p><strong>AppleSeed (Dropper)<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a7f0a18ac87e982d6f32f7a715e12532\/?icid=gl_sl_opentip-lnk_sm-team_88b096ad2d3f1ff4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">a7f0a18ac87e982d6f32f7a715e12532<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/f4465403f9693939fe9c439f0ab33610\/?icid=gl_sl_opentip-lnk_sm-team_22f7ccdce96f30be&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">f4465403f9693939fe9c439f0ab33610<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5c373c2116ab4a615e622f577e22e9be\/?icid=gl_sl_opentip-lnk_sm-team_f3e3f8ed59cf3895&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5c373c2116ab4a615e622f577e22e9be<\/a><\/p>\n<p><strong>HappyDoor<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d1ec20144c83bba921243e72c517da5e\/?icid=gl_sl_opentip-lnk_sm-team_f68485d29d2b87f5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d1ec20144c83bba921243e72c517da5e<\/a><\/p>\n<p><strong>MemLoad<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/58ac2f65e335922be3f60e57099dc8a3\/?icid=gl_sl_opentip-lnk_sm-team_0593e2983da9480a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">58ac2f65e335922be3f60e57099dc8a3<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/f73ba062116ea9f37d072aa41c7f5108\/?icid=gl_sl_opentip-lnk_sm-team_c3cfab27c32c1890&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">f73ba062116ea9f37d072aa41c7f5108<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jhsakqvv.dat<\/p>\n<p><strong>httpTroy<\/strong><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/7e0825019d0de0c1c4a1673f94043ddb\/?icid=gl_sl_opentip-lnk_sm-team_0e8360ca0a22a9d2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7e0825019d0de0c1c4a1673f94043ddb<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 c:\\programdata\\config.db<\/p>\n<p><strong>httpMalice<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/08160acf08fccecde7b34090db18b321\/?icid=gl_sl_opentip-lnk_sm-team_a4b53970cbfd9845&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">08160acf08fccecde7b34090db18b321<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/94faed9af49c98a89c8acc55e97276c9\/?icid=gl_sl_opentip-lnk_sm-team_caffb9ad136c5e82&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">94faed9af49c98a89c8acc55e97276c9<\/a><\/p>\n<p><strong>HelloDoor<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/c42ae004badddd3017adadbdd1421e00\/?icid=gl_sl_opentip-lnk_sm-team_79e77a91448949ca&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">c42ae004badddd3017adadbdd1421e00<\/a><\/p>\n<p><strong>VSCode Tunnel installer<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/9ca5f93a732f404bbb2cee848f5bbda0\/?icid=gl_sl_opentip-lnk_sm-team_e9b96336a533ef25&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">9ca5f93a732f404bbb2cee848f5bbda0<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xipbkmaw.exe<\/p>\n<p><strong>DWAgent installer<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/678fb1a87af525c33ba2492552d5c0e2\/?icid=gl_sl_opentip-lnk_sm-team_7cb61c96c69761e4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">678fb1a87af525c33ba2492552d5c0e2<\/a><\/p>\n<h3 id=\"domains-and-ips\">Domains and 
IPs<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/opedromos1.r-e.kr\/?icid=gl_sl_opentip-lnk_sm-team_ff25e222551bf257&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">opedromos1.r-e[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of AppleSeed<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/morames.r-e.kr\/?icid=gl_sl_opentip-lnk_sm-team_1dc43549501f6736&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">morames.r-e[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of AppleSeed<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/load.ssangyongcne.o-r.kr\/?icid=gl_sl_opentip-lnk_sm-team_f13d32efc11c42f9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">load.ssangyongcne.o-r[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of MemLoad<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/load.yju.o-r.kr\/?icid=gl_sl_opentip-lnk_sm-team_908ff236ea219886&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">load.yju.o-r[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of MemLoad<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/attach.docucloud.o-r.kr\/?icid=gl_sl_opentip-lnk_sm-team_89a1bc9dede2a451&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">attach.docucloud.o-r[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of MemLoad<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/load.supershop.o-r.kr\/?icid=gl_sl_opentip-lnk_sm-team_fddbe0f548898e25&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">load.supershop.o-r[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of MemLoad<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/load.erasecloud.n-e.kr\/?icid=gl_sl_opentip-lnk_sm-team_59b15d9bd6c22142&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">load.erasecloud.n-e[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of MemLoad<\/p>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/cms.spaceyou.o-r.kr\/?icid=gl_sl_opentip-lnk_sm-team_1ca928504d61d0c1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cms.spaceyou.o-r[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of HappyDoor<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/erp.spaceme.p-e.kr\/?icid=gl_sl_opentip-lnk_sm-team_29271e6651278652&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">erp.spaceme.p-e[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of HappyDoor<\/p>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/file.bigcloud.n-e.kr\/?icid=gl_sl_opentip-lnk_sm-team_2e59b76016afe000&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">file.bigcloud.n-e[.]kr<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of httpTroy<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/load.auraria.org\/?icid=gl_sl_opentip-lnk_sm-team_fe3e629d9c52cd16&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">load.auraria[.]org<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of httpTroy<\/p>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/female-disorder-beta-metropolitan.trycloudflare.com\/?icid=gl_sl_opentip-lnk_sm-team_64e237ba34b618b4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">female-disorder-beta-metropolitan.trycloudflare[.]com<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of HelloDoor<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/https%3A%2F%2Fwww.pyrotech.co.kr%2Fcommon%2Finclude%2Ftech%2Fdefault.php\/?icid=gl_sl_opentip-lnk_sm-team_9561c3b17b473059&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">hxxps:\/\/www.pyrotech.co[.]kr\/common\/include\/tech\/default.php<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of httpMalice<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/http%3A%2F%2Fnewjo-imd.com%2Fcommon%2Finclude%2Flibrary%2Fdefault.php\/?icid=gl_sl_opentip-lnk_sm-team_1667e888ceffba45&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">hxxp:\/\/newjo-imd[.]com\/common\/include\/library\/default.php<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 C2 of httpMalice<br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/https%3A%2F%2Fwww.yespp.co.kr%2Fcommon%2Finclude%2Fcode%2Fout.php\/?icid=gl_sl_opentip-lnk_sm-team_950331764a55aedf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">hxxps:\/\/www.yespp.co[.]kr\/common\/include\/code\/out.php<\/a>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 VSCode Tunneling using JScript<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group\u2019s latest campaigns. Kimsuky has continuously introduced new malware variants [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[251,256,247,270,90,1152,296,248,1153,99,587,293,250,249,257],"tags":[91],"class_list":["post-3112","post","type-post","status-publish","format-standard","hentry","category-apt","category-apt-targeted-attacks","category-apt-reports","category-backdoor","category-cybersecurity","category-dropper","category-github","category-great-research","category-kimsuky","category-malware","category-rat","category-rc4","category-spear-phishing","category-targeted-attacks","category-windows-malware","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Kimsuky 
targets organizations with PebbleDash-based tools - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kimsuky targets organizations with PebbleDash-based tools - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group\u2019s latest campaigns. Kimsuky has continuously introduced new malware variants [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-14T12:04:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"28 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Kimsuky targets organizations with PebbleDash-based tools\",\"datePublished\":\"2026-05-14T12:04:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\"},\"wordCount\":5432,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"APT\",\"APT (Targeted attacks)\",\"APT reports\",\"Backdoor\",\"Cybersecurity\",\"Dropper\",\"GitHub\",\"GReAT research\",\"Kimsuky\",\"Malware\",\"RAT\",\"RC4\",\"Spear phishing\",\"Targeted attacks\",\"Windows malware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\",\"name\":\"Kimsuky targets organizations with PebbleDash-based tools - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\",\"datePublished\":\"2026-05-14T12:04:39+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/14081540\/SL-Kimsuki-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/14\/kimsuky-targets-organizations-with-pebbledash-based-tools\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kimsuky targets organizations with PebbleDash-based 
tools\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3112"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3112\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}