Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
Briefly

Kimsuky (Velvet Chollima) carried out cyber attacks against South Korean military and corporate targets through March and April 2026. The activity used tailored social engineering, including spoofed security software installation pages and a fake Webex meeting page tied to a legitimate schedule. The campaign delivered a variant of the HTTPSpy malware family by disguising malicious installers as South Korean security software. In March 2026, a bogus page impersonated a B2B messaging service security installation page and targeted messaging administrators. The page offered two tools and led to downloads of nos-setup.exe or astx-setup.exe, which masqueraded as nProtect Online Security and AhnLab Safe Transaction. Both launched MemLoader.dll via regsvr32.exe, then removed the original binaries. The DLL created persistence with a scheduled task and contacted a command-and-control server to retrieve a further payload.
"Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule. The attacks have been found to deliver a variant of a known malware family dubbed HTTPSpy by disguising it as installers from South Korean security software, a tactic the threat actor has consistently adopted since 2023."
"In the latest campaign observed in March 2026, the adversary has been found to propagate malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it's suspected that the activity may have been specifically designed to single out messaging administrators within corporate environments."
"The page claims to offer two security tools: a firewall and a keyboard security program. Once unsuspecting users initiate the download, it results in the download of either of the two executables - "nos-setup.exe" and "astx-setup.exe" - that masquerade as nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the differences in the name, the malicious behavior embedded in them is identical."
"The primary responsibility of the binaries is to launch a second-stage DLL payload ("MemLoader.dll") via "regsvr32.exe," after which a batch script is run to delete themselves from disk. The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload."
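As an added, defender-side example (not code from the article, and not Kimsuky's tooling), the Python below flags the execution chain summarized above in process-creation telemetry: regsvr32.exe loading a DLL from a user-writable path, followed on the same host by scheduled-task creation and a self-deleting batch step. The event field names, the task name and the sample records are constructed assumptions, not a real log schema.

```python
"""Flag the installer -> regsvr32 DLL load -> scheduled task -> self-delete chain.

Sample events are constructed for this example; field names mimic a
Sysmon-style process-creation record but are an assumption, not a real schema.
"""
from dataclasses import dataclass

# Directory fragments that indicate a user-writable (non-system) location.
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    ts: int            # seconds since epoch (constructed values)
    host: str
    image: str         # full path of the newly created process
    cmdline: str
    parent_image: str


def is_suspicious_regsvr32(e: ProcEvent) -> bool:
    """regsvr32.exe registering a DLL that lives in a user-writable directory."""
    cl = e.cmdline.lower()
    return (e.image.lower().endswith("\\regsvr32.exe") and ".dll" in cl
            and any(h in cl for h in WRITABLE_HINTS))


def is_task_creation(e: ProcEvent) -> bool:
    """schtasks.exe creating a task, the persistence step described in the article."""
    return e.image.lower().endswith("\\schtasks.exe") and "/create" in e.cmdline.lower()


def is_self_delete(e: ProcEvent) -> bool:
    """cmd.exe deleting an executable, i.e. the installer cleaning up after itself."""
    cl = e.cmdline.lower()
    return e.image.lower().endswith("\\cmd.exe") and " del " in cl and ".exe" in cl


def detect_chain(events, window=300):
    """Return (host, ts) for each suspicious regsvr32 event that is followed within
    `window` seconds on the same host by both a task creation and a self-delete."""
    hits = []
    for r in (e for e in events if is_suspicious_regsvr32(e)):
        later = [e for e in events if e.host == r.host and 0 <= e.ts - r.ts <= window]
        if any(map(is_task_creation, later)) and any(map(is_self_delete, later)):
            hits.append((r.host, r.ts))
    return hits


# Constructed telemetry: a full chain on host A, a benign vendor regsvr32 on host B.
SAMPLE = [
    ProcEvent(100, "A", r"C:\Users\u\Downloads\nos-setup.exe", "nos-setup.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(101, "A", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\MemLoader.dll", r"C:\Users\u\Downloads\nos-setup.exe"),
    ProcEvent(103, "A", r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del "C:\Users\u\Downloads\nos-setup.exe"', r"C:\Users\u\Downloads\nos-setup.exe"),
    ProcEvent(105, "A", r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\Users\u\AppData\Local\Temp\run.bat", r"C:\Windows\System32\regsvr32.exe"),
    ProcEvent(200, "B", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll", r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE))  # [('A', 101)]
```

The window and path hints are tuning knobs; a signed vendor installer registering a DLL under Program Files (host B) is deliberately not flagged.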
Read at The Hacker News