North Korean Group Kimsuky Targets South Korean Entities with New Malware Arsenal
AI-generated from multiple sources. Verify before acting on this reporting.
SEOUL — North Korean state-sponsored threat actor Kimsuky has deployed new malware and expanded its digital arsenal to target military and corporate entities in South Korea, security researchers said on Wednesday.
The campaign, detected on May 29, 2026, involves the HTTPSpy malware alongside newly identified tooling, including HelloDoor, and abuse of Visual Studio Code's Remote Tunnels feature, a legitimate Microsoft service repurposed as a remote-access channel. The group is employing social engineering lures that mimic legitimate security tools and Webex meeting pages to gain an initial foothold.
Kimsuky, a unit linked to the North Korean government, has maintained a persistent presence in the region for years, focusing on espionage and data theft. The latest operation marks a shift in technical capability: rather than relying only on attacker-run infrastructure, the group rides on legitimate remote-access services whose traffic blends in with normal developer activity and is rarely blocked at the perimeter. The group's activities are part of a broader effort to gather intelligence on South Korean defense strategies and corporate secrets.
The attack vectors include phishing emails containing malicious attachments disguised as security software updates. Once executed, the malware establishes command-and-control channels through HTTPSpy, allowing attackers to exfiltrate sensitive data. The addition of HelloDoor and VS Code tunnels provides alternative pathways for maintaining access even if the primary channel is blocked. The tunnel case deserves particular attention from defenders: the VS Code tunnel client connects outbound over HTTPS to Microsoft-operated relay hosts, so blocking the malware's own C2 domains does nothing to cut it off, and the CLI can register itself as a service so the tunnel survives a reboot.
South Korean cybersecurity firms have issued alerts to government agencies and private sector organizations. The Ministry of Security and Public Administration has urged entities to update their intrusion detection systems and monitor for suspicious network activity. Corporate IT departments are advised to scrutinize unsolicited communications claiming to be from security vendors or meeting platforms.
The timing of the campaign coincides with heightened tensions on the Korean Peninsula. Analysts note that state-sponsored groups often increase operations during periods of geopolitical instability. The targeting of military entities suggests an intent to gather information on defense capabilities and troop movements.
Corporate targets include technology firms and defense contractors. The theft of intellectual property could provide North Korea with insights into South Korea’s industrial advancements. Previous Kimsuky operations have focused on financial institutions and media organizations, but the current scope indicates a broadening of objectives.
Security experts emphasize the sophistication of the social engineering techniques. The fake Webex pages are designed to replicate legitimate meeting interfaces, tricking users into entering credentials. The impersonation of security tools exploits trust in cybersecurity vendors, making the deception more effective.
No confirmed breaches have been reported as of Wednesday. However, the deployment of multiple malware variants suggests a coordinated effort to ensure persistence. The use of VS Code tunnels indicates an understanding of developer environments, potentially targeting software engineering teams within corporate structures.
The South Korean government has not commented on specific incidents but has reaffirmed its commitment to strengthening national cybersecurity infrastructure. International partners are being consulted to share threat intelligence and coordinate defensive measures.
Questions remain regarding the full extent of the campaign and whether any data has already been compromised. Security firms continue to monitor for new variants of the malware and additional indicators of compromise. The situation remains fluid as investigators work to trace the origin of the attacks and assess potential damage.