Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Executive Summary
Through April 2026, we identified multiple cases where Kimsuky deployed malware against South Korean military and corporate targets.
Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule.
We identified a technique ("JSONPing") in which the distribution page uses JSONP to verify in real time whether the victim has executed the malware.
We identified the final payload as an HttpSpy variant, now operating through a new three-stage execution chain (Installer - Loader - HttpSpy) that replaced the previous single-binary architecture.
We confirmed several indicators linking to Kimsuky across attack infrastructure, code patterns, and encryption key reuse.
1. Overview
This report details how Kimsuky targeted South Korean military and enterprises through April 2026, combining tailored social engineering with a revamped HttpSpy execution chain.
Our analysis of the Webex-spoofing case revealed the full execution chain of the final payload, …
IoC
http://hdrgdrfes.chickenkiller.com/index.php
https://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless
http://27.102.113.106
http://o-r.kr
https://load.serverpit.com/fwrite.php
https://appview.imagetemplate.com/babymetalsave_icon<Counter
http://p-e.kr
https://www.ibizplus.n-e.kr/install.html
https://download.birdriver.org/download.php?id=425623
http://163.245.215.46
http://n-e.kr
http://2.2.2.2
https://blog.alyac.co.kr/3754
http://r-e.kr
https://load.erasecloud.n-e.kr/login.php
http://kro.kr
https://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=babymetalsave
http://163.245.221.218
https://pipeline.embeddedonline.org/check.php?x-csrf-token=babymetalsave
https://appview.imagetemplate.com/gateless_icon<Counter
https://meet1754245389211-9925.webex.com/meet1754245389211-9925/j.php?MTID=mb755b0b9133ae8f9e3608b0b519d6a35
https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
https://conference.birdriver.org/
https://bigfile.crabdance.com/recaptcha.html
https://download.birdriver.org/download.php?id=393156
http://157.250.202.123
157.250.202.123
163.245.215.46
120.0.0.0
163.245.221.218
27.102.113.106
2.2.2.2
b755b0b9133ae8f9e3608b0b519d6a35
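As an added example (not part of the original report), the following Python matcher turns the IoC list above into a watchlist and runs it over web-proxy log lines. The watchlist holds the distribution and staging URLs and the four server addresses that the report lists both bare and as http:// entries; the two vendor blog links are references rather than infrastructure, the bare free-DNS zones (o-r.kr, n-e.kr and so on) would match benign traffic, the 32-character hex string is the MTID of the Webex meeting link rather than a file hash, and 2.2.2.2 and 120.0.0.0 look like placeholder addresses worth confirming before use, so those are left for the reader to curate. The Webex lure URL is matched exactly but its host is not added to the host list, so ordinary Webex traffic is not flagged. The log line format and the sample lines are constructed for the demonstration; adapt the regular expression to your proxy's format.

```python
"""Match proxy log lines against the Kimsuky IoCs listed in the report.

Added example, not the report's own tooling. Indicator values are copied
from the IoC list above; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Distribution / staging URLs from the report. Hosts are derived from these
# so that any other path on the same server is still flagged (lower confidence).
IOC_URLS = {
    "http://hdrgdrfes.chickenkiller.com/index.php",
    "https://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless",
    "https://pipeline.embeddedonline.org/check.php?x-csrf-token=babymetalsave",
    "https://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=babymetalsave",
    "https://load.serverpit.com/fwrite.php",
    "https://www.ibizplus.n-e.kr/install.html",
    "https://download.birdriver.org/download.php?id=425623",
    "https://download.birdriver.org/download.php?id=393156",
    "https://load.erasecloud.n-e.kr/login.php",
    "https://conference.birdriver.org/",
    "https://bigfile.crabdance.com/recaptcha.html",
}
# The fake-meeting lure lives on a legitimate service: match the exact URL only,
# never the host, or every Webex session in the estate would alert.
EXACT_ONLY_URLS = {
    "https://meet1754245389211-9925.webex.com/meet1754245389211-9925/j.php?MTID=mb755b0b9133ae8f9e3608b0b519d6a35",
}
# Server addresses the report lists both bare and as http:// entries.
IOC_IPS = {"157.250.202.123", "163.245.215.46", "163.245.221.218", "27.102.113.106"}


def normalize_url(url):
    """Lower-case scheme and host, default an empty path to '/', keep the query.
    The port is dropped deliberately: the report gives none."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    path = p.path or "/"
    return f"{p.scheme.lower()}://{host}{path}" + (f"?{p.query}" if p.query else "")


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS | EXACT_ONLY_URLS}
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS}  # not EXACT_ONLY_URLS


def classify(url):
    """Return (kind, indicator): kind is 'url', 'ip', 'host' or None."""
    norm = normalize_url(url)
    if norm in IOC_URLS_NORM:
        return "url", norm
    host = urlsplit(url).hostname or ""
    host = host.lower()
    if host in IOC_IPS:
        return "ip", host
    if host in IOC_HOSTS:
        return "host", host
    return None, None


# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan(lines):
    """Return one hit record per log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        kind, indicator = classify(m["url"])
        if kind:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": kind,
                         "indicator": indicator, "url": m["url"]})
    return hits


# Constructed sample traffic, not captured data.
SAMPLE_LOG = [
    "2026-04-10T09:12:31Z 10.20.30.40 GET https://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless 200",
    "2026-04-10T09:12:35Z 10.20.30.40 GET https://PIPELINE.embeddedonline.org/other.php 404",
    "2026-04-10T09:13:02Z 10.20.30.41 GET https://meet1754245389211-9925.webex.com/meet1754245389211-9925/j.php?MTID=mb755b0b9133ae8f9e3608b0b519d6a35 200",
    "2026-04-10T09:13:10Z 10.20.30.41 GET https://meet1754245389211-9925.webex.com/ 200",
    "2026-04-10T09:14:00Z 10.20.30.42 POST http://27.102.113.106/upload 200",
    "2026-04-10T09:14:05Z 10.20.30.43 GET https://www.example.com/ 200",
    "malformed line without a url",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['kind']:<4} {hit['indicator']}")
```

On the sample traffic the sweep flags four lines: the JSONP-style check request (exact URL), the second request to the same distribution host despite the different path and upper-case hostname (host match), the exact Webex lure link, and the POST to the listed server address; the bare Webex host and the unrelated site are not flagged. A URL hit is the strongest signal; a host-only hit on a free-DNS subdomain deserves a look at what else the client fetched around the same time, which is the kind of follow-on the report's own timeline supports.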