Kimsuky (North Korea-nexus) — Rust-based HelloDoor + TryCloudflare-tunnel C2 expansion documented [SINGLE-SOURCE: Kaspersky]
From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18
Kaspersky GReAT's 2026-05-14 analysis adds HelloDoor, a Rust backdoor, and C2 relayed through Cloudflare's TryCloudflare quick tunnels to the known Kimsuky toolchain; both were observed deployed alongside the group's legacy AppleseedDoor and PebbleDash implants. TryCloudflare C2 is low-indicator in a specific sense: the beacon traffic terminates on legitimate Cloudflare edge IPs with valid Cloudflare-issued certificates, so IP reputation and certificate-based blocking yield little. It is not invisible. A quick tunnel is addressed by an auto-generated hostname under trycloudflare.com, so DNS and TLS SNI telemetry for that domain remains a practical hunt point on the victim side; where an operator runs the cloudflared client on a compromised host instead of on their own infrastructure, the client's process telemetry (it is commonly renamed, so match the `tunnel --url` command line rather than the image name) is a second one. The Rust rewrite is consistent with the wider trend of state-backed operators moving implant development to compiled memory-safe languages, whose binaries fall outside much existing signature coverage and take longer to reverse than C/C++ or .NET equivalents; the language choice by itself does not change what the backdoor does. Swiss entities in government, research or think-tank roles with Korean Peninsula policy exposure should treat Kimsuky as an active threat.
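The hunt the paragraph above implies, written out as an added example that is not part of this brief or of Kaspersky's analysis: a small Python script run over constructed DNS and process telemetry that flags lookups for trycloudflare.com hostnames (the victim-side observable when the tunnel fronts attacker infrastructure) and, for the case where the tunnel client is run inside the environment, the cloudflared quick-tunnel command line. The JSON event shape, host names, paths and command lines are assumptions made for the example; the brief does not state which of these Kimsuky's intrusions exhibited.

```python
"""Hunt for TryCloudflare quick-tunnel C2 indicators in DNS and process logs.

Added example for this brief; it is not code from Kaspersky's report and
models no specific Kimsuky sample. The log lines below are constructed.
Facts relied on: a TryCloudflare quick tunnel is addressed as
<word>-<word>-<word>-<word>.trycloudflare.com, and the cloudflared client
starts one with `tunnel --url <local service>`.
"""
import json
import re

# Any lookup under trycloudflare.com is triage-worthy where quick tunnels are
# not sanctioned; the four-word label pins it to an auto-generated tunnel name.
TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com\.?$", re.IGNORECASE)
QUICK_TUNNEL_RE = re.compile(
    r"^[a-z]+-[a-z]+-[a-z]+-[a-z]+\.trycloudflare\.com\.?$", re.IGNORECASE
)
# The client is routinely renamed, so match the quick-tunnel command line as
# well as the image name (Sysmon's OriginalFileName would be better still).
QUICK_TUNNEL_CMD_RE = re.compile(r"\btunnel\b.*--url\b", re.IGNORECASE)

# Constructed JSON-lines telemetry, NOT real data. One event per line.
SAMPLE_LOG = [
    '{"type":"dns","ts":"2026-05-14T09:11:58Z","host":"WS-017","query":"updates.example.com"}',
    '{"type":"process","ts":"2026-05-14T09:12:00Z","host":"WS-017",'
    '"image":"C:/Users/Public/cf.exe","cmdline":"cf.exe tunnel --url http://127.0.0.1:8080"}',
    '{"type":"dns","ts":"2026-05-14T09:12:03Z","host":"WS-017","query":"lamp-wind-flat-coral.trycloudflare.com"}',
    'this line is corrupt and must not abort the hunt',
    '{"type":"dns","ts":"2026-05-14T10:40:12Z","host":"WS-042","query":"trycloudflare.com"}',
    '{"type":"process","ts":"2026-05-14T11:02:45Z","host":"SRV-03",'
    '"image":"C:/Program Files/cloudflared/cloudflared.exe","cmdline":"cloudflared.exe tunnel run corp-tunnel"}',
    '{"type":"process","ts":"2026-05-14T11:03:01Z","host":"SRV-03",'
    '"image":"C:/Windows/System32/svchost.exe","cmdline":"svchost.exe -k netsvcs"}',
]


def parse_events(lines):
    """Decode JSON lines; malformed lines are skipped, never fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def dns_hits(events):
    """DNS queries under trycloudflare.com, tagged if they look like a quick tunnel."""
    hits = []
    for ev in events:
        if ev.get("type") != "dns":
            continue
        query = ev.get("query", "")
        if TRYCLOUDFLARE_RE.search(query):
            hits.append({
                "host": ev.get("host"),
                "ts": ev.get("ts"),
                "query": query,
                "quick_tunnel": bool(QUICK_TUNNEL_RE.match(query)),
            })
    return hits


def process_hits(events):
    """Process starts that are cloudflared by name or a quick tunnel by command line."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        image = ev.get("image", "")
        cmdline = ev.get("cmdline", "")
        basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename.startswith("cloudflared") or QUICK_TUNNEL_CMD_RE.search(cmdline):
            hits.append({"host": ev.get("host"), "ts": ev.get("ts"),
                         "image": image, "cmdline": cmdline})
    return hits


def hunt(lines):
    """Run both checks and correlate by host."""
    events = parse_events(lines)
    dns = dns_hits(events)
    procs = process_hits(events)
    # A host showing both the client launch and the tunnel lookup is the
    # strongest lead; either alone still merits triage.
    both = sorted({h["host"] for h in dns} & {h["host"] for h in procs})
    return {"dns": dns, "process": procs, "hosts_with_both": both}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

On real data, map Zeek dns.log or Sysmon event ID 1 and 22 exports onto the same three fields per event type. The apex lookup for trycloudflare.com on WS-042 is reported but not tagged as a quick tunnel, which is the right distinction: a user reading Cloudflare documentation produces the former, an implant beaconing through a tunnel produces the four-word hostname.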