ctipilot.ch

Kimsuky HTTPSpy + HelloDoor with VS Code/Cloudflare tunnel C2

campaign · item:kimsuky-httpspy-hellodoor-vs-code-remote-tunnel-cloudflare

  • Coverage timeline: 1 (first 2026-05-30 → last 2026-05-30)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (3 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-30: CTI Daily Brief — 2026-05-30
     research: ENKI WhiteHat + THN; five-chain March/April 2026 campaigns against KR/DE defence

Where this entity is cited

  • research: 1

Source distribution

  • thehackernews.com: 2 (50%)
  • enki.co.kr: 1 (25%)
  • securelist.com: 1 (25%)

Related entities

Items in briefs about Kimsuky HTTPSpy + HelloDoor with VS Code/Cloudflare tunnel C2 (2)

Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

ENKI WhiteHat and The Hacker News documented Kimsuky campaigns in March and April 2026 targeting South Korean military personnel and corporate entities with two malware chains (The Hacker News, 2026-05-29; ENKI WhiteHat, 2026-05-27).

March chain: installers masquerading as nProtect Online Security and AhnLab Safe Transaction launch MemLoader.dll via regsvcs.exe, which downloads HTTPSpy. April chain: a fake Webex meeting page delivers encrypted JavaScript (.jse extension) that stages a PowerShell downloader, ultimately installing HTTPSpy.

HTTPSpy is a full-capability RAT (first observed 2022; previously used against a German defence manufacturer May–September 2024): RC4-encrypted C2, shell execution, file upload/download, screenshot capture, process injection, self-deletion. HelloDoor is a Rust-based PebbleDash variant (assessed LLM-assisted per ENKI): configurable sleep, command execution, directory traversal.

C2 evasion: Kimsuky now abuses Visual Studio Code Remote Tunneling (authenticated via GitHub OAuth, registered via code --tunnel --name <name>) and Cloudflare Quick Tunnels (cloudflared.exe) — neither can be blocked by IP or domain without also blocking legitimate Microsoft and Cloudflare traffic respectively. JSONPing confirms active infections via a locally running HTTP server, reducing exposure of attacker infrastructure.

MITRE ATT&CK: T1036 (Masquerading), T1059.001 (PowerShell), T1059.007 (JavaScript), T1071 (Application Layer Protocol).

Detection: hunt for regsvcs.exe as the parent of DLL loads in non-.NET-Framework contexts; alert on VS Code CLI processes carrying the --tunnel argument on non-developer endpoints; audit GitHub OAuth app grants for unrecognised VS Code tunnel registrations; monitor cloudflared.exe on managed endpoints that have no prior baseline for it.

Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

Kaspersky's Global Research and Analysis Team published a deep technical disclosure on 2026-05-14 covering Kimsuky (Ruby Sleet / APT43) campaigns observed during late 2025 and Q1 2026, documenting six malware families the actor is currently rotating (Kaspersky Securelist, 2026-05-14). The headline novelty is HelloDoor, the first Rust-based variant in the PebbleDash family (a backdoor platform Kimsuky appropriated from Lazarus around 2021); secondary additions are httpMalice (HTTP-only loader), MemLoad (reflective DLL loader), httpTroy (C2 backdoor) and continued use of AppleSeed / HappyDoor.

The most operationally significant capability change is that HelloDoor's C2 channel uses Cloudflare Quick Tunnels via TryCloudflare: short-lived *.trycloudflare.com hostnames issued ad hoc that terminate attacker control infrastructure behind Cloudflare's CDN, eliminating fixed C2 IPs and making network-layer indicator blocking impractical. Kaspersky verbatim: "Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language."

Reported targeting: South Korean government, defence and medical sectors as the primary set, with documented spillover hits in Germany — the closest geographic proximity to Swiss government targets in recent Kimsuky reporting.

Detection guidance from Kaspersky (paraphrased to avoid IOC reproduction): monitor for JSE/SCR/PIF droppers carrying Base64-encoded payloads; flag scheduled tasks under generic browser-update names (e.g. ChromeCheck, EdgeCheck); inspect VSCode tunnel authentications via GitHub for unrecognised tunnel names; alert on Rust-compiled PE images loading from non-standard paths and on outbound *.trycloudflare.com connections that do not match a developer's legitimate tunnel-use profile. Technique class: T1071.001 Application-layer C2 via web protocol + T1090.002 External Proxy + T1053.005 Scheduled Task.

[SINGLE-SOURCE] — only Kaspersky GReAT carries this depth; included because Kaspersky is HIGH-reliability for North Korea-nexus reporting and the technical detail is defender-actionable. Marked at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start).
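The endpoint and network heuristics listed in both items' detection paragraphs (regsvcs.exe DLL loads outside the .NET Framework, VS Code --tunnel on non-developer hosts, cloudflared.exe with no baseline, generic browser-update task names, *.trycloudflare.com egress), as an added hunt sketch that is not from ctipilot.ch, ENKI, THN or Kaspersky. The event field names, the developer/baseline host lists and the sample telemetry are constructed assumptions standing in for a real Sysmon or EDR export.

```python
import fnmatch
import ntpath
import re
import shlex

# Hypothetical baselines: endpoints with a legitimate tunnel-use profile (assumption, not from the briefs).
DEVELOPER_HOSTS = {"DEV-LAP-01"}
CLOUDFLARED_BASELINE = {"DEV-LAP-01"}
# Generic browser-update task names cited by the brief (ChromeCheck, EdgeCheck); the "update" suffix is an assumption.
GENERIC_UPDATE_TASK = re.compile(r"^(chrome|edge)(check|update)$", re.I)

# Constructed sample telemetry mimicking Sysmon image-load, process-create, scheduled-task and network events.
SAMPLE_EVENTS = [
    {"type": "imageload", "host": "WS-FIN-07", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
     "loaded": r"C:\Users\Public\MemLoader.dll"},                                   # DLL from a user-writable path
    {"type": "imageload", "host": "WS-FIN-07", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},    # benign .NET Framework load
    {"type": "process", "host": "WS-FIN-07", "image": r"C:\Users\Public\code.exe", "cmdline": "code.exe --tunnel --name ws-fin-07"},
    {"type": "process", "host": "DEV-LAP-01", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe", "cmdline": "code.exe --tunnel --name devbox"},
    {"type": "process", "host": "WS-HR-03", "image": r"C:\Users\Public\cloudflared.exe", "cmdline": "cloudflared.exe tunnel --url http://127.0.0.1:8080"},
    {"type": "task", "host": "WS-HR-03", "name": "ChromeCheck"},
    {"type": "network", "host": "WS-HR-03", "dest": "quiet-lamp-example.trycloudflare.com"},
    {"type": "network", "host": "DEV-LAP-01", "dest": "devbox-example.trycloudflare.com"},
]

def _exe(path):
    return ntpath.basename(path).lower()

def hunt(events, dev_hosts=DEVELOPER_HOSTS, cf_baseline=CLOUDFLARED_BASELINE):
    """Return (rule, host, detail) tuples for events matching the briefs' detection guidance."""
    hits = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "imageload" and _exe(ev["image"]) == "regsvcs.exe":
            # regsvcs.exe loading a DLL from outside the Windows directory: a non-.NET-Framework context
            if not ev["loaded"].lower().startswith("c:\\windows\\"):
                hits.append(("regsvcs_dll_load", host, ev["loaded"]))
        elif kind == "process":
            exe, args = _exe(ev["image"]), shlex.split(ev["cmdline"], posix=False)
            if exe in ("code.exe", "code") and "--tunnel" in args and host not in dev_hosts:
                hits.append(("vscode_tunnel_nondev", host, ev["cmdline"]))
            if exe == "cloudflared.exe" and host not in cf_baseline:
                hits.append(("cloudflared_no_baseline", host, ev["cmdline"]))
        elif kind == "task" and GENERIC_UPDATE_TASK.match(ev["name"]):
            hits.append(("generic_update_task", host, ev["name"]))
        elif kind == "network" and fnmatch.fnmatch(ev["dest"].lower(), "*.trycloudflare.com") and host not in dev_hosts:
            hits.append(("trycloudflare_egress", host, ev["dest"]))
    return hits
```

Each rule is a baseline-dependent heuristic, not a signature: the developer host that legitimately runs code --tunnel and reaches trycloudflare.com produces no hits, while the same activity on a finance or HR workstation does.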