ctipilot.ch

Kimsuky (Ruby Sleet / APT43) PebbleDash toolkit evolution — Rust-based HelloDoor variant + TryCloudflare quick-tunnel C2 (Kaspersky GReAT analysis); South Korea primary, Germany spillover

campaign · item:kimsuky-pebbledash-hellodoor-trycloudflare-tunnel-c2-evolution

Coverage timeline
  • first 2026-05-17 → last 2026-05-17 (2 appearances, both on 2026-05-17)
Briefs
  • 1 distinct
Sources cited
  • 2 hosts
Sections touched
  • action_items, research
Co-occurring entities
  • 2 (see Related entities below)

Story timeline

  1. 2026-05-17 · CTI Daily Brief — 2026-05-17 · research
     First coverage. SINGLE-SOURCE — Kaspersky GReAT primary. HelloDoor is the first Rust-based PebbleDash variant; TryCloudflare quick-tunnel C2 eliminates fixed C2 IPs. German targeting documented.
  2. 2026-05-17 · CTI Daily Brief — 2026-05-17 · action_items
     Action: hunt for *.trycloudflare.com outbound from non-developer endpoints; review VSCode tunnel auth; flag Rust PE images from non-standard paths.

Where this entity is cited

  • research (1)
  • action_items (1)

Source distribution

  • securelist.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Items in briefs about Kimsuky (Ruby Sleet / APT43) PebbleDash toolkit evolution — Rust-based HelloDoor variant + TryCloudflare quick-tunnel C2 (Kaspersky GReAT analysis); South Korea primary, Germany spillover (1)

Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

Kaspersky's Global Research and Analysis Team published a deep technical disclosure on 2026-05-14 covering Kimsuky (Ruby Sleet / APT43) campaigns observed during late 2025 and Q1 2026, documenting six malware families the actor is currently rotating (Kaspersky Securelist, 2026-05-14). The headline novelty is HelloDoor, the first Rust-based variant in the PebbleDash family (a backdoor platform Kimsuky appropriated from Lazarus around 2021); the secondary additions are httpMalice (HTTP-only loader), MemLoad (reflective DLL loader) and httpTroy (C2 backdoor), alongside continued use of AppleSeed and HappyDoor.

The most operationally significant change is HelloDoor's C2 channel: Cloudflare Quick Tunnels via TryCloudflare. Each tunnel is issued a short-lived, randomly generated *.trycloudflare.com hostname, so attacker control infrastructure terminates behind Cloudflare's CDN with no fixed C2 IP and no stable hostname. Quick tunnels require no Cloudflare account and the hostname changes every time the tunnel is restarted, which is why IP- or hostname-based blocking does not hold up and detection has to key on the pattern of use rather than on individual indicators.

Kaspersky verbatim: "Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language."

Reported targeting: South Korean government, defence and medical sectors as the primary set, with documented spillover hits in Germany, the closest geographic proximity to Swiss government targets in recent Kimsuky reporting.

Detection guidance from Kaspersky (paraphrased to avoid IOC reproduction):
  • monitor for JSE/SCR/PIF droppers carrying Base64-encoded payloads;
  • flag scheduled tasks under generic browser-update names (e.g. ChromeCheck, EdgeCheck);
  • inspect VSCode tunnel authentications via GitHub for unrecognised tunnel names;
  • alert on Rust-compiled PE images loading from non-standard paths;
  • alert on outbound *.trycloudflare.com connections that do not match a developer's legitimate tunnel-use profile.

Caveat: TryCloudflare and VSCode tunnels are legitimate developer tooling, so a bare *.trycloudflare.com match is a triage lead, not a verdict; baseline which hosts and users legitimately open tunnels before turning the rule into an alert.

Technique class: T1071.001 Application Layer Protocol: Web Protocols + T1090.002 Proxy: External Proxy + T1053.005 Scheduled Task/Job: Scheduled Task.

[SINGLE-SOURCE] — only Kaspersky GReAT carries this depth; included because Kaspersky is HIGH-reliability for North Korea-nexus reporting and the technical detail is defender-actionable. Marked at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start).
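The two hunts above that are easiest to script (tunnel egress from non-developer hosts, and generically named browser-update tasks whose action does not look like a vendor updater) as an added Python example. This is editorial illustration, not Kaspersky's or Kimsuky's code. The proxy-log line format, the host and user names, the tunnel IDs, the widening of the task-name pattern beyond ChromeCheck/EdgeCheck, and the list of user-writable directories are all this example's assumptions; the one detail taken from the report is that the hostnames are subdomains of trycloudflare.com.

```python
import re
from dataclasses import dataclass

# Exact-suffix match on the real apex: only genuine subdomains of
# trycloudflare.com qualify, so lookalikes such as
# trycloudflare.com.example.net or evil-trycloudflare.com do not match.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Generic browser-update task names of the kind the report describes
# (ChromeCheck, EdgeCheck); widening to Firefox/Browser and Update(r)
# is this example's assumption, not Kaspersky's list.
GENERIC_UPDATE_TASK = re.compile(
    r"^(chrome|edge|firefox|browser)[-_ ]?(check|update|updater)$", re.I
)

# Real browser updaters run signed binaries under Program Files. A script
# host as the task action, or anything launched from a user-writable
# directory, is the suspicious shape (the report notes JSE/SCR/PIF droppers).
# The directory list is an assumption for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


def is_trycloudflare(host: str) -> bool:
    """True only for a proper subdomain of trycloudflare.com (case-insensitive)."""
    h = host.strip().lower().rstrip(".")
    return h.endswith(TUNNEL_SUFFIX) and len(h) > len(TUNNEL_SUFFIX)


def hunt_tunnel_egress(proxy_lines, developer_hosts):
    """Flag *.trycloudflare.com egress from hosts outside the developer baseline.

    Line format (constructed for this example): '<ts> <src_host> <user> <dst_host>'.
    """
    baseline = {h.upper() for h in developer_hosts}
    findings = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        ts, src, user, dst = parts[:4]
        if not is_trycloudflare(dst):
            continue
        if src.upper() in baseline:
            continue  # known developer host: expected tunnel use, not a finding
        findings.append(Finding("trycloudflare-egress", src, f"{ts} {user} -> {dst}"))
    return findings


def hunt_generic_update_tasks(tasks):
    """Flag generically named 'browser update' tasks whose action is a script
    host or runs from a user-writable path. tasks: dicts with name/action/args."""
    findings = []
    for t in tasks:
        if not GENERIC_UPDATE_TASK.match(t["name"]):
            continue
        action = t["action"]
        cmdline = f"{action} {t.get('args', '')}".lower()
        exe = action.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if any(seg in cmdline for seg in USER_WRITABLE):
            reasons.append("user-writable path")
        if reasons:
            findings.append(Finding("generic-update-task", t["name"], "; ".join(reasons)))
    return findings


# Constructed sample data: host names, users, tunnel IDs and paths are invented.
DEVELOPER_HOSTS = ["WS-DEV-004"]
SAMPLE_PROXY_LOG = [
    "2026-05-15T08:02:11Z WS-FIN-017 j.mueller a1b2-c3d4-e5f6.trycloudflare.com",
    "2026-05-15T08:03:40Z WS-DEV-004 dev.lee g7h8-i9j0-k1l2.trycloudflare.com",
    "2026-05-15T08:05:02Z WS-FIN-017 j.mueller trycloudflare.com.cdn-check.example",
    "2026-05-15T08:06:19Z WS-HR-009 a.rossi update.googleapis.com",
]
SAMPLE_TASKS = [
    {"name": "ChromeCheck", "action": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\j.mueller\AppData\Roaming\chk.jse"},
    {"name": "EdgeUpdate",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "args": "/ua"},
]


def run_hunt():
    """Run both hunts over the constructed sample data."""
    return hunt_tunnel_egress(SAMPLE_PROXY_LOG, DEVELOPER_HOSTS) + hunt_generic_update_tasks(SAMPLE_TASKS)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Two design points worth noting. The tunnel check is an exact suffix match with the leading dot, so the apex itself and lookalike domains fall through; and the developer baseline is an allowlist of hosts, which is the "legitimate tunnel-use profile" in its simplest form. The task check deliberately lets a well-named vendor task (EdgeUpdate running from Program Files) pass, because the name alone is a weak signal; the action path and interpreter are what separate a dropper's task from a real updater.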