Disclosing new PebbleDash-based tools by Kimsuky
2026-05-14 • Kaspersky
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
Kimsuky has expanded its PebbleDash and AppleSeed-related operations with newly documented tooling, including the Rust-based HelloDoor backdoor, httpMalice, MemLoad/httpTroy, AppleSeed, HappyDoor, VSCode Remote Tunneling, and DWAgent. The campaigns use spear-phishing attachments and varied droppers to compromise mainly South Korean public and private entities, with PebbleDash-linked activity also observed against defense organizations in Brazil and Germany. Kaspersky found overlapping distribution methods, target sectors, certificates, mutex patterns, and infrastructure between the PebbleDash and AppleSeed clusters, supporting medium-high confidence attribution to Kimsuky-affiliated clusters. The report highlights Kimsuky's use of legitimate remote access and tunneling services, Korean-language host profiling behavior, possible LLM-assisted Rust malware development, and C2 infrastructure hosted through free Korean domains, compromised websites, Cloudflare tunnels, and Dropbox.
Indicators of Compromise