ENKI Whitehat identified Kimsuky malware delivery activity through April 2026 against South Korean military and enterprise-related targets. The campaigns used tailored lures, including fake domestic security software installation pages and a fake Webex meeting page built around a real meeting schedule. ENKI documented JSONPing, a JSONP-based localhost callback technique used by distribution pages to check whether malware is already running on the victim host. In the Webex chain, the final payload was a new HttpSpy variant using a three-stage installer, loader, and main module flow, with links to Kimsuky supported by reused RC4 keys, infrastructure, code patterns, export names, and certificate reuse.