Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant

2026-05-27 ENKI

https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant


ENKI Whitehat reported Kimsuky malware delivery cases targeting South Korean military and corporate environments through April 2026. The actor used fake security software installation pages and a Webex-themed lure based on a legitimate meeting schedule, while distribution pages used JSONPing to query localhost services created by malware and verify victim execution. The Webex chain delivered a new HttpSpy variant through installer, loader, and in-memory main module stages, with persistence under a Run key and C2 over encrypted HTTP POST. ENKI linked the activity to Kimsuky through shared RC4 keys, infrastructure overlaps, code patterns, export names, default XAMPP certificate reuse, and artifacts associated with prior HttpSpy, HttpTroy, and HelloDoor-related activity.

Indicators of Compromise

