Kimsuky Targets South Korea with Advanced Malware and Social Engineering Tactics
ID: 58e20b26-9949-53ef-ab5c-ecff77d2453e
STIX ID: report--58e20b26-9949-53ef-ab5c-ecff77d2453e
Feed Name: ThreatCluster
Kimsuky (a North Korean state-aligned APT) conducted targeted operations against South Korean military, government, corporate and healthcare organizations in March–April 2026. The intrusions relied on social engineering lures (spoofed security-software installers and fake Webex invitations) to deploy RATs and new malware families (HTTPSpy variants, HelloDoor, HttpMalice, and an enhanced HappyDoor) and to exfiltrate sensitive data, including GPKI certificates. The report highlights covert C2 channels built on legitimate developer tunneling services (VS Code Remote Tunnels and Cloudflare Quick Tunnel) and recommends monitoring for and blocking those services where they are not needed, hardening endpoints, and detecting the described malware behaviors.
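The report recommends watching for the two tunneling services used as C2. The following is an added example (not code from the ThreatCluster report, and not the report's indicators) of how that monitoring can be expressed over endpoint telemetry: it scans constructed process-creation and DNS records for the command lines that start a VS Code tunnel (`code tunnel`) or a Cloudflare Quick Tunnel (`cloudflared tunnel --url`) and for the service domains those tools contact. The domain suffixes and command-line shapes are assumptions drawn from general knowledge of how the two services work, the log format is hypothetical, and every sample line is constructed.

```python
"""Flag VS Code Remote Tunnel and Cloudflare Quick Tunnel activity in
endpoint telemetry (process creation and DNS query records).

Added example, not part of the ThreatCluster report. Indicator strings
are assumptions based on how the services normally behave, not IOCs
from the report:
  - VS Code tunnels are started with `code tunnel ...` and contact
    *.devtunnels.ms and global.rel.tunnels.api.visualstudio.com
  - Cloudflare Quick Tunnels are started with `cloudflared tunnel --url ...`
    and are published under a random *.trycloudflare.com name
The JSON log format below is hypothetical; all sample lines are constructed.
"""
import json
import re
from dataclasses import dataclass

# Domain indicators: a leading "." means "any subdomain of", otherwise exact match.
TUNNEL_DOMAINS = {
    "vscode_tunnel": (".devtunnels.ms", "global.rel.tunnels.api.visualstudio.com"),
    "cloudflare_quick_tunnel": (".trycloudflare.com",),
}

# Command-line indicators. `tunnel` must be a stand-alone argument so that
# e.g. `code.exe --file tunnel.md` is not flagged.
PROCESS_PATTERNS = {
    "vscode_tunnel": re.compile(r'\bcode(\.exe)?"?\s+tunnel(?:\s|$)', re.I),
    "cloudflare_quick_tunnel": re.compile(r'\bcloudflared(\.exe)?"?\s+tunnel\b.*--url\b', re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    vector: str
    evidence: str


def classify_domain(name: str):
    """Return the tunnel vector a DNS query name belongs to, or None."""
    name = name.rstrip(".").lower()
    for vector, suffixes in TUNNEL_DOMAINS.items():
        for suffix in suffixes:
            if suffix.startswith("."):
                if name.endswith(suffix):   # requires the dot, so "xdevtunnels.ms" is not matched
                    return vector
            elif name == suffix:
                return vector
    return None


def classify_cmdline(cmdline: str):
    """Return the tunnel vector a process command line starts, or None."""
    for vector, pattern in PROCESS_PATTERNS.items():
        if pattern.search(cmdline):
            return vector
    return None


def scan(lines):
    """Parse one JSON record per line and return a list of Findings."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec["type"] == "dns":
            vector = classify_domain(rec["query"])
            if vector:
                findings.append(Finding(rec["host"], vector, rec["query"]))
        elif rec["type"] == "process":
            vector = classify_cmdline(rec["cmdline"])
            if vector:
                findings.append(Finding(rec["host"], vector, rec["cmdline"]))
    return findings


def summarize(findings):
    """Collapse findings to {host: set(vectors)} for triage."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.vector)
    return out


# Constructed telemetry: two hosts showing tunnel use, one benign host.
SAMPLE_LOG = [
    '{"type": "process", "host": "WS-0412", "cmdline": "code.exe tunnel --accept-server-license-terms --name ws-0412"}',
    '{"type": "dns", "host": "WS-0412", "query": "ws-0412.euw.devtunnels.ms"}',
    '{"type": "process", "host": "SRV-07", "cmdline": "cloudflared.exe tunnel --url http://127.0.0.1:8080"}',
    '{"type": "dns", "host": "SRV-07", "query": "gentle-river-1234.trycloudflare.com"}',
    '{"type": "process", "host": "WS-0101", "cmdline": "powershell.exe -NoProfile -File backup.ps1"}',
    '{"type": "dns", "host": "WS-0101", "query": "update.microsoft.com"}',
]

if __name__ == "__main__":
    for host, vectors in summarize(scan(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(sorted(vectors))}")
```

Both services have legitimate developer uses, so in practice the output is a triage list rather than a block list: allowlist the workstations that are expected to run them, and treat tunnel start-up on servers, on non-developer hosts, or shortly after an installer or meeting-invite lure as high priority. The report's own indicators for this campaign are not reproduced on this page and should be taken from the full report.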
