Kimsuky HttpSpy Malware Campaign Exploits Networks via Deceptive Overlays
ID: bb589fd5-5f89-51dc-b01a-d2925ca1042f
STIX ID: report--bb589fd5-5f89-51dc-b01a-d2925ca1042f
Feed Name: securityonline.info
ENKI Whitehat Threat Research Team reports that the Kimsuky HttpSpy campaign has been reworked into a three-stage espionage operation targeting South Korean military and corporate networks. Operators use highly tailored phishing pages (impersonating messaging and Webex services) to deliver a dropper that installs MemLoader.dll/loadDll.dll, use a novel JSONPing localhost check to verify that a host is infected, and finally run a RAM-resident remote access trojan that communicates over RC4-encrypted HTTP. Investigators observed recurring infrastructure artifacts (a default XAMPP certificate and specific ASNs) and note the use of Korean-language code and comments, likely aided by large language models.
