Disclosing new PebbleDash-based tools
Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...
AI Analysis
Technical Summary
This threat involves the Kimsuky advanced persistent threat group deploying new PebbleDash-based malware tools, including HelloDoor and httpMalice, alongside updated variants of MemLoad and httpTroy. The group uses spear-phishing with malicious document attachments for initial access. Persistence is maintained via legitimate software tools such as VSCode Tunneling authenticated through GitHub and DWAgent remote management. The infrastructure relies on free hosting and tunneling services, primarily in South Korea. The campaigns target South Korean government and defense sectors, with additional activity in Brazil and Germany. Shared tactics, techniques, and procedures (TTPs) between the PebbleDash and AppleSeed malware clusters suggest a single actor. Because this is an active malware campaign rather than a software vulnerability, there is no exploit to track in the wild and no patch to apply.
Potential Impact
The impact includes unauthorized access and persistent presence within targeted networks, primarily South Korean government and defense organizations, potentially leading to espionage or data exfiltration. The use of legitimate tools for persistence complicates detection and mitigation. The threat also extends to entities in Brazil and Germany. There is no indication of direct exploitation of software vulnerabilities; the activity is a malware campaign relying on social engineering and the abuse of legitimate software.
Mitigation Recommendations
No official patches or fixes apply, as this is a malware campaign rather than a software vulnerability. Organizations should focus on detecting and blocking spear-phishing attempts, monitoring for unusual use of legitimate tools such as VSCode Tunneling and DWAgent, and restricting or monitoring the use of tunneling services like Cloudflare Quick Tunnels and Ngrok. Awareness training to recognize spear-phishing and attachment-based attacks is recommended. Since no vendor advisory either declares 'no action required' or provides official fixes, these mitigations are based on analysis of the observed threat behavior.
Affected Countries
South Korea, Brazil, Germany
Indicators of Compromise
- hash: 5c373c2116ab4a615e622f577e22e9be
- hash: d1ec20144c83bba921243e72c517da5e
- domain: female-disorder-beta-metropolitan.trycloudflare.com
- url: http://female-disorder-beta-metropolitan.trycloudflare.com/index.php
- domain: attach.docucloud.o-r.kr
- domain: load.auraria.org
- hash: 58ac2f65e335922be3f60e57099dc8a3
- domain: load.ssangyongcne.o-r.kr
- hash: 9fe43e08c8f446554340f972dac8a68c
- url: https://www.yespp.co.kr/common/include/code/out.php
- hash: d0912a47413338a1a79eef767aa33135f1e3ac66dfb6f6d1c8dbec72c892b985
- hash: 8983ffa6da23e0b99ccc58c17b9788c7
- domain: load.erasecloud.n-e.kr
- domain: cms.spaceyou.o-r.kr
- domain: opedromos1.r-e.kr
- hash: 08160acf08fccecde7b34090db18b321
- hash: 52f1ff082e981cbdfd1f045c6021c63f
- hash: 65fc9f06de5603e2c1af9b4f288bb22c
- hash: 678fb1a87af525c33ba2492552d5c0e2
- hash: 7e0825019d0de0c1c4a1673f94043ddb
- hash: 8e15c4d4f71bdd9dbc48cd2cabc87806
- hash: 94faed9af49c98a89c8acc55e97276c9
- hash: 995a0a49ae4b244928b3f67e2bfd7a6e
- hash: 9ca5f93a732f404bbb2cee848f5bbda0
- hash: a7f0a18ac87e982d6f32f7a715e12532
- hash: c19aeaedbbfc4e029f7e9bdface495b9
- hash: c42ae004badddd3017adadbdd1421e00
- hash: f4465403f9693939fe9c439f0ab33610
- hash: f73ba062116ea9f37d072aa41c7f5108
- hash: 01cb397c7f056516be83bef2719925d281a10858
- hash: 1e3c50d64110be466c0b4a45222e81d2c9352888
- hash: 3d2ade9aa6a765e12349ae48cdcf78eebc7ea8ab
- hash: 415cd98b9353b098382bb1d38dd57a10b9db208e
- hash: a2940bc167b8400b61db7cd3c08c7e5e3d02a821
- hash: bf9252a2fb45be6893dd8870c0bf37e2e1766d61
- hash: 2d597c3a726970927b302bf015cec4e37cdc974959cb846dbcb23cdb46386a6c
- hash: 4ac02dc231f2546ce64335729145db672b5ab01d8943df8a550cc77fc436df14
- hash: 8779580d97d5a1d9c612cee745a7097483fc1643e38d7c1574670f56bc7abb48
- url: http://newjo-imd.com/common/include/library/default.php
- url: https://file.bigcloud.n-e.kr/index.php
- url: https://www.pyrotech.co.kr/common/include/tech/default.php
- domain: newjo-imd.com
- domain: erp.spaceme.p-e.kr
- domain: file.bigcloud.n-e.kr
- domain: load.supershop.o-r.kr
- domain: load.yju.o-r.kr
- domain: morames.r-e.kr
- domain: node484265.dwservice.net
- domain: node828765.dwservice.net
- domain: node896147.dwservice.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
- Adversary: Kimsuky
- Pulse Id: 6a05af0979e3cc1214a50d4e
- Threat Score: null
Threat ID: 6a0612b1ec166c07b002253c
Added to database: 5/14/2026, 6:21:37 PM
Last enriched: 5/14/2026, 6:37:32 PM
Last updated: 6/10/2026, 3:51:08 PM