Disclosing new PebbleDash-based tools
Kaspersky researchers analyzed Kimsuky APT activity revealing new malware variants based on the PebbleDash platform, including HelloDoor, a Rust-based backdoor, and httpMalice using HTTP and Dropbox for communications. The group maintains persistence using legitimate tools such as VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access is gained through spear-phishing with malicious attachments disguised as documents. The primary targets are South Korean government and defense entities, with additional attacks observed in Brazil and Germany. The threat infrastructure uses free South Korean hosting and tunneling services like Cloudflare Quick Tunnels and Ngrok. PebbleDash and AppleSeed malware clusters share distribution methods, stolen certificates, and overlapping targets, indicating a single actor behind these campaigns.
AI Analysis
Technical Summary
This threat involves the Kimsuky advanced persistent threat group deploying new PebbleDash-based malware tools, including HelloDoor and httpMalice, alongside updated variants of MemLoad and httpTroy. The group uses spear-phishing for initial access, leveraging malicious document attachments. Persistence is maintained via legitimate software tools such as VSCode Tunneling authenticated through GitHub and DWAgent remote management. The infrastructure relies on free hosting and tunneling services primarily in South Korea. The campaigns target South Korean government and defense sectors, with additional activity in Brazil and Germany. Shared tactics, techniques, and procedures (TTPs) between the PebbleDash and AppleSeed malware clusters suggest a single actor. Exploit availability and patches do not apply here: this is an active malware campaign, not a software vulnerability.
Potential Impact
The impact includes unauthorized access and persistent presence within targeted networks, primarily South Korean government and defense organizations, potentially leading to espionage or data exfiltration. The use of legitimate tools for persistence complicates detection and mitigation. The threat also extends to entities in Brazil and Germany. There is no indication of direct exploitation of software vulnerabilities but rather a sophisticated malware campaign using social engineering and legitimate software abuse.
Mitigation Recommendations
No official patches or fixes apply as this is a malware campaign rather than a software vulnerability. Organizations should focus on detecting and blocking spear-phishing attempts, monitoring for unusual use of legitimate tools such as VSCode Tunneling and DWAgent, and restricting or monitoring the use of tunneling services like Cloudflare Quick Tunnels and Ngrok. Awareness training to recognize spear-phishing and attachment-based attacks is recommended. The domains, URLs and file hashes listed under Indicators of Compromise below can be used for blocking and for retrospective hunting in proxy, DNS and endpoint logs. No vendor advisory or official fix covers this activity, so these mitigations are derived from the observed threat behavior.
Affected Countries
South Korea, Brazil, Germany
Indicators of Compromise
- hash: 5c373c2116ab4a615e622f577e22e9be
- hash: d1ec20144c83bba921243e72c517da5e
- domain: female-disorder-beta-metropolitan.trycloudflare.com
- url: http://female-disorder-beta-metropolitan.trycloudflare.com/index.php
- domain: attach.docucloud.o-r.kr
- domain: load.auraria.org
- hash: 58ac2f65e335922be3f60e57099dc8a3
- domain: load.ssangyongcne.o-r.kr
- hash: 9fe43e08c8f446554340f972dac8a68c
- url: https://www.yespp.co.kr/common/include/code/out.php
- hash: d0912a47413338a1a79eef767aa33135f1e3ac66dfb6f6d1c8dbec72c892b985
- hash: 8983ffa6da23e0b99ccc58c17b9788c7
- domain: load.erasecloud.n-e.kr
- domain: cms.spaceyou.o-r.kr
- domain: opedromos1.r-e.kr
- hash: 08160acf08fccecde7b34090db18b321
- hash: 52f1ff082e981cbdfd1f045c6021c63f
- hash: 65fc9f06de5603e2c1af9b4f288bb22c
- hash: 678fb1a87af525c33ba2492552d5c0e2
- hash: 7e0825019d0de0c1c4a1673f94043ddb
- hash: 8e15c4d4f71bdd9dbc48cd2cabc87806
- hash: 94faed9af49c98a89c8acc55e97276c9
- hash: 995a0a49ae4b244928b3f67e2bfd7a6e
- hash: 9ca5f93a732f404bbb2cee848f5bbda0
- hash: a7f0a18ac87e982d6f32f7a715e12532
- hash: c19aeaedbbfc4e029f7e9bdface495b9
- hash: c42ae004badddd3017adadbdd1421e00
- hash: f4465403f9693939fe9c439f0ab33610
- hash: f73ba062116ea9f37d072aa41c7f5108
- hash: 01cb397c7f056516be83bef2719925d281a10858
- hash: 1e3c50d64110be466c0b4a45222e81d2c9352888
- hash: 3d2ade9aa6a765e12349ae48cdcf78eebc7ea8ab
- hash: 415cd98b9353b098382bb1d38dd57a10b9db208e
- hash: a2940bc167b8400b61db7cd3c08c7e5e3d02a821
- hash: bf9252a2fb45be6893dd8870c0bf37e2e1766d61
- hash: 2d597c3a726970927b302bf015cec4e37cdc974959cb846dbcb23cdb46386a6c
- hash: 4ac02dc231f2546ce64335729145db672b5ab01d8943df8a550cc77fc436df14
- hash: 8779580d97d5a1d9c612cee745a7097483fc1643e38d7c1574670f56bc7abb48
- url: http://newjo-imd.com/common/include/library/default.php
- url: https://file.bigcloud.n-e.kr/index.php
- url: https://www.pyrotech.co.kr/common/include/tech/default.php
- domain: newjo-imd.com
- domain: erp.spaceme.p-e.kr
- domain: file.bigcloud.n-e.kr
- domain: load.supershop.o-r.kr
- domain: load.yju.o-r.kr
- domain: morames.r-e.kr
- domain: node484265.dwservice.net
- domain: node828765.dwservice.net
- domain: node896147.dwservice.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
- Adversary: Kimsuky
- Pulse Id: 6a05af0979e3cc1214a50d4e
- Threat Score: null
Threat ID: 6a0612b1ec166c07b002253c
Added to database: 5/14/2026, 6:21:37 PM
Last enriched: 5/14/2026, 6:37:32 PM
Last updated: 5/15/2026, 6:30:42 AM