Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Kimsuky, a known threat actor, has conducted advanced malicious campaigns targeting South Korean military and corporate entities through April 2026. These campaigns use sophisticated social engineering tactics such as fake security software installation pages and spoofed Webex meeting pages that leverage legitimate meeting schedules. A novel technique called JSONPing is employed to verify in real time if victims have executed the payload by querying localhost servers via JSONP. The threat actor also introduced a new variant of the HttpSpy malware featuring a three-stage execution chain with RC4 encryption, replacing the previous single-binary architecture. Attribution to Kimsuky is supported by code similarities, reused encryption keys, XAMPP certificate fingerprints, and ASN usage consistent with past operations. No known exploits in the wild or patches are indicated. The campaigns are specifically targeted at South Korea.
AI Analysis
Technical Summary
Kimsuky has deployed advanced malware campaigns targeting South Korean military and corporate sectors using tailored social engineering methods including fake security software and Webex meeting page spoofing. The threat actor introduced a JSONPing technique to confirm payload execution via JSONP queries to localhost. A new HttpSpy malware variant with a three-stage execution chain and RC4 encryption replaces the older single-binary version. Attribution is confirmed through multiple technical overlaps with historical Kimsuky activity. The campaigns leverage shared infrastructure and specific cryptographic artifacts. No patch or remediation details are provided, and no known exploits in the wild have been reported.
Potential Impact
The campaigns enable Kimsuky to conduct targeted espionage against South Korean military and corporate entities by deploying advanced malware capable of evading detection and confirming payload execution in real time. The use of social engineering and spoofed legitimate services increases the likelihood of successful compromise. The new HttpSpy variant's multi-stage execution and encryption techniques enhance its stealth and persistence capabilities. While no direct exploit or patch information is available, the impact is medium given the targeted nature and sophistication of the attacks.
Mitigation Recommendations
No official patch or remediation guidance is provided in the available information. Organizations should be aware of the social engineering tactics used, such as fake security software installation pages and spoofed Webex meeting pages, and educate users accordingly. Monitoring for JSONP-style requests directed at localhost servers (the JSONPing execution check) and for unusual multi-stage execution chains may help detect this threat. Since this is a targeted campaign against South Korean entities, tailored defensive measures and threat intelligence sharing are recommended. Patch status is not yet confirmed; check the vendor advisory or trusted threat intelligence sources for updates.
Affected Countries
South Korea
Indicators of Compromise
- domain: load.serverpit.com
- hash: c089457d5f4b22313b927bb36a320f8d7a1ddb6d5b82293dc2374dcfd4b1b8b2
- domain: load.erasecloud.n-e.kr
- hash: 784d9273c75e983f2b4730d1f2198cc44e9599709f4a5519a2bd3049095dc9d5
- hash: a2547836564b0732c6d02a78702da7e6
- hash: a581fdea0970f8a5b6cfec4853c802d7
- hash: a87cd5fd8fe223816005e81e0da70b21
- hash: b4dd4c76d7deef4cf532e240b7f84c9d
- hash: bd8e948a6e61436532cd2ed2b62db3f3
- hash: be31a38bab026f229afd5e3174c363f7
- hash: be978477fe7c179cb9607a6e08a05dff
- hash: bea602695d58cbf25fff058834e36c1d
- hash: c05f074c70a6cacb0e6f05578aab3c9d
- hash: c61a6efe1a169c6c1d8595af3ff0dd74
- hash: c6de1be41dcfbad9cae76c58eae7f5a3
- hash: cc837d2b2af4bd9c1c3faf61cefeb848
- hash: d09c0744273355b6da719fdb62923bed
- hash: dd47c97b44408e0a5ecd8f482fcd0dbc
- hash: ea5f32e1273ec93d43ee09a337fb60e1
- hash: f57a9e973e1cecd6b361467041e464f4
- hash: fcaf03060e34a73fe499b906492d9f13
- hash: 364cc871e66afe65e1845205105c3f53f34afc01
- hash: b44e800436b2892f7c8f9fbd93e5e17a2e1fde04
- hash: c124f019ddaef2606a7394b0b9bf7ae1a05ecda4
- hash: ca42cba2782a0b6952dd0425fa08cbd4de65f77fcc00e965ee97c39bea42eb18
- ip: 157.250.202.123
- ip: 27.102.113.106
- url: http://appview.imagetemplate.com/gateless_icon
- url: http://bigfile.jaycloudlab.com/download.php?id=745896
- url: http://download.birdriver.org/download.php?id=393156
- url: http://hdrgdrfes.chickenkiller.com/index.php
- url: http://load.erasecloud.n-e.kr/login.php
- url: http://load.serverpit.com/fwrite.php
- url: http://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless
- url: http://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=gateless
- url: http://www.ibizplus.n-e.kr/download.php?id=30382119
- url: http://www.ibizplus.n-e.kr/download.php?id=30382120
- url: http://www.ibizplus.n-e.kr/download.php?id=30382121
- url: https://appview.imagetemplate.com/babymetalsave_icon
- url: https://appview.imagetemplate.com/gateless_icon
- url: https://bigfile.crabdance.com/recaptcha.html
- url: https://conference.birdriver.org/
- url: https://download.birdriver.org/download.php?id=393156
- url: https://download.birdriver.org/download.php?id=425623
- url: https://load.erasecloud.n-e.kr/login.php
- url: https://load.serverpit.com/fwrite.php
- url: https://pipeline.embeddedonline.org/check.php?x-csrf-token=babymetalsave
- url: https://pipeline.embeddedonline.org/check.php?x-csrf-token=gateless
- url: https://pipeline.embeddedonline.org/download3.php?sessid=54126&user-token=babymetalsave
- url: https://www.ibizplus.n-e.kr/install.html
- domain: appview.imagetemplate.com
- domain: bigfile.crabdance.com
- domain: bigfile.jaycloudlab.com
- domain: conference.birdriver.org
- domain: download.birdriver.org
- domain: hdrgdrfes.chickenkiller.com
- domain: pipeline.embeddedonline.org
- domain: www.ibizplus.n-e.kr
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
- Adversary: Kimsuky
- Pulse ID: 6a19766cc7caf96e27eae35e
- Threat Score: null
Threat ID: 6a198b22e29bf47b50e58d61
Added to database: 5/29/2026, 12:48:34 PM
Last enriched: 5/29/2026, 1:04:20 PM
Last updated: 5/29/2026, 7:31:37 PM