Disclosing new PebbleDash-based tools

216.73.217.22

Disclosing new PebbleDash-based tools

· Published 14/05/2026 13:16 · Modified 14/05/2026 18:13

Essential information

Published: 14/05/2026 13:16
Modified: 14/05/2026 18:13
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: appleseed babyshark coolclient dwagent happydoor hellodoor httpmalice httpspy httptroy kimsuky memload pebbledash randomquery south korea spear-phishing troll stealer tutrat valleyrat vscode tunneling xenorat xrat zichatbot
Tags: 2026-05-14 appleseed babyshark coolclient dwagent happydoor hellodoor httpmalice httpspy httptroy kimsuky memload pebbledash randomquery south korea spear-phishing troll stealer tutrat valleyrat vscode tunneling xenorat xrat zichatbot
Related entities: 25 indicators, 25 observables, 1 intrusion sets (apt), 20 techniques (mitre), 16 malware, 21 others

Description

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...