{
  "name": "Disclosing new PebbleDash-based tools",
  "slug": "disclosing-new-pebbledash-based-tools",
  "description": "Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor (a Rust-based backdoor), httpMalice (which leverages HTTP and Dropbox communications), and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...",
  "published": "2026-05-14T11:16:25.351000+00:00",
  "created_at": "2026-05-14T18:13:50.689000+00:00",
  "modified_at": "2026-05-14T16:13:50+00:00",
  "created_at_opencti": "2026-05-14T18:13:50.689000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "appleseed",
    "babyshark",
    "coolclient",
    "dwagent",
    "happydoor",
    "hellodoor",
    "httpmalice",
    "httpspy",
    "httptroy",
    "kimsuky",
    "memload",
    "pebbledash",
    "randomquery",
    "south korea",
    "spear-phishing",
    "troll stealer",
    "tutrat",
    "valleyrat",
    "vscode tunneling",
    "xenorat",
    "xrat",
    "zichatbot"
  ],
  "tags": [
    "2026-05-14",
    "appleseed",
    "babyshark",
    "coolclient",
    "dwagent",
    "happydoor",
    "hellodoor",
    "httpmalice",
    "httpspy",
    "httptroy",
    "kimsuky",
    "memload",
    "pebbledash",
    "randomquery",
    "south korea",
    "spear-phishing",
    "troll stealer",
    "tutrat",
    "valleyrat",
    "vscode tunneling",
    "xenorat",
    "xrat",
    "zichatbot"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "66e42c1c-20ce-4c03-aa69-f6bae73e46ff",
        "name": "d0912a47413338a1a79eef767aa33135f1e3ac66dfb6f6d1c8dbec72c892b985"
      },
      {
        "id": "1a5008c2-84e4-498c-bffd-03cd997b1707",
        "name": "node896147.dwservice.net"
      },
      {
        "id": "5c7327e5-fd13-4c49-bec4-906b5ccd341a",
        "name": "attach.docucloud.o-r.kr"
      },
      {
        "id": "28ffb298-2b36-48fb-a9c9-9e3f3c4816eb",
        "name": "erp.spaceme.p-e.kr"
      },
      {
        "id": "1c279ad9-093b-4a60-9892-9ffbb0c1ef27",
        "name": "https://file.bigcloud.n-e.kr/index.php"
      },
      {
        "id": "a49f1686-9b4e-4625-97a7-864812343d61",
        "name": "4ac02dc231f2546ce64335729145db672b5ab01d8943df8a550cc77fc436df14"
      },
      {
        "id": "36881210-fa5d-4928-a7b8-88bad6db24e2",
        "name": "load.auraria.org"
      },
      {
        "id": "ce302c03-18f5-4d02-8619-d7518405b355",
        "name": "2d597c3a726970927b302bf015cec4e37cdc974959cb846dbcb23cdb46386a6c"
      },
      {
        "id": "39913907-4d2f-47de-8c90-817175cb0768",
        "name": "8779580d97d5a1d9c612cee745a7097483fc1643e38d7c1574670f56bc7abb48"
      },
      {
        "id": "295fced1-05d2-4290-b5c2-e93324b62298",
        "name": "http://newjo-imd.com/common/include/library/default.php"
      },
      {
        "id": "b767fe3b-d46f-49ce-848b-e93c54936aa4",
        "name": "load.erasecloud.n-e.kr"
      },
      {
        "id": "bf25957b-0b81-4127-ac29-d58190a3bfdf",
        "name": "cms.spaceyou.o-r.kr"
      },
      {
        "id": "768035ac-abb0-4872-8abc-26824e24f93f",
        "name": "http://female-disorder-beta-metropolitan.trycloudflare.com/index.php"
      },
      {
        "id": "90091538-9e07-418c-9d64-b2e541922430",
        "name": "load.yju.o-r.kr"
      },
      {
        "id": "d2388250-b422-41ac-8bca-8d29d36e11f3",
        "name": "load.supershop.o-r.kr"
      },
      {
        "id": "942c25f1-d675-48d8-8ced-662e65d02640",
        "name": "female-disorder-beta-metropolitan.trycloudflare.com"
      },
      {
        "id": "cb4054f0-8e33-4406-b895-99c13d1a5203",
        "name": "https://www.yespp.co.kr/common/include/code/out.php"
      },
      {
        "id": "62b55428-1c66-4e26-8723-011621b44514",
        "name": "morames.r-e.kr"
      },
      {
        "id": "307172f7-b768-4f7a-af72-47dbd1cb8fe3",
        "name": "node828765.dwservice.net"
      },
      {
        "id": "9c46c77d-5bc4-45b1-b620-01dbc9574fcc",
        "name": "newjo-imd.com"
      },
      {
        "id": "317e1049-4511-49a7-8170-4dfa8e871768",
        "name": "file.bigcloud.n-e.kr"
      },
      {
        "id": "0f953dd6-2f75-4bc6-9ac0-cf57af04c16c",
        "name": "https://www.pyrotech.co.kr/common/include/tech/default.php"
      },
      {
        "id": "aa37bd9f-86c1-48ce-af65-15cd23dbf7cf",
        "name": "opedromos1.r-e.kr"
      },
      {
        "id": "0ddc1de4-040c-41da-9326-dc69a9dfd8c1",
        "name": "node484265.dwservice.net"
      },
      {
        "id": "481f9a6c-d6c0-45d7-a0e6-7cf97a2f8aa3",
        "name": "load.ssangyongcne.o-r.kr"
      }
    ],
    "intrusion_sets": [
      {
        "id": "294d962a-b24e-446b-8e2d-3706cb1316b3",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "attack_patterns": [
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "36d26fbc-439e-460e-bb28-0935ad0c1b8a",
        "name": "T1090.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "39c94ae8-f0df-492e-9643-85d339a368f4",
        "name": "xRAT",
        "slug": "xrat"
      },
      {
        "id": "d395223d-a8c1-4c05-bc6e-03f75de5fde3",
        "name": "BabyShark - S0414",
        "slug": "babyshark-s0414"
      },
      {
        "id": "316f008f-d739-4911-8eb6-ff5c3bfa7657",
        "name": "CoolClient",
        "slug": "coolclient"
      },
      {
        "id": "9c08757d-bd59-45d1-8174-ac5b1ab454f2",
        "name": "XenoRAT",
        "slug": "xenorat"
      },
      {
        "id": "29b6dc89-de85-44dc-8717-b2776b33054b",
        "name": "Troll Stealer",
        "slug": "troll-stealer"
      },
      {
        "id": "209f47b2-56aa-474d-ae60-b484f9bf1ec1",
        "name": "AppleSeed - S0622",
        "slug": "appleseed-s0622"
      },
      {
        "id": "7fdfd6c4-dd27-4e78-aa8a-08fa586356e1",
        "name": "ZiChatBot",
        "slug": "zichatbot"
      },
      {
        "id": "f8879be0-dea7-4e8d-9aba-78c8ac8c6207",
        "name": "ValleyRAT",
        "slug": "valleyrat"
      },
      {
        "id": "bbde8965-db04-43ea-99d7-f6228abe5fcf",
        "name": "RandomQuery",
        "slug": "randomquery"
      },
      {
        "id": "c1c5645a-2c69-48b5-a3b4-5302ea4f0846",
        "name": "MemLoad",
        "slug": "memload"
      },
      {
        "id": "1fea08ca-5690-4c60-b24a-b934bd1b39e0",
        "name": "TutRAT",
        "slug": "tutrat"
      },
      {
        "id": "05ad42ac-09fd-4615-a3d3-377c8c8a671b",
        "name": "HelloDoor",
        "slug": "hellodoor"
      },
      {
        "id": "aa7285a4-052c-4cff-a1fa-b69b18f516e0",
        "name": "HappyDoor",
        "slug": "happydoor"
      },
      {
        "id": "aeee6188-90cb-4100-a126-358dfaa73d57",
        "name": "httpMalice",
        "slug": "httpmalice"
      },
      {
        "id": "2e51fa1f-23db-4ca7-9c5f-db86c8582193",
        "name": "HttpSpy",
        "slug": "httpspy"
      },
      {
        "id": "224830d5-bd09-494a-b45b-1396ad3100c7",
        "name": "httpTroy",
        "slug": "httptroy"
      }
    ],
    "observables": [
      {
        "id": "d76338c7-52ff-4453-9d94-7e69d8af900d",
        "name": "newjo-imd.com"
      },
      {
        "id": "876aef23-48e9-4c4b-8003-6c9cb86a760e",
        "name": "load.erasecloud.n-e.kr"
      },
      {
        "id": "e51faeb8-710e-437d-af39-f59013749449",
        "name": "node484265.dwservice.net"
      },
      {
        "id": "a3accde6-d754-47b5-8cfc-cbe99273c1ec",
        "name": "opedromos1.r-e.kr"
      },
      {
        "id": "3a77e886-45c1-42b5-9fd1-80898077a56e",
        "name": "node828765.dwservice.net"
      },
      {
        "id": "a42deabf-3a95-4054-9e3a-70e796b82d53",
        "name": "attach.docucloud.o-r.kr"
      },
      {
        "id": "52a17583-8ead-421c-af3e-7f7e2180701b",
        "name": "morames.r-e.kr"
      },
      {
        "id": "89a3f8f1-98f4-4b2c-a4b2-bf1d812c8f21",
        "name": "node896147.dwservice.net"
      },
      {
        "id": "b77950cb-a698-4acd-a4e5-cc27e869d3ad",
        "name": "load.auraria.org"
      },
      {
        "id": "ec49b63d-1b9e-4283-905d-b6e6c78fefcc",
        "name": "load.ssangyongcne.o-r.kr"
      },
      {
        "id": "b2372e03-44b9-47a6-a3be-18d23582d264",
        "name": "cms.spaceyou.o-r.kr"
      },
      {
        "id": "f4155979-cb08-4315-a14a-a15d7ac7c421",
        "name": "load.supershop.o-r.kr"
      },
      {
        "id": "3eb23739-2f16-446e-a47d-8cdb980e9e2f",
        "name": "file.bigcloud.n-e.kr"
      },
      {
        "id": "4dd4758f-c518-49d8-8f8c-1d42212027e2",
        "name": "erp.spaceme.p-e.kr"
      },
      {
        "id": "2b71ae0f-4519-4479-90ef-9e8d338c3af5",
        "name": "load.yju.o-r.kr"
      },
      {
        "id": "0190fe51-c9bc-42db-9e84-6cebf32ddf1e",
        "name": "female-disorder-beta-metropolitan.trycloudflare.com"
      },
      {
        "id": "08e1cd5e-7221-4e1f-8923-9d8c74894586",
        "name": "https://file.bigcloud.n-e.kr/index.php"
      },
      {
        "id": "e6b4abe5-3caa-46c4-9d63-10d3b3b91057",
        "name": "http://newjo-imd.com/common/include/library/default.php"
      },
      {
        "id": "ffe147cb-9528-44f2-95d7-bf9f44f8944d",
        "name": "https://www.yespp.co.kr/common/include/code/out.php"
      },
      {
        "id": "70d04153-0300-47ff-85e4-2d996feec1c8",
        "name": "https://www.pyrotech.co.kr/common/include/tech/default.php"
      },
      {
        "id": "10ec0f0e-2757-4292-9800-78a4e033173e",
        "name": "http://female-disorder-beta-metropolitan.trycloudflare.com/index.php"
      },
      {
        "id": "",
        "name": "d0912a47413338a1a79eef767aa33135f1e3ac66dfb6f6d1c8dbec72c892b985"
      },
      {
        "id": "",
        "name": "4ac02dc231f2546ce64335729145db672b5ab01d8943df8a550cc77fc436df14"
      },
      {
        "id": "",
        "name": "2d597c3a726970927b302bf015cec4e37cdc974959cb846dbcb23cdb46386a6c"
      },
      {
        "id": "",
        "name": "8779580d97d5a1d9c612cee745a7097483fc1643e38d7c1574670f56bc7abb48"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Health"
      },
      {
        "id": "",
        "name": "Government and administrations"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "node896147.dwservice.net"
      },
      {
        "id": "",
        "name": "attach.docucloud.o-r.kr"
      },
      {
        "id": "",
        "name": "erp.spaceme.p-e.kr"
      },
      {
        "id": "",
        "name": "load.auraria.org"
      },
      {
        "id": "",
        "name": "load.erasecloud.n-e.kr"
      },
      {
        "id": "",
        "name": "cms.spaceyou.o-r.kr"
      },
      {
        "id": "",
        "name": "load.yju.o-r.kr"
      },
      {
        "id": "",
        "name": "load.supershop.o-r.kr"
      },
      {
        "id": "",
        "name": "female-disorder-beta-metropolitan.trycloudflare.com"
      },
      {
        "id": "",
        "name": "morames.r-e.kr"
      },
      {
        "id": "",
        "name": "node828765.dwservice.net"
      },
      {
        "id": "",
        "name": "newjo-imd.com"
      },
      {
        "id": "",
        "name": "file.bigcloud.n-e.kr"
      },
      {
        "id": "",
        "name": "opedromos1.r-e.kr"
      },
      {
        "id": "",
        "name": "node484265.dwservice.net"
      },
      {
        "id": "",
        "name": "load.ssangyongcne.o-r.kr"
      }
    ]
  },
  "external_refs": [
    {
      "id": "676aa43c-9737-4f30-8e10-caf465ee20b0",
      "standard_id": "external-reference--20cc1788-70d4-5197-8c52-e8f9d56f84df",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-14T18:13:45.488Z",
      "modified": "2026-05-14T18:13:45.488Z",
      "createdById": null
    },
    {
      "id": "d21a79ef-d08a-42a2-9c91-01ba072102c5",
      "standard_id": "external-reference--be3023c8-3b4c-513a-97bc-a3f444283090",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e",
      "hash": null,
      "external_id": "6a05af0979e3cc1214a50d4e",
      "created": "2026-05-14T18:13:45.414Z",
      "modified": "2026-05-14T18:13:45.414Z",
      "createdById": null
    }
  ]
}