Kaspersky researchers provide an in-depth technical analysis of new malware tools used by Kimsuky (APT43), a North Korean threat actor. The report covers the PebbleDash and AppleSeed malware clusters, detailing newly discovered variants: HelloDoor (first Rust-based PebbleDash backdoor using Cloudflare tunneling), httpMalice (latest PebbleDash backdoor with Dropbox and HTTP C2 variants), MemLoad (a loader with anti-VM checks that deploys httpTroy), and HappyDoor (an AppleSeed-based backdoor). Post-exploitation tactics include abuse of VSCode Remote Tunneling via GitHub authentication and deployment of the DWAgent remote administration tool. The group primarily targets South Korean defense, government, and public sector entities, with some attacks observed in Brazil and Germany. Infrastructure relies on free South Korean domain hosting, hacked websites, and tunneling services like Cloudflare Quick Tunnels and Ngrok. LLM-generated code comments were found in HelloDoor, suggesting AI-assisted development.

Source: securelist.com (27 min read)
Table of contents of the original report: Executive summary, Background, Initial access, Deployed malware, Post-exploitation, Infrastructure, Victims, Attribution, Conclusion, Indicators of compromise.
