North Korean hackers Kimsuky target South Korea with new malware variants

May 29, 2026
By SC Staff

Per The Hacker News, North Korean state-sponsored threat actor Kimsuky has been linked to a series of sophisticated cyberattacks against South Korean military and corporate entities during March and April 2026, employing novel social engineering tactics and advanced malware.

Kimsuky, also known as Velvet Chollima, utilized spoofed security software installation pages and fake Webex meeting invitations to deliver malware. A variant of the HTTPSpy remote access trojan was disguised as legitimate security software installers, a tactic consistently used by the group since 2023.

In one campaign, malicious payloads were distributed through a fake webpage impersonating a B2B messaging service's security software installer, targeting messaging administrators. In another, a counterfeit Cisco Webex page tricked victims into downloading an encrypted JavaScript file, leading to the deployment of the HTTPSpy RAT.

Kimsuky also leveraged Visual Studio Code tunneling and Cloudflare Quick Tunnels for covert remote access, bypassing traditional command-and-control channels.

The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.

These evolving tactics highlight Kimsuky's adaptability and persistent threat to various sectors in South Korea, including defense, government, and healthcare.

Source: The Hacker News