Kimsuky Deploys New PebbleDash Malware Variants via VSCode Tunneling, Targeting South Korean Organizations
What Happened — Kimsuky (APT43) has been delivering spear‑phishing emails with malicious attachments that drop a suite of PebbleDash‑based malware (HelloDoor, httpMalice, MemLoad, httpTroy) and AppleSeed tools. The group now leverages legitimate Visual Studio Code tunneling and the open‑source DWAgent RMM platform to maintain persistence and conduct post‑exploitation actions.
Why It Matters for TPRM —
- The use of legitimate development tools (VSCode) makes detection harder for downstream vendors.
- Remote monitoring agents (DWAgent) can be repurposed to pivot into third‑party environments.
- Campaigns have expanded beyond South Korea to Brazil and Germany, indicating a broader supply‑chain risk.
Who Is Affected — Government agencies, defense contractors, research institutions, and private enterprises in South Korea (and occasional victims in Brazil and Germany).
Recommended Actions —
- Review any third‑party relationships that provide VSCode or RMM services.
- Enforce strict email attachment scanning and user awareness training.
- Validate that remote monitoring tools are authorized and monitored for anomalous use.
Technical Notes —
- Initial access: spear‑phishing emails carrying malicious documents.
- Droppers delivered in JSE, PIF, SCR and EXE formats.
- Malware families: PebbleDash (HelloDoor, httpMalice, MemLoad, httpTroy) and AppleSeed (HappyDoor).
- Post‑exploitation tools: Visual Studio Code tunneling (authenticated via GitHub) and DWAgent.
- C2 infrastructure: free South Korean domains, compromised websites, and tunneling services (Ngrok, VSCode).
Source: SecureList – Kimsuky PebbleDash Campaigns
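The detection side of the recommended actions, as an added example that is not part of the brief or of the Securelist research: a small Python triage script that runs over process‑creation events and flags the three behaviours the brief names, namely the VS Code CLI started in `tunnel` mode, an RMM agent running on a host that is not on an allow‑list, and a Windows script host executing a dropper‑style (.jse) file, plus a helper for screening attachment names against the dropper extensions listed above. The pipe‑separated log format, the host names, the allow‑list and the DWAgent process names (`dwagent.exe`, `dwagsvc.exe`, `dwagupd.exe`) are assumptions for the example; only the `tunnel` subcommand of the VS Code CLI and the extension list come from the page.

```python
import re
from dataclasses import dataclass

# Dropper extensions named in the brief (JSE, PIF, SCR, EXE).
DROPPER_EXTENSIONS = {"jse", "pif", "scr", "exe"}

# Hosts approved to run the RMM agent (constructed allow-list, an assumption).
RMM_ALLOWLIST = {"it-jump-01"}

# DWAgent process names (assumed for this example, not taken from the brief).
DWAGENT_PROCESSES = {"dwagent.exe", "dwagsvc.exe", "dwagupd.exe"}

# VS Code CLI binaries that accept the `tunnel` subcommand.
VSCODE_CLI = {"code.exe", "code", "code-tunnel.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line):
    """Parse one constructed event: timestamp|host|user|image|command_line."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "user", "image", "cmdline"), parts))


def check_attachment(filename):
    """True when the attachment's final extension is a dropper format.
    Double extensions such as report.pdf.scr are caught by looking at the last one."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in DROPPER_EXTENSIONS


def check_process_event(ev):
    """Apply the three behavioural rules to one parsed event."""
    findings = []
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()

    # Rule 1: VS Code CLI launched with the `tunnel` subcommand.
    if image in VSCODE_CLI and re.search(r"(^|\s)tunnel(\s|$)", cmd):
        findings.append(Finding(ev["host"], "vscode_tunnel", ev["cmdline"]))

    # Rule 2: RMM agent running on a host that is not approved for it.
    if image in DWAGENT_PROCESSES and ev["host"].lower() not in RMM_ALLOWLIST:
        findings.append(Finding(ev["host"], "unauthorized_rmm", image))

    # Rule 3: Windows script host executing a .jse file (dropper format).
    if image in {"wscript.exe", "cscript.exe"}:
        for token in cmd.replace('"', "").split():
            if token.endswith(".jse"):
                findings.append(Finding(ev["host"], "dropper_script_exec", token))
                break

    return findings


def scan(lines):
    """Run every rule over a sequence of raw event lines, in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend(check_process_event(ev))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"2025-01-10T09:12:03|ws-hr-07|jkim|C:\Users\jkim\AppData\Local\Programs\Microsoft VS Code\code.exe|"
    r'"code.exe" tunnel --accept-server-license-terms',
    r"2025-01-10T09:15:41|ws-hr-07|jkim|C:\Users\jkim\AppData\Local\Programs\Microsoft VS Code\code.exe|"
    r'"code.exe" C:\Users\jkim\Documents\notes.txt',
    r"2025-01-10T09:20:12|ws-fin-02|SYSTEM|C:\Program Files\DWAgent\native\dwagsvc.exe|dwagsvc.exe run",
    r"2025-01-10T09:21:05|it-jump-01|SYSTEM|C:\Program Files\DWAgent\native\dwagsvc.exe|dwagsvc.exe run",
    r"2025-01-10T09:33:27|ws-fin-02|mlee|C:\Windows\System32\wscript.exe|"
    r'wscript.exe "C:\Users\mlee\Downloads\invoice.jse"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

The allow‑list is the point of rule 2: the brief's advice is not to block RMM tools outright but to confirm they are authorized, so the script flags the agent only where nobody approved it. Rule 1 keys on the command line rather than a network indicator because a tunnel brokered through GitHub looks like ordinary developer traffic on the wire.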