Briefing

Kimsuky Targets South Korean Military and Corporate Entities with Spoofed Security Pages

security
by The Hacker News

Watch for spoofed security software pages and fake Webex meeting pages, and verify URLs before clicking.

What to do now

Implement URL verification, web filtering, and multi‑factor authentication for remote collaboration tools.

Summary

The North Korean state‑sponsored threat actor Kimsuky, also known as Velvet Chollima, has been linked to a fresh set of cyberattacks that targeted South Korean military and corporate entities during March and April 2026. The attackers employed a range of tailored social engineering tactics, including spoofing security software installation pages and creating a fake Webex meeting page that leveraged legitimate Webex branding. The fake Webex page was designed to trick users into downloading a malicious add‑on that installed a backdoor on the victim’s system. Kimsuky also used phishing emails that referenced upcoming security updates, prompting recipients to click on malicious links. The campaign’s goal was to gain persistent access to sensitive military and corporate networks. The attackers leveraged the trust placed in well‑known software vendors and collaboration platforms to bypass security controls. Researchers identified the malicious payloads as a remote access trojan (RAT) that could exfiltrate data and provide command‑and‑control capabilities. The activity underscores the continued threat posed by Kimsuky to South Korean critical infrastructure.

The spoofed security software pages used legitimate icons and branding to appear authentic, while the fake Webex page included a download link for a malicious installer. The attackers also used a custom domain that closely resembled the official Webex domain, making it difficult for users to detect the deception. The campaign included the use of a malicious PowerShell script that silently installed the backdoor and established a reverse shell to a remote server. The threat actor’s tactics were tailored to the specific target, with emails referencing the recipient’s organization and role. The researchers recommend verifying URLs, using web filtering, and implementing multi‑factor authentication for remote collaboration tools.

Key changes

  • Kimsuky (Velvet Chollima) targeted South Korean military and corporate entities in March–April 2026.
  • Attackers spoofed security software installation pages and created a fake Webex meeting page.
  • The fake Webex page contained a malicious add‑on that installed a backdoor.
  • Phishing emails referenced upcoming security updates to lure recipients.
  • The malicious payload was a remote access trojan that exfiltrated data and provided C2.
  • The campaign leveraged trust in legitimate software vendors and collaboration platforms.
  • Researchers identified a malicious PowerShell script that installed a reverse shell.
  • Verification of URLs and use of web filtering are recommended mitigations.
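The URL-verification advice above, applied to the lookalike-domain trick the summary describes, as an added example (not code from the briefing or the researchers). It assumes webex.com is the legitimate Webex domain and uses constructed sample hosts under the reserved .example TLD, not any observed campaign domain.

```python
from urllib.parse import urlsplit
import unicodedata

# Legitimate domain of the collaboration tool named in the briefing. Assumption:
# webex.com is Cisco's real Webex domain; the briefing does not spell it out.
TRUSTED_DOMAINS = {"webex.com"}

# Character substitutions typosquatters commonly use; extend as needed.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_label(label: str) -> str:
    """Fold Unicode (NFKC) and common homoglyph tricks into plain ASCII letters."""
    label = unicodedata.normalize("NFKC", label).lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Approximate the registrable domain as the last two labels (no PSL lookup).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    sld = normalize_label(labels[-2])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Trusted name used as a leading subdomain of another domain (webex.com.example).
        if f".{trusted}." in f".{host}.":
            return "lookalike"
        # Brand embedded in the registrable label (webex-meetings.example).
        if brand in sld and sld != brand:
            return "lookalike"
        # One-character typo, homoglyph or TLD swap of the brand (vvebex.example).
        if levenshtein(sld, brand) <= 1:
            return "lookalike"
    return "unrelated"
```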

Affects

none
