Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged

The article reports that the North Korean threat actor Kimsuky is conducting targeted campaigns against South Korean military and corporate entities using sophisticated social engineering, HTTPSpy RAT, and newly enhanced malware families such as HelloDoor, HttpMalice, HttpTroy, AppleSeed, and HappyDoor.[1] It also details abuse of legitimate remote tunneling features in Microsoft VS Code and Cloudflare Quick Tunnels, plus the likely use of large language models (LLMs) to develop malware like the Rust-based HelloDoor, indicating a tactical shift toward flexible, covert C2 and rapid tooling evolution.[1] From a CyberSE.AI perspective, the documented use of LLMs to assist malware development and the abuse of remote tunneling services map directly to AI agent abuse risks: similar LLM-capable agents or code-assist systems in enterprises could be misused to generate, maintain, or deploy malware, and to orchestrate stealthy remote access channels if not tightly governed. Organizations running AI-enabled development or operations pipelines should adopt continuous AI red teaming, harden agent tool access, and audit business logic to prevent LLM-powered agents from being repurposed for intru