Kimsuky PebbleDash and AppleSeed Malware Campaigns

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Targeted sectors: Operations focused on South Korean entities, alongside defense targets in Brazil and Germany.
  • Malware variants: Threat actors deployed HelloDoor, httpMalice, MemLoad, httpTroy, AppleSeed, and HappyDoor malware.
  • Legitimate tools: Attackers abused VSCode tunneling, GitHub authentication, and DWAgent for post-exploitation.

A new suite of PebbleDash-based tools was linked to the AppleSeed malware cluster in observed campaigns attributed to the advanced persistent threat (APT) group Kimsuky, also recognized under the threat aliases APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail.

The campaign disseminated backdoors such as HelloDoor, httpMalice, MemLoad, httpTroy, AppleSeed, and HappyDoor, leveraging legitimate tools such as VSCode and DWAgent.

Kimsuky Payload Delivery and Post-Exploitation

To secure initial access, Kimsuky utilized highly targeted spearphishing emails containing malicious attachments, occasionally leveraging instant messengers to initiate contact. Upon successful initial compromise, the operators utilized diverse droppers formatted as JSE, PIF, SCR, and EXE files, Kaspersky researchers found.

Updated AppleSeed infection chain | Source: Kaspersky

These execution chains subsequently deployed multiple malware families into the target environments, specifically dropping the HelloDoor, httpMalice, MemLoad, httpTroy, AppleSeed, and HappyDoor variants to establish persistent backdoor access.

Timeline of the AppleSeed and PebbleDash malware families | Source: Kaspersky

For post-exploitation persistence and covert command execution, Kimsuky abused legitimate infrastructure. The group leveraged Visual Studio Code (VSCode) tunneling combined with GitHub authentication mechanisms, alongside the remote administration tool DWAgent and Cloudflare Quick Tunnels.

Creating a tunnel using VSCode CLI | Source: Kaspersky

Command-and-control (C2) communications were predominantly routed through free South Korean hosting domains to obfuscate malicious network traffic.
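The three legitimate tunnelling and remote-access tools named above are ordinary software, so the defensive signal is their appearance on hosts or under accounts that have no business running them. The following is an added detection example, not code from Kaspersky or from this article: it scans constructed process-creation log lines for VSCode CLI tunnel invocations, Cloudflare Quick Tunnels and DWAgent. The `code tunnel` and `cloudflared tunnel --url` syntaxes are the tools' documented ones; the DWAgent binary names and the log format are assumptions.

```python
"""Flag process-creation events matching the living-off-the-land tunnelling
tools Kimsuky abused: VSCode CLI tunnels, Cloudflare Quick Tunnels, DWAgent.
All log lines below are constructed for this example."""
import re
from dataclasses import dataclass

# (rule name, pattern over the full command line). The VSCode and cloudflared
# syntaxes are documented; the DWAgent binary names are an assumption.
RULES = [
    ("vscode-tunnel", re.compile(r"\bcode(?:\.exe)?['\"]?\s+tunnel\b", re.I)),
    ("cloudflare-quick-tunnel",
     re.compile(r"\bcloudflared(?:\.exe)?\b.*\btunnel\b.*--url\b", re.I)),
    ("dwagent", re.compile(r"\bdwag(?:ent|svc)(?:\.exe)?\b", re.I)),
]

# Assumed log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def scan(lines):
    """Return one Finding per log line that matches a rule (first rule wins)."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a process-creation record in the assumed format
        cmd = m.group("cmd")
        for name, pat in RULES:
            if pat.search(cmd):
                findings.append(Finding(name, m.group("host"), m.group("user"), cmd))
                break
    return findings


# Constructed sample events: two benign, three that mirror the abuse described.
SAMPLE_LOG = """\
2025-11-03T09:12:01Z host=ws-17 user=jlee cmd="C:\\Program Files\\Microsoft VS Code\\Code.exe" --folder C:\\proj
2025-11-03T09:13:44Z host=ws-17 user=jlee cmd=code tunnel --accept-server-license-terms --name ws-17
2025-11-03T09:20:10Z host=ws-22 user=SYSTEM cmd=cloudflared.exe tunnel --url http://127.0.0.1:8080
2025-11-03T09:25:03Z host=ws-22 user=SYSTEM cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs
2025-11-03T09:31:57Z host=ws-09 user=mkim cmd=C:\\Program Files\\DWAgent\\native\\dwagsvc.exe run
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.host} {f.user}: {f.cmdline}")
```

A plain VSCode editor launch on the first line is not flagged; only the explicit tunnel, quick-tunnel and DWAgent invocations are, so the rules can be fed into an allow-list review per host and account rather than blocking the tools outright.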

Global Targets and Sector Focus

The cyberespionage campaigns predominantly targeted public and private entities within South Korea. However, the geographic scope expanded as PebbleDash attacks emerged in Brazil and Germany, prioritizing organizations within the defense sector.

At the same time, the AppleSeed malware cluster demonstrated a distinct focus on compromising government organizations.

In October 2025, TigerJack malware was distributed via malicious VSCode extensions, infecting over 17,000 developers. In March 2026, a GitHub phishing campaign targeted developers with fake VS Code alerts urging them to patch fabricated CVEs.

Early this year, the FBI warned that a Kimsuky spearphishing campaign targeted the U.S. with malicious QR codes (quishing).

In other recent news, suspected Belarusian state-nexus actors are targeting Ukraine with a new Cobalt Strike cyberespionage campaign.
