This report details how Kimsuky targeted South Korean military and enterprises through April 2026, combining tailored social engineering with a revamped HttpSpy execution chain.Our analysis of the Webex-spoofing case revealed the full execution chain of the final payload, an HttpSpy variant. Unlike previous versions of HttpSpy that operated as a single binary, this variant splits the installation process into three stages. In the Zsecurity software-spoofing case, we were only able to recover artifacts up to the downloader stage; however, we attributed both campaigns to the same threat actor based on shared RC4 keys, infrastructure, and code patterns.Kimsuky added JSONP communication functionality to the fake web pages, allowing them to query a local server set up by the malware on the victim's system. This enabled the page to check whether the malware had been executed and prompt installation if it had not (JSONPing; see Section 4.4). Additionally, we observed evidence that Kimsuky leveraged meeting schedule information from a presumably already-compromised victim to craft a fake meeting page and distribute malware to other participants.

Windows loads the appropriate kernel driver by interpreting USB Descriptor when a USB device is connected. If the data sent by the device is not properly validated, this can lead to kernel-level vulnerabilities.Local Privilege Escalation (LPE) via USB is possible in environments where physical access is available.In Active Directory environments, attackers can steal machine account credentials with SYSTEM integrity on a workstation and leverage them for lateral movement within the domain. Additionally, they can bypass some restrictions imposed by limited user environments in kiosk or POS devices, and similar conditions apply to public PCs and conference room devices.In this article, we discuss Windows USB driver vulnerabilities and demonstrate how an attacker can achieve SYSTEM integrity using a malformed USB device and a userland program. We share the full process, from vulnerability discovery to root cause analysis and exploit development.We are security researchers at ENKI WhiteHat and Windows bug hunters, Dongjun Kim and Jongseong Kim. We previously shared our research on Windows vulnerabilities in a prior post [link].

We recently identified multiple instances of malware on Github that abuse VS Code automation features. Our analysis attributes this activity to Contagious Interview, a DPRK-nexus campaign active since at least 2025-08 that primarily targets developers.In this campaign, threat actors typically pose as recruiters to approach targets. Under the guise of coding tests or video interviews, they lure victims into downloading malicious payloads such as BeaverTail, InvisibleFerret, and OtterCookie.The Github accounts identified in this investigation purported to be recruiters for legitimate companies, Web3 developers, and fictitious organizations. The threat actors likely employed these personas to blend in with normal recruitment and development activities, establishing trust to facilitate malware distribution.Furthermore, our analysis of the deployed malware revealed artifacts suggesting the code was generated using LLMs. This indicates that the threat actors are actively using AI technologies to develop malicious tools more efficiently and complicate reverse engineering efforts.This report examines the threat actors' Github activities and details the operational mechanisms and capabilities of the malware used in these attacks.