4.1. Fake Webex Meeting Page

In April 2026, we identified a case where Kimsuky distributed malware through a malicious page impersonating Webex, Cisco's online meeting service. Notably, the fake meeting page was crafted based on an actual Webex meeting schedule, suggesting that the attacker had previously compromised a attendee’s account or device to obtain the schedule. Rendering the HTML code retrieved from the URL below displays a loading UI over a blurred meeting entry page background.

• URL: hxxps://conference.birdriver[.]org/

caption - Fake meeting entry page

Five seconds after the page loads, the fake meeting page displays a dialog box instructing the user to install and run a camera patch script, and prompts them to click the confirm button. Clicking the button downloads an ALZip archive containing a jse file. The URL endpoint and parameter structure are identical to those used in the fake installation page from the security software spoofing case.

• URL: hxxps://download.birdriver[.]org/download.php?id=425623

caption - Malware download dialog box

Executing the downloaded jse file ultimately installs an HttpSpy variant on the system. The malware also drops and opens meeting.html, which immediately redirects the victim to a Webex meeting room.

Accessing the redirect URL opens a legitimate Webex meeting room. We confirmed that the meeting was a legitimate scheduled event around the time of the malware distribution. This indicates that the attacker likely compromised an service member's device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees.

caption - Legitimate Webex meeting entry page

4.2. jse Dropper and Downloader

4.2.1. fix-camera.jse

fix-camera.jse drops and executes a base64-encoded malware payload and a decoy HTML file to C:\ProgramData\mTSTCv8.mdxm and C:\ProgramData\meeting.html, respectively. The jse script employs several obfuscation techniques, including assigning base64-encoded data to junk variables and slicing strings to reassemble them with "+" concatenation.

caption - Obfuscated jse script

The malware is double base64-encoded. The script first decodes it and drops the result to C:\ProgramData\mTXDZew.sz8f, then uses certutil to perform a second decode and saves the final payload to C:\ProgramData\mTSTCv8.mdxm. mTSTCv8.mdxm is executed via the following command.

• powershell.exe -windowstyle hidden regsvr32.exe /s C:\ProgramData\mTSTCv8.mdxm

4.2.2. mTSTCv8.mdxm (loadDll.dll)

mTSTCv8.mdxm is a downloader that retrieves a second-stage payload from the C&C server. Its export name is loadDll.dll, and it contains the following PDB path.

• PDB Path: C:\Users\jira\Documents\My_Received_Files\loadDll\x64\Release\loadDll.pdb

Upon execution, the malware checks for VM environments and analysis tools, terminating the process if either is found. The VM detection routine reads the following two registry values and checks for the strings "VMware" and "VirtualBox".

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

For analysis tool detection, the malware enumerates all running processes and open window titles, checking them against a hardcoded list of strings. The full list of detection targets can be found in Appendix D, "Analysis tool detection list" Finally, it downloads an additional payload from the URL below, loads it into the current process memory, resolves the address of the Play export function, and executes it.

• URL : hxxps://download[.]birdriver[.]org/download.php?id=393156

caption - Malware download and execution routine

The downloaded payload goes through a three-stage installation process that ultimately installs an HttpSpy variant on the victim's system.

4.3. HttpSpy Variant Execution Flow

4.3.1. engine.dat (spyInster.dll)

engine.dat is the payload downloaded by loadDll.dll, with the export name spyInster.dll. As the export name suggests, its role is to install the final payload, HttpSpy, on the victim's system.

engine.dat employs two types of string obfuscation. Wide character (wchar) strings are decoded by subtracting a fixed offset from each character, while regular strings are XORed with a key that incorporates the position index. engine.dat dynamically restores obfuscated API names, hashes them with FNV-1a, and compares the results against the export table entries of loaded modules to resolve function pointers.

caption - wchar string obfuscation routine

caption - Regular string obfuscation routine

engine.dat decrypts an embedded RC4-encrypted payload and drops it to C:\Users\Public\cacheMon.dat. It then RC4-decrypts the configuration data and appends it to cacheMon.dat as a DATA_CONF alternate data stream (ADS). The RC4 keys used to decrypt cacheMon.dat and the ADS configuration file are as follows.

• cacheMon.dat decryption RC4 key: %^fseRW#r3qwrwfsddREfGEgse)(14);

• ADS decryption RC4 key: RGdcsedfd@#%dg9ser3$#$^@34sdfxl

Just before appending the configuration file, the malware patches a 32-bit value computed by rand() * rand() / 2 into offset 0x1228 of the config data. This value is later used by the HttpSpy main module as a victim identifier. Finally, the malware registers an autorun command in the registry and directly executes C:\Users\Public\cacheMon.dat using regsvr32.exe. The registered registry value and data are as follows.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateInstaller = C:\Windows\System32\regsvr32.exe /s C:\Users\Public\cacheMon.dat

4.3.2. cacheMon.dat (spyLoader.dll)

cacheMon.dat, dropped by engine.dat, is an HttpSpy loader with the export name spyLoader.dll. It decrypts the RC4-encrypted HttpSpy main module, loads it into the current process memory, resolves the address of the hello export function, and executes it. The RC4 decryption key is as follows.

• RC4 Key: #RsfsetraW#@EsfesgsgAJOPj4eml;

caption - Final payload loading routine

4.3.3. HttpSpy Main Module

The final payload is a RAT with the export name httpSpy.dll. It shares the same export name as the final payload used in the May 2025 CJ Olivenetworks certificate abuse attack, and its C&C communication protocol and remote command structure are highly similar. The compilation timestamp is recorded as October 15, 2025, suggesting the malware may have been in use since the latter half of 2025.

In its main loop, the malware loads the C&C server URL from the configuration data previously appended to cacheMon.dat as an ADS, and receives remote commands via HTTP POST. If a proxy address is set at offset +0x410 (1040) in the configuration file, communication is routed through that proxy, with 2[.]2[.]2[.]2 used as the proxy bypass address. The configuration data extracted from the analyzed sample is shown in the table below.

| Offset | Size | Purpose | Initial Value |
| --- | --- | --- | --- |
| +0 | 520 | Primary C&C URL (wide string) | hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php |
| +520 | 520 | Secondary C&C URL (wide string) | (Empty) |
| +1040 | 520 | Proxy Address (wide string) | (Empty) |
| +1560 | 520 | HTTP Auth Username (wide string) | (Empty) |
| +2080 | 520 | HTTP Auth Password (wide string) | (Empty) |
| +2600 | 2048 | Unused Space |  |
| +4648 | 4 | Session ID (DWORD) | rand()*rand()/2

| Offset | Size | Purpose | Initial Value |
| --- | --- | --- | --- |
| +0 | 520 | Primary C&C URL (wide string) | hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php |
| +520 | 520 | Secondary C&C URL (wide string) | (Empty) |
| +1040 | 520 | Proxy Address (wide string) | (Empty) |
| +1560 | 520 | HTTP Auth Username (wide string) | (Empty) |
| +2080 | 520 | HTTP Auth Password (wide string) | (Empty) |
| +2600 | 2048 | Unused Space |  |
| +4648 | 4 | Session ID (DWORD) | rand()*rand()/2

| Offset | Size | Purpose | Initial Value |
| --- | --- | --- | --- |
| +0 | 520 | Primary C&C URL (wide string) | hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php |
| +520 | 520 | Secondary C&C URL (wide string) | (Empty) |
| +1040 | 520 | Proxy Address (wide string) | (Empty) |
| +1560 | 520 | HTTP Auth Username (wide string) | (Empty) |
| +2080 | 520 | HTTP Auth Password (wide string) | (Empty) |
| +2600 | 2048 | Unused Space |  |
| +4648 | 4 | Session ID (DWORD) | rand()*rand()/2

caption - HttpSpy configuration data structure

The parameters and values used in C&C server communication are shown in the table below.

| Parameter | Value |
| --- | --- |
| _sessionchk | ck_param_auto |
| _logininfo | login_ok for receiving commands / login_fail for sending data |
| _pkgparam | Session ID (8-digit HEX) |
| _lockdata | Encrypted and base64-encoded data

| Parameter | Value |
| --- | --- |
| _sessionchk | ck_param_auto |
| _logininfo | login_ok for receiving commands / login_fail for sending data |
| _pkgparam | Session ID (8-digit HEX) |
| _lockdata | Encrypted and base64-encoded data

| Parameter | Value |
| --- | --- |
| _sessionchk | ck_param_auto |
| _logininfo | login_ok for receiving commands / login_fail for sending data |
| _pkgparam | Session ID (8-digit HEX) |
| _lockdata | Encrypted and base64-encoded data

caption - HttpSpy C&C communication parameters

All data sent and received during communication is encrypted with the following RC4 key and then base64-encoded.

• RC4 Key: RGdcsedfd@#%dg9ser3$#$^@34sdfxl

The supported command codes and their actions are shown in the table below.

| Command Code | Action |
| --- | --- |
| d | Execute a shell command, convert ANSI output to Unicode, and send to C&C server |
| e  | Download a file from the C&C server |
| f | Upload a specified file to the C&C server in 384KB chunks |
| g  | Execute a specified command in a hidden window via CreateProcessW |
| h | Execute a process in a specified WTS session |
| i | Overwrite a specified file with the 0x5F pattern, rename it to random lowercase characters, and delete it |
| j | Capture a full-screen BMP via GDI and upload to C&C server |
| k | Send the internal configuration buffer to the C&C server |
| l | Receive new configuration data from the C&C server and update the ADS |
| m | Perform a TCP connect test to a specified IP:Port |
| n | Sleep for a specified duration (in hours) |
| o | Copy the timestamp from a source file to a target file |
| p | Delete itself, remove persistence entries, and terminate (uninstall) |
| q | No operation |
| r | Execute a shell command and send raw binary output to C&C server |
| s | Inject a DLL path into a specified PID process (Remote DLL Injection)

| Command Code | Action |
| --- | --- |
| d | Execute a shell command, convert ANSI output to Unicode, and send to C&C server |
| e  | Download a file from the C&C server |
| f | Upload a specified file to the C&C server in 384KB chunks |
| g  | Execute a specified command in a hidden window via CreateProcessW |
| h | Execute a process in a specified WTS session |
| i | Overwrite a specified file with the 0x5F pattern, rename it to random lowercase characters, and delete it |
| j | Capture a full-screen BMP via GDI and upload to C&C server |
| k | Send the internal configuration buffer to the C&C server |
| l | Receive new configuration data from the C&C server and update the ADS |
| m | Perform a TCP connect test to a specified IP:Port |
| n | Sleep for a specified duration (in hours) |
| o | Copy the timestamp from a source file to a target file |
| p | Delete itself, remove persistence entries, and terminate (uninstall) |
| q | No operation |
| r | Execute a shell command and send raw binary output to C&C server |
| s | Inject a DLL path into a specified PID process (Remote DLL Injection)

| Command Code | Action |
| --- | --- |
| d | Execute a shell command, convert ANSI output to Unicode, and send to C&C server |
| e  | Download a file from the C&C server |
| f | Upload a specified file to the C&C server in 384KB chunks |
| g  | Execute a specified command in a hidden window via CreateProcessW |
| h | Execute a process in a specified WTS session |
| i | Overwrite a specified file with the 0x5F pattern, rename it to random lowercase characters, and delete it |
| j | Capture a full-screen BMP via GDI and upload to C&C server |
| k | Send the internal configuration buffer to the C&C server |
| l | Receive new configuration data from the C&C server and update the ADS |
| m | Perform a TCP connect test to a specified IP:Port |
| n | Sleep for a specified duration (in hours) |
| o | Copy the timestamp from a source file to a target file |
| p | Delete itself, remove persistence entries, and terminate (uninstall) |
| q | No operation |
| r | Execute a shell command and send raw binary output to C&C server |
| s | Inject a DLL path into a specified PID process (Remote DLL Injection)

caption - HttpSpy remote command codes

For command codes d and r, if the argument starts with cd, the malware changes the working directory using SetCurrentDirectoryW and sends the updated path to the C&C server. For all other commands, it executes them via cmd.exe /c, redirects standard output to a temporary file matching %TEMP%\NK[0-9a-fA-F]+\.tmp, collects the output, and sends it to the C&C server.

caption - Command processing routine

BMP data captured by command code j is saved to a temporary file matching %TEMP%JG[0-9a-fA-F]{4}\.tmp, uploaded to the C&C server, and deleted after the upload completes.

caption - Screenshot routine

4.4. Additional Security Software Spoofing Pages

Two new variants of security software installation spoofing HTML files were found on the same C&C server as the fake meeting page. Both pages periodically poll the C&C server and, depending on the response value, perform one of three actions: generate a personal information input form, insert a tracking pixel, or redirect the victim. Details of each HTML file are shown in the table below.

| **File Name** | 보안 검사.html | 보안프로그램 확인.html |
| --- | --- | --- |
| MD5 | be978477fe7c179cb9607a6e08a05dff | 8833a270ddef0f464d5916958b6778e6 |
| Masqueraded Org | National Health Insurance Service | DB Insurance |
| Identifier | gateless | gateless |
| User-Agent Mobile Detection | O | X |
| Polling Interval | 3 seconds | 5 seconds |
| Polling URL | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless |
| Tracking Pixel URL | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png |
| Functionality | Tracking pixel insertion
Victim redirection | Malware distribution
Check malware execution status
Tracking pixel insertion |
| Malware Download URL | N/A | hxxps://pipeline[.]embeddedonline[.]org/download3.php?sessid=54126&user-token=gateless |

| **File Name** | 보안 검사.html | 보안프로그램 확인.html |
| --- | --- | --- |
| MD5 | be978477fe7c179cb9607a6e08a05dff | 8833a270ddef0f464d5916958b6778e6 |
| Masqueraded Org | National Health Insurance Service | DB Insurance |
| Identifier | gateless | gateless |
| User-Agent Mobile Detection | O | X |
| Polling Interval | 3 seconds | 5 seconds |
| Polling URL | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless |
| Tracking Pixel URL | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png |
| Functionality | Tracking pixel insertion
Victim redirection | Malware distribution
Check malware execution status
Tracking pixel insertion |
| Malware Download URL | N/A | hxxps://pipeline[.]embeddedonline[.]org/download3.php?sessid=54126&user-token=gateless |

| **File Name** | 보안 검사.html | 보안프로그램 확인.html |
| --- | --- | --- |
| MD5 | be978477fe7c179cb9607a6e08a05dff | 8833a270ddef0f464d5916958b6778e6 |
| Masqueraded Org | National Health Insurance Service | DB Insurance |
| Identifier | gateless | gateless |
| User-Agent Mobile Detection | O | X |
| Polling Interval | 3 seconds | 5 seconds |
| Polling URL | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless | hxxps://pipeline[.]embeddedonline[.]org/check.php?x-csrf-token=gateless |
| Tracking Pixel URL | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png | hxxps://appview[.]imagetemplate[.]com/gateless_icon<Counter>.png |
| Functionality | Tracking pixel insertion
Victim redirection | Malware distribution
Check malware execution status
Tracking pixel insertion |
| Malware Download URL | N/A | hxxps://pipeline[.]embeddedonline[.]org/download3.php?sessid=54126&user-token=gateless |

caption - Additional security software spoofing page comparison

Both HTML files display a loading screen with the message "보안프로그램 검사 중"("Checking security software") upon access.

caption - New security software check spoofing page 1

caption - New security software check spoofing page 2

보안프로그램 확인.html communicates with a local server via JSONP to verify malware execution status. The page registers a unique global callback function in the format "vp20_" + Date.now() on the window object, then injects a <script> tag into the DOM that sends a request to localhost:16106 with this function as the callback parameter.

caption - Callback registration routine

Since browsers do not enforce the Same-Origin Policy (SOP) on <script> tags, the GET request reaches the local server set up by the malware. When the response executes as a script, the pre-registered callback is invoked and inspects theres value of the returned object. A value of 0 indicates that the malware is running. We have dubbed this technique "JSONPing."

caption - JSONPing request routine

If the JSONPing check determines that the malware is not running, the page displays an installation prompt. When the victim clicks the confirm button, the downloadProgram function is called to trigger a malware download. However, the malware download URL was inactive at the time of analysis, so the subsequent attack chain could not be recovered.

caption - Security software installation dialog box