Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Summary
Kimsuky used social-engineering pages disguised as security software installers and fake Webex meeting portals to deliver a multi-stage HttpSpy RAT infection chain. The campaign introduced a JSONP-based victim validation method called JSONPing and separated the malware into three components: an installer, a loader, and a final main module. Investigators also identified shared RC4 keys, reuse of XAMPP certificates, and infrastructure overlaps with earlier Kimsuky activity.
Investigation
Researchers analyzed the fraudulent installation pages, collected the dropper binaries, extracted the embedded RC4 keys, and rebuilt the three-stage execution flow from nos-setup.exe and astx-setup.exe through MemLoader.dll, engine.dat, and cacheMon.dat to the final HttpSpy payload. Network analysis also revealed GET requests to local ports as well as external command-and-control URLs used during execution.
Mitigation
Organizations should block the identified suspicious domains and IP addresses, restrict execution of script files from untrusted sources, and monitor for abuse of regsvr32 and suspicious scheduled task creation. Code-signing validation should be enforced for downloaded binaries. Users should also verify Webex meeting links before opening them, and defenders should use TLS inspection where appropriate to help detect JSONPing-related traffic.
Response
Security teams should detect the presence of the listed binaries, registry Run keys, scheduled tasks, and network indicators associated with the campaign. Any affected endpoints should be quarantined immediately, compromised code-signing certificates should be revoked, and forensic analysis should be performed to identify payloads, persistence methods, and any additional follow-on activity.
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- System Processes Execution from Untypical Paths (via process_creation)
- Regsvr32 Executing Payload In Suspicious Locations (via cmdline)
- Using Certutil for Data Encoding and Cert Operations (via cmdline)
- Suspicious Execution from Public User Profile (via process_creation)
- IOCs (HashSha256) to detect: Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
- IOCs (HashMd5) to detect: Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant Part 1
- IOCs (HashMd5) to detect: Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant Part 2
- IOCs (SourceIP) to detect: Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
- IOCs (DestinationIP) to detect: Kimsuky Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
- Detection of HttpSpy Variant C&C Communication [Windows Network Connection]
- Suspicious Execution of Regsvr32 and PowerShell for Malicious DLL Execution [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The adversary has obtained a custom DLL (mTSTCv8.mdxm) that contains a reflective loader for a second-stage payload. To avoid interactive execution, the attacker crafts a PowerShell one-liner that runs regsvr32.exe with the /s silent flag while hiding the PowerShell console (-WindowStyle Hidden). The DLL resides in C:\ProgramData to blend with legitimate application data. Execution steps:
- Copy the malicious DLL to C:\ProgramData\mTSTCv8.mdxm.
- Launch PowerShell (hidden) that runs regsvr32.exe /s C:\ProgramData\mTSTCv8.mdxm.
- The hidden PowerShell process spawns regsvr32.exe, which loads the DLL into its own process space, thereby achieving code execution under a trusted, signed binary.
Regression Test Script:
# ==============================
# Regression Test: Regsvr32 via PowerShell (Evil DLL)
# ==============================
# 1. Deploy the "malicious" DLL (simulated with a known benign system DLL for safety)
$dllPath = "C:\ProgramData\mTSTCv8.mdxm"
Copy-Item -Path "$env:SystemRoot\System32\windows.storage.dll" -Destination $dllPath -Force
# 2. Execute the hidden PowerShell launch that the Sigma rule looks for.
#    Resulting child command line: powershell.exe -WindowStyle Hidden regsvr32.exe /s "<dllPath>"
Start-Process -FilePath "powershell.exe" -ArgumentList "-WindowStyle Hidden", "regsvr32.exe", "/s", "`"$dllPath`"" -NoNewWindow
# Optional: wait a few seconds for the process-creation event to appear in logs
Start-Sleep -Seconds 5
# 3. Emit a marker event to the console for test validation
Write-Host "[*] Regsvr32 execution launched via hidden PowerShell."
Cleanup Commands:
# Remove the simulated malicious DLL
Remove-Item -Path "C:\ProgramData\mTSTCv8.mdxm" -Force -ErrorAction SilentlyContinue
# Close any lingering regsvr32.exe processes (if any)
Get-Process -Name regsvr32 -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[*] Cleanup completed."
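As an added illustration of the detection logic the simulation above is meant to exercise (example code written for this page, not the vendor's rule or anything from the campaign), the following Python classifies Sysmon-style process-creation events for the hidden-PowerShell-to-regsvr32 pattern and the suspicious-location pattern. All events, paths and field values are constructed samples modelled on the narrative; the field names follow Sysmon Event ID 1.

```python
import re

# Constructed Sysmon-style process-creation events (sample values, not indicators from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\ProgramData\mTSTCv8.mdxm"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r'powershell.exe -WindowStyle Hidden regsvr32.exe /s "C:\ProgramData\mTSTCv8.mdxm"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # benign vendor installer registering a COM DLL
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comctl.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "ParentCommandLine": r'"C:\Program Files\Vendor\setup.exe" /install'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # same TTP via cmd.exe and the Public profile
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\engine.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c regsvr32.exe /s C:\Users\Public\engine.dat"},
]
SUSPICIOUS_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
NORMAL_EXTS = (".dll", ".ocx", ".ax")
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def module_path(cmdline):
    """Module regsvr32 was asked to load: the last argument that is not a /switch (quotes honoured)."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else ""

def classify(event):
    """Reasons this process-creation event matches the hidden-PowerShell -> regsvr32 TTP (empty = clean)."""
    reasons = []
    if not event["Image"].lower().endswith("\\regsvr32.exe"):
        return reasons
    module = module_path(event["CommandLine"]).lower()
    name = module.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if any(d in module for d in SUSPICIOUS_DIRS):
        reasons.append("module in user-writable staging directory")
    if module and ext not in NORMAL_EXTS:
        reasons.append("module has non-standard extension")
    if event["ParentImage"].lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("spawned by script host")
    if HIDDEN_FLAG.search(event.get("ParentCommandLine", "")):
        reasons.append("parent launched with hidden window")
    return reasons

def run_detection(events=SAMPLE_EVENTS):
    """(index, reasons) for each event with at least two indicators; one alone is too noisy to alert on."""
    return [(i, classify(e)) for i, e in enumerate(events) if len(classify(e)) >= 2]
```

Running `run_detection()` flags the first and third sample events and leaves the vendor installer alone; the two-indicator threshold is a starting point to tune against your own baseline of legitimate regsvr32 use.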