North Korean Hackers Shift Tactics: Kimsuky Adopts Lazarus Group Tools in New Campaign

Breaking — The North Korean threat actor Kimsuky has dramatically expanded its cyber arsenal by adopting tools originally used by the Lazarus Group, signaling a significant tactical shift in ongoing campaigns targeting South Korea, Brazil, and Germany, according to new research.

Over the past several months, cybersecurity analysts have observed Kimsuky using malware variants based on the PebbleDash platform — a toolset historically associated with Lazarus but appropriated by Kimsuky since at least 2021. The group now leverages legitimate tools such as Visual Studio Code tunneling, Cloudflare Quick Tunnels, the open-source DWAgent remote monitoring tool, and even large language models (LLMs).

“Kimsuky is evolving faster than we’ve seen before,” said a senior analyst at Kaspersky, which first identified the group in 2013. “Their integration of Lazarus infrastructure and new technologies like Rust programming shows a deliberate effort to increase stealth and persistence.”

The Campaigns

The attacks begin with spear-phishing emails containing malicious attachments disguised as documents. In some cases, the group contacts victims via instant messengers. Once a target opens the attachment, a variety of droppers (in JSE, PIF, SCR, EXE formats) deliver malware from two main clusters: PebbleDash and AppleSeed.

Source: securelist.com

Specific PebbleDash malware observed includes HelloDoor, httpMalice, MemLoad, and httpTroy. From the AppleSeed cluster, researchers found AppleSeed and HappyDoor. These are considered the group’s most technically advanced tools.

“The use of VSCode’s legitimate tunneling feature for persistence is particularly worrying,” added the analyst. “It allows Kimsuky to blend in with normal development traffic.”

VSCode and DWAgent Tactics

Kimsuky establishes remote access by abusing VSCode's legitimate tunneling feature, authenticating to the tunnel through GitHub accounts. For post-exploitation, it deploys DWAgent, an open-source remote monitoring and management tool. These activities have affected various public and private entities in South Korea.

Command & Control Infrastructure

The group hosts its command-and-control infrastructure primarily on domains registered through a free South Korean hosting provider. It also uses hacked South Korean websites and tunneling services like Ngrok or VSCode tunnels to conceal communications.

Target Scope

Background

First identified by Kaspersky in 2013, Kimsuky has been active for over a decade. Historically considered less technically proficient than other North Korean APT groups, it has nonetheless demonstrated skill in crafting tailored spear-phishing emails and maintaining a proprietary malware arsenal.

This latest shift — borrowing from the Lazarus Group’s playbook — marks a notable escalation. “Kimsuky is now operating with an expanded toolbox that includes off-the-shelf and custom malware, making detection harder,” the Kaspersky analyst explained.

What This Means

The adoption of Lazarus-style tools and modern technologies suggests Kimsuky is closing the capability gap with other advanced persistent threats. Organizations in the defense and government sectors, particularly in South Korea, must reassess their defenses against sophisticated spear-phishing and tunneling-based intrusions.

Cybersecurity teams should monitor for unusual VSCode tunneling activity, especially when paired with GitHub authentication. The use of large language models hints at possible AI-assisted social engineering in future campaigns, demanding vigilance against increasingly convincing phishing lures.
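As an added illustration of the monitoring advice above (example code, not from the original article or from Kaspersky's research), the following Python scans process-creation events for the tunneling and remote-management tools the article names and raises the severity when the tool was spawned by a script host, the JSE-style dropper pattern described earlier. The event format and command lines are constructed samples, and the DWAgent binary name and path are assumptions.

```python
import json
import re


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed sample process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "dev", "parent": "explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"host": "ws02", "user": "dev", "parent": "explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": "code.exe C:\\proj\\main.py"},          # benign editor launch
    {"host": "ws03", "user": "svc", "parent": "wscript.exe",
     "image": r"C:\Users\svc\AppData\Local\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel --url http://localhost:3389"},
    {"host": "ws04", "user": "svc", "parent": "cmd.exe",
     "image": r"C:\Program Files\DWAgent\native\dwagent.exe",  # assumed name/path
     "cmdline": "dwagent.exe"},
    {"host": "ws05", "user": "dev", "parent": "cmd.exe",
     "image": r"C:\Tools\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
]

# Rules check both the image name and the command line, so a plain editor
# launch of code.exe is not flagged but "code tunnel" is.
RULES = [
    ("vscode_tunnel", lambda e: basename(e["image"]) == "code.exe"
        and re.search(r"\btunnel\b", e["cmdline"])),
    ("cloudflare_quick_tunnel", lambda e: "cloudflared" in basename(e["image"])
        and re.search(r"\btunnel\b.*--url\b", e["cmdline"])),
    ("ngrok", lambda e: basename(e["image"]).startswith("ngrok")),
    ("dwagent", lambda e: "dwagent" in basename(e["image"])),  # assumption
]

SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def classify(event):
    """Names of every rule the event matches (empty list if benign)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events):
    """(host, rule, severity) for each suspicious event; a script-host parent
    (the dropper pattern from the article) raises severity to high."""
    hits = []
    for e in events:
        for rule in classify(e):
            sev = "high" if e["parent"].lower() in SCRIPT_PARENTS else "medium"
            hits.append((e["host"], rule, sev))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(json.dumps(hit))
```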

“This is not just a one-off adaptation,” the analyst warned. “It signals a long-term strategic evolution that will likely continue.”
