securelist.com 5/14/2026, 11:30:28 AM

Kimsuky updates PebbleDash and AppleSeed with HelloDoor backdoor

Threat Actor

Kimsuky, a Korean-speaking threat actor, has expanded its PebbleDash and AppleSeed toolsets across a string of campaigns, with PebbleDash variants such as HelloDoor, httpMalice and MemLoad, and AppleSeed variants including HappyDoor. The group delivers spear-phishing attachments and, in some cases, contacts targets directly over messenger, using droppers in formats such as JSE, PIF, SCR and EXE to install backdoors and harvest data.

HelloDoor, a Rust-based PebbleDash backdoor identified in 2025, communicates with a C2 server exposed through a TryCloudflare (Cloudflare Quick Tunnel) hostname and registers itself for persistence, while httpMalice and MemLoad are newer backdoor and memory-resident payloads that use RC4 obfuscation and several different C2 schemes.

Post-exploitation activity leverages legitimate tools such as Visual Studio Code, including VSCode Tunneling and a Go-based VSCode installer, alongside DWAgent for remote access; DWAgent is deployed both through a dropper chain and through a dedicated installer.

The actors host C2 infrastructure using South Korean free-domain hosting services and sporadically hijack South Korean sites or tunnel traffic via Ngrok, Cloudflare Quick Tunnels or VSCode Tunneling, enabling ongoing command and control across multiple targets in South Korea and beyond.
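Because the tunneling services named above (Ngrok, Cloudflare Quick Tunnels, VSCode Tunneling) all terminate on a small set of provider-owned domains, outbound DNS or proxy logs are a practical place to hunt for this activity. The following is an added example, not code from the Securelist article or from the CyberSIXT panel: it scans constructed, simplified proxy-log lines (timestamp, source IP, destination host) for hostnames under tunnel-provider domains. The domain suffix list is an assumption based on the providers' publicly documented hostnames and should be checked against current provider documentation before use in production detection.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Tunnel-provider domain suffixes (assumption, not from the article):
# each requires a subdomain, so visits to the provider apex (e.g. a developer
# browsing ngrok.com) are deliberately not matched.
TUNNEL_SUFFIXES = {
    ".trycloudflare.com": "Cloudflare Quick Tunnel",
    ".ngrok.io": "Ngrok",
    ".ngrok-free.app": "Ngrok",
    ".ngrok.app": "Ngrok",
    ".tunnels.api.visualstudio.com": "VS Code Remote Tunnel",
    ".devtunnels.ms": "VS Code / Dev Tunnel",
}

# Simplified log format (constructed for this example):
#   <ISO timestamp> <source IPv4> <destination hostname>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    source_ip: str
    host: str
    provider: str


def classify_host(host: str) -> Optional[str]:
    """Return the tunnel provider name if host sits under a known tunnel
    domain, else None. Hostnames are normalised to lower case without a
    trailing dot so Zeek/DNS-style FQDNs ("foo.ngrok.io.") also match."""
    h = host.lower().rstrip(".")
    for suffix, provider in TUNNEL_SUFFIXES.items():
        if h.endswith(suffix):
            return provider
    return None


def find_tunnel_hits(lines: List[str]) -> List[Hit]:
    """Parse log lines and return every line whose destination host is a
    tunnel-provider subdomain. Malformed lines are skipped, not raised."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        provider = classify_host(m.group("host"))
        if provider:
            hits.append(Hit(m.group("ts"), m.group("src"), m.group("host"), provider))
    return hits


def providers_by_source(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group hits by internal source IP: one host talking to more than one
    tunnel provider is a stronger signal than a single hit."""
    out: Dict[str, Set[str]] = {}
    for hit in hits:
        out.setdefault(hit.source_ip, set()).add(hit.provider)
    return out


# Constructed sample log, not real telemetry. Hostnames are invented.
SAMPLE_LOG = """\
2025-11-03T09:12:44Z 10.20.30.41 update.microsoft.com
2025-11-03T09:13:02Z 10.20.30.41 evident-sheer-nearby-hwy.trycloudflare.com
2025-11-03T09:13:05Z 10.20.30.41 global.rel.tunnels.api.visualstudio.com
2025-11-03T09:14:10Z 10.20.30.77 www.google.com
2025-11-03T09:15:30Z 10.20.30.77 a1b2c3d4.ngrok-free.app
2025-11-03T09:16:00Z 10.20.30.41 ngrok.com
this line is not a log record
"""


if __name__ == "__main__":
    found = find_tunnel_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.source_ip} -> {h.host} [{h.provider}]")
    for src, provs in providers_by_source(found).items():
        print(f"{src}: {sorted(provs)}")
```

A hit on its own is not proof of compromise: developers legitimately use Ngrok and VS Code tunnels. The value comes from correlation, for example a workstation that resolves a `trycloudflare.com` hostname shortly after a JSE/PIF/SCR attachment was opened, or that starts a VS Code tunnel without a developer toolchain ever having been installed through normal channels.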

Overall, the analysis suggests the two clusters—PebbleDash and AppleSeed—share technical links and are likely controlled by the same actor, with AppleSeed more often targeting government entities and PebbleDash showing broader defense-sector interests.

Article by CyberSIXT