httpSpy
HTTPSpy is a remote access trojan associated with the DPRK-linked threat actor Kimsuky, also tracked as Velvet Chollima. Public reporting links it to cyber espionage campaigns targeting South Korean military and corporate organizations in 2026, with additional reporting noting likely targeting of a German defense manufacturer between May and September 2024. Delivery relied on social engineering, including spoofed security software installation pages and counterfeit Cisco Webex meeting pages. In observed chains, victims were tricked into downloading malicious executables or an encrypted JavaScript file, which led to staged deployment through components including MemLoader.dll or loadDll.dll, intermediate downloaders such as mTSTCv8.mdxm, payloads such as engine.dat or spyInster.dll, and a loader component named cacheMon.dat that executed HTTPSpy. The malware family has evolved from a single binary to a three-stage architecture consisting of an installer, loader, and in-memory RAT. Reported persistence mechanisms include a Windows service named CacheDB, and related campaigns also used scheduled tasks in earlier stages. HTTPSpy communicates with command-and-control infrastructure over HTTP/HTTPS, including HTTP POST with custom command parameters, and protects outbound data with RC4 encryption. Its documented capabilities include executing shell commands, uploading and downloading files, executing processes, capturing screenshots, injecting DLL paths into specified PID processes, manipulating local documents, and deleting or erasing itself from the endpoint. The loader stages perform anti-analysis checks for VMware and VirtualBox, generate hardware identifiers, and retrieve payloads from external servers only if no analysis environment is detected. Reporting also supports attribution through infrastructure overlaps, such as repeated use of a default XAMPP certificate and a narrow set of autonomous system numbers associated with Kimsuky servers.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Specifically, the notorious Kimsuky HttpSpy malware campaign aggressively targets South Korean military and corporate organizations. In contrast to historical models, the current Kimsuky HttpSpy malware campaign adopts a complex three-stage architecture.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
This indicates that the attacker likely compromised a service member's device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees.
After five seconds, a fake update warning prompts users to deploy a malicious camera script.
Kimsuky ... utilized spoofed security software installation pages and fake Webex meeting invitations to deliver malware.
Execution
4 techniques
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
For instance, operators can execute shell commands, take system screenshots, or manipulate local documents remotely.
The execution of the JSE file results in the deployment of an intermediate downloader ("mTSTCv8.mdxm") using PowerShell, which then runs anti-analysis checks and contacts a C2 server to fetch the next-stage malware.
a counterfeit Cisco Webex page tricked victims into downloading an encrypted JavaScript file, leading to the deployment of the HTTPSpy RAT.
Persistence
2 techniques
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
Privilege Escalation
3 techniques
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
Stealth
8 techniques
A variant of the HTTPSpy remote access trojan was disguised as legitimate security software installers ... malicious payloads were distributed through a fake webpage impersonating a B2B messaging service's security software installer.
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
The primary responsibility of the binaries is to launch a second-stage DLL payload ("MemLoader.dll") via "regsvr32.exe," after which a batch script is run to delete themselves from disk.
This indicates that the attacker likely compromised a service member's device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees.
Discovery
2 techniques
Collection
1 technique
For instance, operators can execute shell commands, take system screenshots, or manipulate local documents remotely.
Command and Control
3 techniques
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
Once active, the main module leverages a wide range of custom command parameters via HTTP POST protocols.
If the environment is safe, it communicates with external servers to pull down the primary implant.
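The delivery and persistence chain described in the summary and in the Execution, Stealth and Command and Control excerpts above (regsvr32.exe loading MemLoader.dll, a PowerShell-launched .mdxm downloader, a batch script deleting the installer, and a persistence service named CacheDB) can be expressed as a host-telemetry triage rule. The Python below is an added example written for this page; it is not code from Mallory or from any of the cited reports. The event records, field names (event_type, image, command_line, parent_image, service_name, service_path) and file paths are constructed for illustration; only the DLL, downloader, payload and service names come from the reporting summarized above.

```python
import re
from dataclasses import dataclass

# Indicator names taken from the reporting summarized on this page.
STAGE_DLLS = {"memloader.dll", "loaddll.dll"}   # second-stage DLLs launched via regsvr32.exe
DOWNLOADER_EXT = ".mdxm"                        # intermediate downloader "mTSTCv8.mdxm"
SERVICE_NAME = "cachedb"                        # persistence service name reported for HTTPSpy
PAYLOAD_NAMES = {"engine.dat", "spyinster.dll", "cachemon.dat"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Event:
    """Normalised host event. Field names are assumed, not taken from any product's schema."""
    event_type: str            # "process" or "service_install"
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    service_name: str = ""
    service_path: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(ev: Event) -> list[str]:
    """Return the chain indicators this single event matches (empty list if none)."""
    hits = []
    img = basename(ev.image)
    cl = ev.command_line.lower()
    if ev.event_type == "process":
        # Stage 2: the installer launches MemLoader.dll / loadDll.dll through regsvr32.exe.
        if img == "regsvr32.exe" and any(d in cl for d in STAGE_DLLS):
            hits.append("regsvr32 loading a known stage DLL")
        # The intermediate downloader with the unusual .mdxm extension run by a script host.
        if img in SCRIPT_HOSTS and DOWNLOADER_EXT in cl:
            hits.append("script host running a .mdxm downloader")
        # Installer self-deletion: cmd.exe spawned by an .exe that deletes that same .exe.
        # If the delete lives inside a .bat file, script-content logging is needed to see it.
        parent = basename(ev.parent_image)
        if (img == "cmd.exe" and parent.endswith(".exe")
                and re.search(r"\bdel\b", cl) and parent in cl):
            hits.append("cmd.exe deleting its own parent executable")
        # Any direct reference to a payload or loader file name from the reporting.
        if img in PAYLOAD_NAMES or any(p in cl for p in PAYLOAD_NAMES):
            hits.append("reference to a known HTTPSpy payload or loader name")
    elif ev.event_type == "service_install":
        if ev.service_name.lower() == SERVICE_NAME:
            hits.append("service named CacheDB installed")
        if any(p in ev.service_path.lower() for p in PAYLOAD_NAMES):
            hits.append("service binary path references a known payload or loader name")
    return hits


def triage(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Index every event that matches at least one indicator, preserving input order."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_event(ev))]


# Constructed sample telemetry (not real logs): four chain-like events, then two benign ones.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\regsvr32.exe",
          command_line=r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\MemLoader.dll"',
          parent_image=r"C:\Users\user\Downloads\SecuritySetup.exe"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          command_line=r'cmd.exe /c del "C:\Users\user\Downloads\SecuritySetup.exe"',
          parent_image=r"C:\Users\user\Downloads\SecuritySetup.exe"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell.exe -w hidden -c "& C:\Users\user\AppData\Roaming\mTSTCv8.mdxm"',
          parent_image=r"C:\Windows\System32\wscript.exe"),
    Event("service_install", service_name="CacheDB",
          service_path=r"C:\ProgramData\CacheDB\cachedb.exe"),
    Event("process", image=r"C:\Windows\System32\regsvr32.exe",
          command_line=r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
          parent_image=r"C:\Windows\System32\msiexec.exe"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /c dir",
          parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The rule deliberately stays on host telemetry: the page gives the C2 transport (HTTP POST, RC4-protected body) but no header or URI specifics, so nothing here is matched on network traffic. File-name indicators are the weakest part of the rule, since the operators can rename components between campaigns; the regsvr32-to-self-delete sequence and the service installation are the behaviours worth alerting on even when the names change.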
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Kimsuky-associated remote access trojan used in cyber espionage campaigns. The described variant uses a three-stage chain consisting of an installer, a stealth loader, and the core RAT module. It performs environment checks, downloads the primary implant, executes shell commands, captures screenshots, manipulates local documents remotely, and communicates over HTTP POST with RC4-encrypted data transmission.
Remote access trojan used by Kimsuky, delivered via spoofed security software installers and fake Webex pages to provide covert access to victim systems.
A full-featured remote access trojan used by Kimsuky that provides remote command execution, file transfer, process execution, screenshot capture, DLL injection into specified processes, and self-deletion capabilities.
This source references a new variant of HttpSpy in the context of advanced Kimsuky attack techniques but provides no further behavioral details.