httpMalice
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueKimsuky obtains initial access to target systems by delivering spear-phishing emails containing malicious attachments disguised as documents.
Execution
4 techniquesHTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
The malicious payload leverages powershell.exe -windowstyle hidden certutil -decode [src path] [dst path] for the second Base64 decoding before execution.
HttpMalice, the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system, set up persistence, perform reconnaissance using native Windows commands.
Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments.
Persistence
2 techniquesPrivilege Escalation
2 techniquesStealth
4 techniquesReger Dropper (.SCR) and Pidoc Dropper (.PIF) also contain benign lure files and malicious payloads that, in both cases, are encrypted using XOR operations... Pidoc Dropper is fully obfuscated using dummy data and encrypted strings.
These attachments often consist of compressed files containing droppers in formats such as .JSE, .EXE, .PIF, or .SCR. The filenames are consistent with the message content and are meant to convince the recipient to open the attachment.
Ultimately, the malicious payload is executed via command-line instructions such as ... rundll32.exe [file path] [export function] .
HttpMalice, the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system, set up persistence, perform reconnaissance using native Windows commands, capture screenshots, load downloaded payloads into memory, run commands, and exfiltrate the execution output.
Discovery
1 techniqueHttpMalice, the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system.
Collection
2 techniquesHTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
Upload a directory to the C2 server after it has been archived
Command and Control
3 techniquesThe implant communicates with the C2 server ... over the HTTP protocol.
version 1.8 uses Dropbox. The latter, the older variant, leverages the Dropbox API by utilizing pre-defined application credentials.
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
Exfiltration
1 techniqueHttpMalice, the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system, set up persistence, perform reconnaissance using native Windows commands, capture screenshots, load downloaded payloads into memory, run commands, and exfiltrate the execution output.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
New malware family deployed by Kimsuky as part of its evolving intrusion toolkit.
A PebbleDash backdoor variant that performs host reconnaissance, persistence, screenshot capture, in-memory payload loading, command execution, and exfiltration of command output.
A PebbleDash-based backdoor with HTTP/HTTPS and older Dropbox-based variants. It profiles hosts, persists via a Windows service or Run key, sends screenshots and status beacons, receives commands from C2, and can execute commands, transfer files, archive directories, hibernate, remove itself, and load payloads into memory.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.