CTI-2026-0526-KIMSUKY-PEBBLEDASH
Kimsuky (APT43) — Analysis of the New PebbleDash · AppleSeed Toolset
First Rust-based backdoor, abuse of VSCode · Cloudflare tunneling, and traces of LLM-generated code
Field
Value
CTI-2026-0526-KIMSUKY-PEBBLEDASH Kimsuky (APT43) — Analysis of the New PebbleDash ·...
CTI-2026-0526-KIMSUKY-PEBBLEDASH
Kimsuky (APT43) — Analysis of the New PebbleDash · AppleSeed Toolset
First Rust-based backdoor, abuse of VSCode · Cloudflare tunneling, and traces of LLM-generated code
Field
Value

Kimsuky used fake security tools and Webex pages in March-April 2026 to deploy HTTPSpy, enabling persistent espionage and data…

New IElevator2 COM interface? No problem

VerdantBamboo used BRICKSTORM, PLENET, and AGENTPSD after an 18-month breach, enabling stealthy Linux appliance access.

Sapphire Sleet (North Korean APT) compromised 140+ Mastra npm packages via postinstall hook to steal AI API keys and cloud…

Project Ire examined a timely malware sample and determined its intent through reverse engineering—identifying LOTUSLITE…

A 700-repo npm supply-chain campaign drops /tmp/.sshd and bolts a fake "Dependency Cache Sync" step into your GitHub Actions.…