{
  "iim_version": "1.1",
  "chain_id": "enki.2026.kimsuky-webex-httpSpy-jsonping",
  "title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
  "description": "ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.",
  "actor_id": "APT43",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_attribution": {
    "actor": "Kimsuky",
    "aliases": [
      "APT43",
      "Velvet Chollima",
      "Emerald Sleet"
    ],
    "attribution_source": "ENKI Whitehat",
    "confidence": "ENKI attributes the activity to Kimsuky based on attack infrastructure, code patterns, RC4 key reuse, and links to previous HttpSpy activity.",
    "caveat": "This chain models only the Webex/HttpSpy lane; JSONPing is included as context."
  },
  "x_source": {
    "title": "Kimsuky’s Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant",
    "publisher": "ENKI Whitehat",
    "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
    "published_at": "2026-05-27",
    "accessed_at": "2026-05-31T19:14:15.240001+00:00",
    "source_type": "original vendor research report",
    "source_policy": "Only ENKI Whitehat original source used."
  },
  "x_source_title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
  "x_source_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
  "x_resource_links_verified": [
    {
      "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified title/date, Kimsuky attribution, fake Webex URL, download URLs, fix-camera.jse, mTSTCv8.mdxm, engine.dat, cacheMon.dat, HttpSpy C2 and JSONPing context."
    }
  ],
  "x_iocs": {
    "urls": [
      "https://conference.birdriver.org/",
      "https://download.birdriver.org/download.php?id=425623",
      "https://download.birdriver.org/download.php?id=393156",
      "http://hdrgdrfes.chickenkiller.com/index.php"
    ],
    "files": [
      "fix-camera.jse",
      "C:\\ProgramData\\mTSTCv8.mdxm",
      "C:\\ProgramData\\meeting.html",
      "engine.dat",
      "spyInster.dll",
      "C:\\Users\\Public\\cacheMon.dat",
      "spyLoader.dll",
      "httpSpy.dll"
    ],
    "rc4_keys": [
      "%^fseRW#r3qwrwfsddREfGEgse)(14);",
      "RGdcsedfd@#%dg9ser3$#$^@34sdfxl ",
      "#RsfsetraW#@EsfesgsgAJOPj4eml;"
    ]
  },
  "x_limitations": [
    "Legitimate Webex meeting URL is not published and not invented.",
    "The March 2026 security-software lane is not merged into this Webex chain.",
    "JSONPing is modeled as contextual associated tradecraft, not as a required Webex-chain edge."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "url",
      "value": "https://conference.birdriver.org/",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states Kimsuky distributed malware through a malicious page impersonating Cisco Webex and gives the fake meeting URL as hxxps://conference.birdriver[.]org/.",
        "ENKI notes the page was crafted based on an actual Webex meeting schedule."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "fake_webex_lure"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "https://download.birdriver.org/download.php?id=425623",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states clicking the fake Webex camera-patch confirmation downloads an ALZip archive from hxxps://download[.]birdriver[.]org/download.php?id=425623."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "archive_download"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "fix-camera.jse",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states the archive contains fix-camera.jse and that executing it ultimately installs an HttpSpy variant.",
        "ENKI says fix-camera.jse drops and executes a base64-encoded payload and decoy HTML file."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "jse_dropper"
    },
    {
      "id": "e004",
      "type": "file",
      "value": "C:\\ProgramData\\meeting.html decoy redirector",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states the malware drops and opens meeting.html, which immediately redirects the victim to a legitimate Webex meeting room. The legitimate room URL is not published."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "decoy_redirect"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states fix-camera.jse drops the final decoded payload to C:\\ProgramData\\mTSTCv8.mdxm and executes it with hidden PowerShell/regsvr32.",
        "ENKI identifies mTSTCv8.mdxm as a downloader with export name loadDll.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "downloader"
    },
    {
      "id": "e006",
      "type": "url",
      "value": "https://download.birdriver.org/download.php?id=393156",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states mTSTCv8.mdxm downloads an additional payload from hxxps://download[.]birdriver[.]org/download.php?id=393156."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "second_stage_download"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "engine.dat / spyInster.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states engine.dat is downloaded by loadDll.dll, has export name spyInster.dll, and installs the final HttpSpy payload."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "installer_payload"
    },
    {
      "id": "e008",
      "type": "file",
      "value": "C:\\Users\\Public\\cacheMon.dat / spyLoader.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states engine.dat drops cacheMon.dat, appends DATA_CONF ADS, registers autorun, and executes it with regsvr32.",
        "ENKI identifies cacheMon.dat as an HttpSpy loader with export name spyLoader.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "loader_payload"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "HttpSpy main module / httpSpy.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states cacheMon.dat decrypts the RC4-encrypted HttpSpy main module, loads it in memory, resolves the hello export, and executes it.",
        "ENKI identifies the final payload as a RAT with export name httpSpy.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "final_rat"
    },
    {
      "id": "e010",
      "type": "url",
      "value": "http://hdrgdrfes.chickenkiller.com/index.php",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI’s extracted HttpSpy configuration lists the primary C&C URL as hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php.",
        "ENKI states HttpSpy receives remote commands via HTTP POST and sends data to the C&C server."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "c2_endpoint"
    },
    {
      "id": "e011",
      "type": "file",
      "value": "JSONPing local infection-verification server on localhost:62001 /ping?callback=...",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI describes JSONPing as fake pages querying a local server created by malware via JSONP.",
        "ENKI states calc.exe spawns a localhost:62001 server returning JSONP from /ping with callback."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "associated_verification_tradecraft",
      "x_modeled_as_context_only": true
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "redirector",
      "techniques": [
        "IIM-T015"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Associated JSONPing context; not terminal Webex C2 path."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Fake Webex page downloads from download.birdriver.org/download.php?id=425623."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Downloaded ALZip archive contains fix-camera.jse."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "fix-camera.jse drops meeting.html decoy."
      ]
    },
    {
      "from": "e004",
      "to": "e001",
      "type": "redirect",
      "sequence_order": 4,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "meeting.html redirects to a legitimate Webex room; exact legitimate URL not published."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "fix-camera.jse decodes and drops mTSTCv8.mdxm."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "execute",
      "sequence_order": 6,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "mTSTCv8.mdxm executed via hidden PowerShell/regsvr32."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "download",
      "sequence_order": 7,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "mTSTCv8.mdxm downloads from download.birdriver.org/download.php?id=393156."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 8,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat/spyInster.dll identified as downloaded payload."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 9,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat drops cacheMon.dat and configuration ADS."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "execute",
      "sequence_order": 10,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat executes cacheMon.dat using regsvr32."
      ]
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "cacheMon.dat decrypts, loads and executes HttpSpy main module."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "HttpSpy primary C2 is hdrgdrfes.chickenkiller.com/index.php and commands are via HTTP POST."
      ]
    },
    {
      "from": "e011",
      "to": "e001",
      "type": "references",
      "sequence_order": 13,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "JSONPing is associated fake-page verification tradecraft; contextual relation only."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Phishing: Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "Fake Webex social-engineering page."
    },
    {
      "technique_id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution",
      "comment": "fix-camera.jse staged payload."
    },
    {
      "technique_id": "T1218.010",
      "name": "System Binary Proxy Execution: Regsvr32",
      "tactic": "Defense Evasion",
      "comment": "Payload stages executed via regsvr32."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "HttpSpy C2 over HTTP POST."
    }
  ]
}