← feed

enki.2026.kimsuky-webex-httpSpy-jsonping

Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2

ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2

confirmed IIM v1.1 APT43
Raw JSON
entities11
relations13
techniques2
published2026-05-31 19:22:26

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

url

https://conference.birdriver.org/

2
staging

url

https://download.birdriver.org/download.php?id=425623

IIM-T024
3
staging

file

fix-camera.jse

4
redirector

file

C:\ProgramData\meeting.html decoy redirector

IIM-T015
5
staging

file

C:\ProgramData\mTSTCv8.mdxm / loadDll.dll

6
staging

url

https://download.birdriver.org/download.php?id=393156

7
payload

file

engine.dat / spyInster.dll

8
payload

file

C:\Users\Public\cacheMon.dat / spyLoader.dll

9
payload

file

HttpSpy main module / httpSpy.dll

10
c2

url

http://hdrgdrfes.chickenkiller.com/index.php

11
staging

file

JSONPing local infection-verification server on localhost:62001 /ping?callback=...

Relations

directed infrastructure edges
e001downloade002 confirmed
e002dropse003 confirmed
e003dropse004 confirmed
e004redirecte001 confirmed
e003dropse005 confirmed
e003executee005 confirmed
e005downloade006 confirmed
e006dropse007 confirmed
e007dropse008 confirmed
e007executee008 confirmed
e008executee009 confirmed
e009connecte010 confirmed
e011referencese001 tentative

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 url https://conference.birdriver.org/
ENKI states Kimsuky distributed malware through a malicious page impersonating Cisco Webex and gives the fake meeting URL as hxxps://conference.birdriver[.]org/.
ENKI notes the page was crafted based on an actual Webex meeting schedule.
e002 url https://download.birdriver.org/download.php?id=425623
ENKI states clicking the fake Webex camera-patch confirmation downloads an ALZip archive from hxxps://download[.]birdriver[.]org/download.php?id=425623.
e003 file fix-camera.jse
ENKI states the archive contains fix-camera.jse and that executing it ultimately installs an HttpSpy variant.
ENKI says fix-camera.jse drops and executes a base64-encoded payload and decoy HTML file.
e004 file C:\ProgramData\meeting.html decoy redirector
ENKI states the malware drops and opens meeting.html, which immediately redirects the victim to a legitimate Webex meeting room. The legitimate room URL is not published.
e005 file C:\ProgramData\mTSTCv8.mdxm / loadDll.dll
ENKI states fix-camera.jse drops the final decoded payload to C:\ProgramData\mTSTCv8.mdxm and executes it with hidden PowerShell/regsvr32.
ENKI identifies mTSTCv8.mdxm as a downloader with export name loadDll.dll.
e006 url https://download.birdriver.org/download.php?id=393156
ENKI states mTSTCv8.mdxm downloads an additional payload from hxxps://download[.]birdriver[.]org/download.php?id=393156.
e007 file engine.dat / spyInster.dll
ENKI states engine.dat is downloaded by loadDll.dll, has export name spyInster.dll, and installs the final HttpSpy payload.
e008 file C:\Users\Public\cacheMon.dat / spyLoader.dll
ENKI states engine.dat drops cacheMon.dat, appends DATA_CONF ADS, registers autorun, and executes it with regsvr32.
ENKI identifies cacheMon.dat as an HttpSpy loader with export name spyLoader.dll.
e009 file HttpSpy main module / httpSpy.dll
ENKI states cacheMon.dat decrypts the RC4-encrypted HttpSpy main module, loads it in memory, resolves the hello export, and executes it.
ENKI identifies the final payload as a RAT with export name httpSpy.dll.
e010 url http://hdrgdrfes.chickenkiller.com/index.php
ENKI’s extracted HttpSpy configuration lists the primary C&C URL as hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php.
ENKI states HttpSpy receives remote commands via HTTP POST and sends data to the C&C server.
e011 file JSONPing local infection-verification server on localhost:62001 /ping?callback=...
ENKI describes JSONPing as fake pages querying a local server created by malware via JSONP.
ENKI states calc.exe spawns a localhost:62001 server returning JSONP from /ping with callback.

ATT&CK annotations

optional complementary mapping
T1566.002Phishing: Spearphishing Link

Fake Webex social-engineering page.

T1059.007Command and Scripting Interpreter: JavaScript

fix-camera.jse staged payload.

T1218.010System Binary Proxy Execution: Regsvr32

Payload stages executed via regsvr32.

T1071.001Application Layer Protocol: Web Protocols

HttpSpy C2 over HTTP POST.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "enki.2026.kimsuky-webex-httpSpy-jsonping",
  "title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
  "description": "ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.",
  "actor_id": "APT43",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_attribution": {
    "actor": "Kimsuky",
    "aliases": [
      "APT43",
      "Velvet Chollima",
      "Emerald Sleet"
    ],
    "attribution_source": "ENKI Whitehat",
    "confidence": "ENKI attributes the activity to Kimsuky based on attack infrastructure, code patterns, RC4 key reuse, and links to previous HttpSpy activity.",
    "caveat": "This chain models only the Webex/HttpSpy lane; JSONPing is included as context."
  },
  "x_source": {
    "title": "Kimsuky’s Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant",
    "publisher": "ENKI Whitehat",
    "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
    "published_at": "2026-05-27",
    "accessed_at": "2026-05-31T19:14:15.240001+00:00",
    "source_type": "original vendor research report",
    "source_policy": "Only ENKI Whitehat original source used."
  },
  "x_source_title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
  "x_source_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
  "x_resource_links_verified": [
    {
      "url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified title/date, Kimsuky attribution, fake Webex URL, download URLs, fix-camera.jse, mTSTCv8.mdxm, engine.dat, cacheMon.dat, HttpSpy C2 and JSONPing context."
    }
  ],
  "x_iocs": {
    "urls": [
      "https://conference.birdriver.org/",
      "https://download.birdriver.org/download.php?id=425623",
      "https://download.birdriver.org/download.php?id=393156",
      "http://hdrgdrfes.chickenkiller.com/index.php"
    ],
    "files": [
      "fix-camera.jse",
      "C:\\ProgramData\\mTSTCv8.mdxm",
      "C:\\ProgramData\\meeting.html",
      "engine.dat",
      "spyInster.dll",
      "C:\\Users\\Public\\cacheMon.dat",
      "spyLoader.dll",
      "httpSpy.dll"
    ],
    "rc4_keys": [
      "%^fseRW#r3qwrwfsddREfGEgse)(14);",
      "RGdcsedfd@#%dg9ser3$#$^@34sdfxl ",
      "#RsfsetraW#@EsfesgsgAJOPj4eml;"
    ]
  },
  "x_limitations": [
    "Legitimate Webex meeting URL is not published and not invented.",
    "The March 2026 security-software lane is not merged into this Webex chain.",
    "JSONPing is modeled as contextual associated tradecraft, not as a required Webex-chain edge."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "url",
      "value": "https://conference.birdriver.org/",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states Kimsuky distributed malware through a malicious page impersonating Cisco Webex and gives the fake meeting URL as hxxps://conference.birdriver[.]org/.",
        "ENKI notes the page was crafted based on an actual Webex meeting schedule."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "fake_webex_lure"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "https://download.birdriver.org/download.php?id=425623",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states clicking the fake Webex camera-patch confirmation downloads an ALZip archive from hxxps://download[.]birdriver[.]org/download.php?id=425623."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "archive_download"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "fix-camera.jse",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states the archive contains fix-camera.jse and that executing it ultimately installs an HttpSpy variant.",
        "ENKI says fix-camera.jse drops and executes a base64-encoded payload and decoy HTML file."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "jse_dropper"
    },
    {
      "id": "e004",
      "type": "file",
      "value": "C:\\ProgramData\\meeting.html decoy redirector",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states the malware drops and opens meeting.html, which immediately redirects the victim to a legitimate Webex meeting room. The legitimate room URL is not published."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "decoy_redirect"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states fix-camera.jse drops the final decoded payload to C:\\ProgramData\\mTSTCv8.mdxm and executes it with hidden PowerShell/regsvr32.",
        "ENKI identifies mTSTCv8.mdxm as a downloader with export name loadDll.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "downloader"
    },
    {
      "id": "e006",
      "type": "url",
      "value": "https://download.birdriver.org/download.php?id=393156",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states mTSTCv8.mdxm downloads an additional payload from hxxps://download[.]birdriver[.]org/download.php?id=393156."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "second_stage_download"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "engine.dat / spyInster.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states engine.dat is downloaded by loadDll.dll, has export name spyInster.dll, and installs the final HttpSpy payload."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "installer_payload"
    },
    {
      "id": "e008",
      "type": "file",
      "value": "C:\\Users\\Public\\cacheMon.dat / spyLoader.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states engine.dat drops cacheMon.dat, appends DATA_CONF ADS, registers autorun, and executes it with regsvr32.",
        "ENKI identifies cacheMon.dat as an HttpSpy loader with export name spyLoader.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "loader_payload"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "HttpSpy main module / httpSpy.dll",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI states cacheMon.dat decrypts the RC4-encrypted HttpSpy main module, loads it in memory, resolves the hello export, and executes it.",
        "ENKI identifies the final payload as a RAT with export name httpSpy.dll."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "final_rat"
    },
    {
      "id": "e010",
      "type": "url",
      "value": "http://hdrgdrfes.chickenkiller.com/index.php",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI’s extracted HttpSpy configuration lists the primary C&C URL as hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php.",
        "ENKI states HttpSpy receives remote commands via HTTP POST and sends data to the C&C server."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "c2_endpoint"
    },
    {
      "id": "e011",
      "type": "file",
      "value": "JSONPing local infection-verification server on localhost:62001 /ping?callback=...",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "ENKI Whitehat report",
      "evidence": [
        "ENKI describes JSONPing as fake pages querying a local server created by malware via JSONP.",
        "ENKI states calc.exe spawns a localhost:62001 server returning JSONP from /ping with callback."
      ],
      "x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
      "x_chain_stage": "associated_verification_tradecraft",
      "x_modeled_as_context_only": true
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "redirector",
      "techniques": [
        "IIM-T015"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Associated JSONPing context; not terminal Webex C2 path."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Fake Webex page downloads from download.birdriver.org/download.php?id=425623."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Downloaded ALZip archive contains fix-camera.jse."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "fix-camera.jse drops meeting.html decoy."
      ]
    },
    {
      "from": "e004",
      "to": "e001",
      "type": "redirect",
      "sequence_order": 4,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "meeting.html redirects to a legitimate Webex room; exact legitimate URL not published."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "fix-camera.jse decodes and drops mTSTCv8.mdxm."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "execute",
      "sequence_order": 6,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "mTSTCv8.mdxm executed via hidden PowerShell/regsvr32."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "download",
      "sequence_order": 7,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "mTSTCv8.mdxm downloads from download.birdriver.org/download.php?id=393156."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 8,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat/spyInster.dll identified as downloaded payload."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 9,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat drops cacheMon.dat and configuration ADS."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "execute",
      "sequence_order": 10,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "engine.dat executes cacheMon.dat using regsvr32."
      ]
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "cacheMon.dat decrypts, loads and executes HttpSpy main module."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "HttpSpy primary C2 is hdrgdrfes.chickenkiller.com/index.php and commands are via HTTP POST."
      ]
    },
    {
      "from": "e011",
      "to": "e001",
      "type": "references",
      "sequence_order": 13,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "JSONPing is associated fake-page verification tradecraft; contextual relation only."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Phishing: Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "Fake Webex social-engineering page."
    },
    {
      "technique_id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution",
      "comment": "fix-camera.jse staged payload."
    },
    {
      "technique_id": "T1218.010",
      "name": "System Binary Proxy Execution: Regsvr32",
      "tactic": "Defense Evasion",
      "comment": "Payload stages executed via regsvr32."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "HttpSpy C2 over HTTP POST."
    }
  ]
}