enki.2026.kimsuky-webex-httpSpy-jsonping
Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2
ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsurl
https://conference.birdriver.org/
url
https://download.birdriver.org/download.php?id=425623
file
fix-camera.jse
file
C:\ProgramData\meeting.html decoy redirector
file
C:\ProgramData\mTSTCv8.mdxm / loadDll.dll
url
https://download.birdriver.org/download.php?id=393156
file
engine.dat / spyInster.dll
file
C:\Users\Public\cacheMon.dat / spyLoader.dll
file
HttpSpy main module / httpSpy.dll
url
http://hdrgdrfes.chickenkiller.com/index.php
file
JSONPing local infection-verification server on localhost:62001 /ping?callback=...
Relations
directed infrastructure edgese001downloade002
confirmed
e002dropse003
confirmed
e003dropse004
confirmed
e004redirecte001
confirmed
e003dropse005
confirmed
e003executee005
confirmed
e005downloade006
confirmed
e006dropse007
confirmed
e007dropse008
confirmed
e007executee008
confirmed
e008executee009
confirmed
e009connecte010
confirmed
e011referencese001
tentative
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
url | https://conference.birdriver.org/ |
ENKI states Kimsuky distributed malware through a malicious page impersonating Cisco Webex and gives the fake meeting URL as hxxps://conference.birdriver[.]org/. ENKI notes the page was crafted based on an actual Webex meeting schedule. |
e002 |
url | https://download.birdriver.org/download.php?id=425623 |
ENKI states clicking the fake Webex camera-patch confirmation downloads an ALZip archive from hxxps://download[.]birdriver[.]org/download.php?id=425623. |
e003 |
file | fix-camera.jse |
ENKI states the archive contains fix-camera.jse and that executing it ultimately installs an HttpSpy variant. ENKI says fix-camera.jse drops and executes a base64-encoded payload and decoy HTML file. |
e004 |
file | C:\ProgramData\meeting.html decoy redirector |
ENKI states the malware drops and opens meeting.html, which immediately redirects the victim to a legitimate Webex meeting room. The legitimate room URL is not published. |
e005 |
file | C:\ProgramData\mTSTCv8.mdxm / loadDll.dll |
ENKI states fix-camera.jse drops the final decoded payload to C:\ProgramData\mTSTCv8.mdxm and executes it with hidden PowerShell/regsvr32. ENKI identifies mTSTCv8.mdxm as a downloader with export name loadDll.dll. |
e006 |
url | https://download.birdriver.org/download.php?id=393156 |
ENKI states mTSTCv8.mdxm downloads an additional payload from hxxps://download[.]birdriver[.]org/download.php?id=393156. |
e007 |
file | engine.dat / spyInster.dll |
ENKI states engine.dat is downloaded by loadDll.dll, has export name spyInster.dll, and installs the final HttpSpy payload. |
e008 |
file | C:\Users\Public\cacheMon.dat / spyLoader.dll |
ENKI states engine.dat drops cacheMon.dat, appends DATA_CONF ADS, registers autorun, and executes it with regsvr32. ENKI identifies cacheMon.dat as an HttpSpy loader with export name spyLoader.dll. |
e009 |
file | HttpSpy main module / httpSpy.dll |
ENKI states cacheMon.dat decrypts the RC4-encrypted HttpSpy main module, loads it in memory, resolves the hello export, and executes it. ENKI identifies the final payload as a RAT with export name httpSpy.dll. |
e010 |
url | http://hdrgdrfes.chickenkiller.com/index.php |
ENKI’s extracted HttpSpy configuration lists the primary C&C URL as hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php. ENKI states HttpSpy receives remote commands via HTTP POST and sends data to the C&C server. |
e011 |
file | JSONPing local infection-verification server on localhost:62001 /ping?callback=... |
ENKI describes JSONPing as fake pages querying a local server created by malware via JSONP. ENKI states calc.exe spawns a localhost:62001 server returning JSONP from /ping with callback. |
ATT&CK annotations
optional complementary mappingFake Webex social-engineering page.
fix-camera.jse staged payload.
Payload stages executed via regsvr32.
HttpSpy C2 over HTTP POST.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "enki.2026.kimsuky-webex-httpSpy-jsonping",
"title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
"description": "ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.",
"actor_id": "APT43",
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_attribution": {
"actor": "Kimsuky",
"aliases": [
"APT43",
"Velvet Chollima",
"Emerald Sleet"
],
"attribution_source": "ENKI Whitehat",
"confidence": "ENKI attributes the activity to Kimsuky based on attack infrastructure, code patterns, RC4 key reuse, and links to previous HttpSpy activity.",
"caveat": "This chain models only the Webex/HttpSpy lane; JSONPing is included as context."
},
"x_source": {
"title": "Kimsuky’s Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant",
"publisher": "ENKI Whitehat",
"url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"published_at": "2026-05-27",
"accessed_at": "2026-05-31T19:14:15.240001+00:00",
"source_type": "original vendor research report",
"source_policy": "Only ENKI Whitehat original source used."
},
"x_source_title": "Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2",
"x_source_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_resource_links_verified": [
{
"url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:14:15.240001+00:00",
"notes": "Verified title/date, Kimsuky attribution, fake Webex URL, download URLs, fix-camera.jse, mTSTCv8.mdxm, engine.dat, cacheMon.dat, HttpSpy C2 and JSONPing context."
}
],
"x_iocs": {
"urls": [
"https://conference.birdriver.org/",
"https://download.birdriver.org/download.php?id=425623",
"https://download.birdriver.org/download.php?id=393156",
"http://hdrgdrfes.chickenkiller.com/index.php"
],
"files": [
"fix-camera.jse",
"C:\\ProgramData\\mTSTCv8.mdxm",
"C:\\ProgramData\\meeting.html",
"engine.dat",
"spyInster.dll",
"C:\\Users\\Public\\cacheMon.dat",
"spyLoader.dll",
"httpSpy.dll"
],
"rc4_keys": [
"%^fseRW#r3qwrwfsddREfGEgse)(14);",
"RGdcsedfd@#%dg9ser3$#$^@34sdfxl ",
"#RsfsetraW#@EsfesgsgAJOPj4eml;"
]
},
"x_limitations": [
"Legitimate Webex meeting URL is not published and not invented.",
"The March 2026 security-software lane is not merged into this Webex chain.",
"JSONPing is modeled as contextual associated tradecraft, not as a required Webex-chain edge."
],
"entities": [
{
"id": "e001",
"type": "url",
"value": "https://conference.birdriver.org/",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states Kimsuky distributed malware through a malicious page impersonating Cisco Webex and gives the fake meeting URL as hxxps://conference.birdriver[.]org/.",
"ENKI notes the page was crafted based on an actual Webex meeting schedule."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "fake_webex_lure"
},
{
"id": "e002",
"type": "url",
"value": "https://download.birdriver.org/download.php?id=425623",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states clicking the fake Webex camera-patch confirmation downloads an ALZip archive from hxxps://download[.]birdriver[.]org/download.php?id=425623."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "archive_download"
},
{
"id": "e003",
"type": "file",
"value": "fix-camera.jse",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states the archive contains fix-camera.jse and that executing it ultimately installs an HttpSpy variant.",
"ENKI says fix-camera.jse drops and executes a base64-encoded payload and decoy HTML file."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "jse_dropper"
},
{
"id": "e004",
"type": "file",
"value": "C:\\ProgramData\\meeting.html decoy redirector",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states the malware drops and opens meeting.html, which immediately redirects the victim to a legitimate Webex meeting room. The legitimate room URL is not published."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "decoy_redirect"
},
{
"id": "e005",
"type": "file",
"value": "C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states fix-camera.jse drops the final decoded payload to C:\\ProgramData\\mTSTCv8.mdxm and executes it with hidden PowerShell/regsvr32.",
"ENKI identifies mTSTCv8.mdxm as a downloader with export name loadDll.dll."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "downloader"
},
{
"id": "e006",
"type": "url",
"value": "https://download.birdriver.org/download.php?id=393156",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states mTSTCv8.mdxm downloads an additional payload from hxxps://download[.]birdriver[.]org/download.php?id=393156."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "second_stage_download"
},
{
"id": "e007",
"type": "file",
"value": "engine.dat / spyInster.dll",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states engine.dat is downloaded by loadDll.dll, has export name spyInster.dll, and installs the final HttpSpy payload."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "installer_payload"
},
{
"id": "e008",
"type": "file",
"value": "C:\\Users\\Public\\cacheMon.dat / spyLoader.dll",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states engine.dat drops cacheMon.dat, appends DATA_CONF ADS, registers autorun, and executes it with regsvr32.",
"ENKI identifies cacheMon.dat as an HttpSpy loader with export name spyLoader.dll."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "loader_payload"
},
{
"id": "e009",
"type": "file",
"value": "HttpSpy main module / httpSpy.dll",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI states cacheMon.dat decrypts the RC4-encrypted HttpSpy main module, loads it in memory, resolves the hello export, and executes it.",
"ENKI identifies the final payload as a RAT with export name httpSpy.dll."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "final_rat"
},
{
"id": "e010",
"type": "url",
"value": "http://hdrgdrfes.chickenkiller.com/index.php",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI’s extracted HttpSpy configuration lists the primary C&C URL as hxxp://hdrgdrfes[.]chickenkiller[.]com/index.php.",
"ENKI states HttpSpy receives remote commands via HTTP POST and sends data to the C&C server."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "c2_endpoint"
},
{
"id": "e011",
"type": "file",
"value": "JSONPing local infection-verification server on localhost:62001 /ping?callback=...",
"observed_at": "2026-04-30T00:00:00Z",
"source": "ENKI Whitehat report",
"evidence": [
"ENKI describes JSONPing as fake pages querying a local server created by malware via JSONP.",
"ENKI states calc.exe spawns a localhost:62001 server returning JSONP from /ping with callback."
],
"x_reference_url": "https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant",
"x_chain_stage": "associated_verification_tradecraft",
"x_modeled_as_context_only": true
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e002",
"role": "staging",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e004",
"role": "redirector",
"techniques": [
"IIM-T015"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e005",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e006",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e007",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e008",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e009",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e010",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e011",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false,
"review_notes": "Associated JSONPing context; not terminal Webex C2 path."
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "download",
"sequence_order": 1,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Fake Webex page downloads from download.birdriver.org/download.php?id=425623."
]
},
{
"from": "e002",
"to": "e003",
"type": "drops",
"sequence_order": 2,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Downloaded ALZip archive contains fix-camera.jse."
]
},
{
"from": "e003",
"to": "e004",
"type": "drops",
"sequence_order": 3,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"fix-camera.jse drops meeting.html decoy."
]
},
{
"from": "e004",
"to": "e001",
"type": "redirect",
"sequence_order": 4,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"meeting.html redirects to a legitimate Webex room; exact legitimate URL not published."
]
},
{
"from": "e003",
"to": "e005",
"type": "drops",
"sequence_order": 5,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"fix-camera.jse decodes and drops mTSTCv8.mdxm."
]
},
{
"from": "e003",
"to": "e005",
"type": "execute",
"sequence_order": 6,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"mTSTCv8.mdxm executed via hidden PowerShell/regsvr32."
]
},
{
"from": "e005",
"to": "e006",
"type": "download",
"sequence_order": 7,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"mTSTCv8.mdxm downloads from download.birdriver.org/download.php?id=393156."
]
},
{
"from": "e006",
"to": "e007",
"type": "drops",
"sequence_order": 8,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"engine.dat/spyInster.dll identified as downloaded payload."
]
},
{
"from": "e007",
"to": "e008",
"type": "drops",
"sequence_order": 9,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"engine.dat drops cacheMon.dat and configuration ADS."
]
},
{
"from": "e007",
"to": "e008",
"type": "execute",
"sequence_order": 10,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"engine.dat executes cacheMon.dat using regsvr32."
]
},
{
"from": "e008",
"to": "e009",
"type": "execute",
"sequence_order": 11,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"cacheMon.dat decrypts, loads and executes HttpSpy main module."
]
},
{
"from": "e009",
"to": "e010",
"type": "connect",
"sequence_order": 12,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"HttpSpy primary C2 is hdrgdrfes.chickenkiller.com/index.php and commands are via HTTP POST."
]
},
{
"from": "e011",
"to": "e001",
"type": "references",
"sequence_order": 13,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "tentative",
"x_evidence": [
"JSONPing is associated fake-page verification tradecraft; contextual relation only."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.002",
"name": "Phishing: Spearphishing Link",
"tactic": "Initial Access",
"comment": "Fake Webex social-engineering page."
},
{
"technique_id": "T1059.007",
"name": "Command and Scripting Interpreter: JavaScript",
"tactic": "Execution",
"comment": "fix-camera.jse staged payload."
},
{
"technique_id": "T1218.010",
"name": "System Binary Proxy Execution: Regsvr32",
"tactic": "Defense Evasion",
"comment": "Payload stages executed via regsvr32."
},
{
"technique_id": "T1071.001",
"name": "Application Layer Protocol: Web Protocols",
"tactic": "Command and Control",
"comment": "HttpSpy C2 over HTTP POST."
}
]
}