Kimsuky Uses HTTPSpy and VS Code Tunnels in Targeted Attacks on Military and Corporate Networks
ADVISORY | Jun 1, 2026 | 5 min read

North Korean state-sponsored group Kimsuky, also tracked as Velvet Chollima, has been linked to a new wave of targeted attacks against South Korean military and corporate entities in March and April 2026, according to reporting by The Hacker News. The campaign introduces new malware tools and abuses legitimate developer infrastructure to evade detection.

What Happened

Kimsuky deployed two newly identified malware tools, HTTPSpy and HelloDoor, as part of this campaign. Attackers used tailored social engineering tactics to gain initial access, including spoofed security software installation pages and a fake Webex meeting page designed to trick targets into executing malicious payloads.

A particularly notable element of this campaign is the abuse of Visual Studio Code Tunnels. VS Code Tunnels are a legitimate remote development feature that allows developers to connect to a machine over the internet through Microsoft's infrastructure. Kimsuky appears to have leveraged this feature to establish persistent, hard-to-detect remote access on compromised systems, effectively hiding command-and-control traffic inside a trusted developer channel.

Why This Matters to Small Teams

At first glance, a campaign targeting South Korean military organizations may seem remote from the concerns of an indie developer or startup founder. But the tactics used here are directly relevant to anyone building software in 2026. Spoofed software installation pages and fake video-conferencing links are not targeted exploits reserved for nation-state victims. They are phishing techniques that work against anyone, especially developers who install tools and join calls frequently.

The abuse of VS Code Tunnels is worth paying close attention to. Many small teams rely on remote development features, cloud-hosted dev environments, and tunneling tools as part of their daily workflow. These tools create outbound connections that most firewalls and security tools permit by default. An attacker who compromises a developer machine and installs a tunnel has persistent access that can be extremely difficult to detect through normal network monitoring.

Social engineering remains the most reliable attack entry point across every sector. A convincing fake Webex invitation or a cloned software download page requires no zero-day exploit. It only requires a moment of distraction from someone who is busy shipping product. Solo developers and small teams are often more exposed here because there is no IT security team reviewing suspicious links or validating software sources before installation.

How to Stay Protected

  1. Verify software downloads against official sources. Before installing any security tool, IDE extension, or productivity software, confirm the download URL matches the vendor's official domain. Check the publisher signature on executable files where possible.

  2. Audit remote access and tunneling tools on your machines. Review whether VS Code Tunnels, ngrok, Cloudflare Tunnel, or similar tools are running on any development or production machine. If you did not explicitly enable them, treat it as a serious incident indicator.

  3. Apply the principle of least privilege to developer machines. Developers should not run day-to-day tasks as local administrators. Restricting privilege limits the damage a malicious payload can do even after a successful phishing click.

  4. Train yourself and any co-founders or contractors to scrutinize meeting invitations. Fake Webex and Zoom pages are a known delivery vector. Bookmark the real login URLs and navigate directly rather than clicking links from email or chat messages.

  5. Monitor outbound connections from development machines. Use endpoint tools or firewall logs to flag unexpected outbound connections to cloud relay services, especially from machines that do not normally use remote tunneling features.

  6. Keep browsers and OS patched. Many drive-by download pages targeting developers rely on browser vulnerabilities or prompt users to disable security warnings. Up-to-date software closes a significant portion of these avenues.
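An added example covering steps 2 and 5 together (not code from the advisory or from UNPWNED): it scans a process table for the three tunnel agents named above and checks a connection table against the relay domains those agents use. The relay domain suffixes and every sample row are assumptions constructed for this example.

```python
"""Audit a developer box for tunnel agents (advisory steps 2 and 5): processes whose
command line is a VS Code `code tunnel`, ngrok or cloudflared, and outbound connections
to their relay domains. The relay suffix list is an assumption made for this example."""
import re, subprocess, sys
# Command-line shapes of the three tunnel agents the advisory names.
TUNNEL_CMDLINE = re.compile(
    r"(?:^|[\\/\s])(?:code(?:-insiders)?(?:\.exe)?\s+tunnel\b"
    r"|ngrok(?:\.exe)?\b|cloudflared(?:\.exe)?\b)", re.IGNORECASE)
# Assumed relay hosts; verify against each vendor's own documentation.
RELAY_SUFFIXES = ("tunnels.api.visualstudio.com", "devtunnels.ms",
                  "ngrok.com", "ngrok.io", "argotunnel.com")

def flag_processes(ps_lines, allowed_pids=()):
    """ps_lines: 'PID ARGS' rows (header tolerated). Returns [(pid, cmdline)]."""
    hits = []
    for row in ps_lines:
        pid, _, cmd = row.strip().partition(" ")
        if pid.isdigit() and int(pid) not in allowed_pids and TUNNEL_CMDLINE.search(cmd):
            hits.append((int(pid), cmd))
    return hits

def is_relay_host(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in RELAY_SUFFIXES)

def flag_connections(conns):
    """conns: [(pid, remote_host, remote_port)]. Returns rows bound for a relay."""
    return [c for c in conns if is_relay_host(c[1])]
# Constructed sample data standing in for `ps -eo pid,args` and a socket table.
PS_SAMPLE = [
    "PID COMMAND",
    "1890 /usr/share/code/code --unity-launch",  # the editor itself, not a tunnel
    "2210 /home/dev/.vscode/cli/code tunnel --accept-server-license-terms",
    "2305 /opt/tools/cloudflared tunnel run edge-01",
    "2410 /usr/bin/python3 /home/dev/app/manage.py runserver",
    "2511 C:\\Users\\dev\\Downloads\\ngrok.exe http 3000",
]
CONN_SAMPLE = [(2210, "global.rel.tunnels.api.visualstudio.com", 443),
               (2410, "pypi.org", 443), (2305, "region1.v2.argotunnel.com", 7844)]

if __name__ == "__main__":
    rows = PS_SAMPLE  # pass --live on Linux/macOS to read the real process table
    if "--live" in sys.argv and sys.platform != "win32":
        rows = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True,
                              text=True, check=True).stdout.splitlines()
    for pid, cmd in flag_processes(rows):
        print(f"TUNNEL AGENT pid={pid}: {cmd}")
    for pid, host, port in flag_connections(CONN_SAMPLE):
        print(f"RELAY CONNECTION pid={pid}: {host}:{port}")
```

A tunnel agent you enabled yourself can be passed in `allowed_pids`; anything else the script flags is exactly the situation step 2 tells you to treat as an incident indicator.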

How UNPWNED Helps

UNPWNED scans your public-facing web properties for misconfigurations, missing security headers, exposed sensitive paths, and other surface-level weaknesses that social engineering campaigns often exploit or probe first. While UNPWNED cannot monitor your local development machines or detect malware on endpoints, identifying and hardening your web presence reduces the overall attack surface an adversary like Kimsuky would profile before targeting your organization. Regularly scanning your login pages, download portals, and subdomains ensures you are not inadvertently presenting spoofable or misconfigured pages to attackers or your own users.


This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.
