Kimsuky Weaponizes VS Code Tunnels in Active APT Campaign Against Corporate Networks
North Korean APT Turns Developer Tooling Into a Backdoor
Between March and April 2026, the North Korean state-sponsored group Kimsuky (also tracked as Velvet Chollima) ran a targeted campaign against South Korean military and corporate entities, deploying two new malware families — HTTPSpy and HelloDoor — alongside an increasingly common living-off-the-land technique: abusing Visual Studio Code Remote Tunnels for persistent, low-noise access.
Why This Matters to Every Organization Running VS Code
VS Code tunnels are a legitimate Microsoft feature that allows developers to proxy a remote shell through Microsoft's relay infrastructure. That's exactly what makes them dangerous in attacker hands: outbound tunnel traffic blends into normal developer activity, bypasses most perimeter controls, and requires no inbound firewall rules.
Kimsuky's use of this technique is not novel in isolation — multiple threat actors have adopted it since 2023 — but the pairing with two purpose-built implants raises the stakes:
- HTTPSpy functions as an HTTP-based surveillance tool, harvesting browser data and credentials from compromised hosts.
- HelloDoor is a modular backdoor with remote command execution capabilities, allowing operators to stage additional payloads after initial access.
The initial access vector remains Kimsuky's signature: highly tailored spearphishing, in this campaign targeting personnel connected to South Korean defense and enterprise sectors. Once a foothold is established, VS Code tunnels give operators a durable, authenticated channel that looks like a developer working remotely.
What You Should Do Now
1. Audit VS Code tunnel usage immediately. Run code tunnel status across developer endpoints or query your EDR for code-tunnel processes. If your organization has no legitimate use for VS Code tunnels, disable the feature via policy. Microsoft provides a device policy mechanism to restrict tunnel creation.
2. Block or monitor the Microsoft tunnel relay domains at your perimeter. Legitimate tunnel traffic transits tunnel.vscode.dev and *.vscode-cdn.net. If developers in your environment have no authorized need for remote tunnels, create a deny rule. If tunnels are authorized, ensure traffic is logged and reviewed.
3. Hunt for HTTPSpy and HelloDoor indicators. Search your EDR telemetry and proxy logs for the IOCs published alongside this campaign. Focus on unusual child processes spawned from code.exe or node.exe, and outbound connections to unfamiliar infrastructure from VS Code processes.
4. Reinforce spearphishing defenses. Kimsuky's entry point is social engineering. Verify that your mail gateway is enforcing DMARC reject policies, and that employees with access to defense-related or sensitive corporate systems are enrolled in phishing-resistant MFA (passkeys or hardware keys — not SMS or TOTP).
5. Patch and inventory credential stores. HTTPSpy specifically targets browser-stored credentials. Enforce enterprise password manager policies and remove saved credentials from Chromium-based browsers on sensitive workstations.
Synthesized by Claude · sanity-checked before publish.