
Kimsuky Strikes South Korea with HTTPSpy, HelloDoor, and VS Code Tunnels

Admin

Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

According to recent reports, the North Korean state-sponsored threat actor Kimsuky (also tracked as Velvet Chollima) has been linked to a new wave of cyberattacks targeting South Korean military entities and corporations. The attacks, observed between March and April 2026, showcase an expanded toolkit and sophisticated social engineering techniques.

Social Engineering Lures

Kimsuky employed tailored social engineering tactics to trick victims. Attackers spoofed security software installation pages and created a fake Webex meeting page to lure targets into downloading malicious payloads.

New Malware: HTTPSpy and HelloDoor

The threat actor introduced two new malware strains: HTTPSpy, a spyware capable of exfiltrating sensitive data, and HelloDoor, a backdoor that enables persistent remote access. These tools were delivered via spear-phishing emails or compromised websites.

Leveraging VS Code Tunnels

In a novel technique, Kimsuky abused Visual Studio Code (VS Code) tunnels for command-and-control (C2) communication. By using legitimate VS Code remote development features, the attackers blended malicious traffic with normal network activity, evading detection.

Implications for Cybersecurity

The expansion of Kimsuky's arsenal highlights the evolving threat landscape in East Asia. Organizations in South Korea, particularly in defense and technology sectors, should enhance monitoring for unusual VS Code tunnel usage and implement robust email security measures to counter social engineering attacks.
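As an added example (not code from the article or from any vendor it references), the following Python script shows one way to act on the monitoring recommendation above: it scans constructed process-creation and DNS log lines for launches of the VS Code tunnel CLI (`code tunnel` / `code-tunnel`) and for resolutions of the tunnel relay domains, raising severity when the CLI runs from a user-writable directory or on a host that is not a known developer workstation. The log format, host names, file paths, and the `KNOWN_DEV_HOSTS` set are assumptions standing in for real telemetry and an asset inventory; the domain suffixes are those listed in the VS Code Remote Tunnels documentation.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hosts where the tunnel CLI is expected. Assumption: stands in for an asset inventory.
KNOWN_DEV_HOSTS = {"DEV-WS-03"}

# Command-line shapes of the VS Code Remote Tunnels CLI (`code tunnel`, `code-tunnel`).
# These regexes are this example's own approximation and need tuning on real data.
TUNNEL_CMD_PATTERNS = (
    re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.IGNORECASE),
    re.compile(r"\bcode-tunnel(?:\.exe)?\b", re.IGNORECASE),
)

# Directories a legitimately installed editor should not be running from.
USER_WRITABLE_PATH = re.compile(r"\\(?:Temp|AppData|Downloads|Public)\\", re.IGNORECASE)

# Relay domain suffixes from the VS Code Remote Tunnels documentation.
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

# Assumed log layout: "<timestamp> <host> <PROC|DNS> <key=value payload>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>PROC|DNS)\s+(?P<rest>.*)$")
CMD_RE = re.compile(r'cmd="(?P<cmd>[^"]*)"')
QNAME_RE = re.compile(r"qname=(?P<qname>\S+)")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG_LINES = [
    # benign: the editor opening a workspace from its normal install path
    '2026-04-02T09:02:11Z DEV-WS-03 PROC user=kim cmd="C:\\Program Files\\Microsoft VS Code\\Code.exe --folder-uri file:///C:/src/app"',
    # suspicious: tunnel CLI started from a temp directory on a finance workstation
    '2026-04-02T09:14:03Z FIN-WS-07 PROC user=jlee cmd="C:\\Users\\jlee\\AppData\\Local\\Temp\\code.exe tunnel --accept-server-license-terms --name svc-update"',
    # suspicious: tunnel relay domain resolved from the same non-developer host
    "2026-04-02T09:14:05Z FIN-WS-07 DNS qname=global.rel.tunnels.api.visualstudio.com",
    # low severity: tunnel CLI from the standard install path on a developer host
    '2026-04-02T10:40:22Z DEV-WS-03 PROC user=kim cmd="C:\\Program Files\\Microsoft VS Code\\bin\\code-tunnel.exe"',
    # unrelated DNS noise
    "2026-04-02T10:41:00Z FIN-WS-07 DNS qname=update.microsoft.com",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    severity: str
    reason: str
    evidence: str


def classify(timestamp: str, host: str, kind: str, rest: str):
    """Return a Finding for one parsed event, or None if it is not tunnel-related."""
    if kind == "PROC":
        m = CMD_RE.search(rest)
        if not m or not any(p.search(m["cmd"]) for p in TUNNEL_CMD_PATTERNS):
            return None
        cmd = m["cmd"]
        if USER_WRITABLE_PATH.search(cmd):
            return Finding(timestamp, host, "high", "VS Code tunnel CLI launched from a user-writable path", cmd)
        if host not in KNOWN_DEV_HOSTS:
            return Finding(timestamp, host, "high", "VS Code tunnel CLI launched on a non-developer host", cmd)
        return Finding(timestamp, host, "low", "VS Code tunnel CLI launched from install path on a developer host", cmd)
    if kind == "DNS":
        m = QNAME_RE.search(rest)
        if not m or not m["qname"].lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
            return None
        severity = "low" if host in KNOWN_DEV_HOSTS else "medium"
        return Finding(timestamp, host, severity, "Resolution of a VS Code tunnel relay domain", m["qname"])
    return None


def scan(lines) -> list:
    """Parse each line and collect findings; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = classify(m["ts"], m["host"], m["kind"], m["rest"])
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Count findings per host so a triager sees which machines need attention first."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"[{f.severity:>6}] {f.timestamp} {f.host}: {f.reason} ({f.evidence})")
    print(summarize(scan(SAMPLE_LOG_LINES)))
```

On the constructed sample, the finance workstation produces a high-severity process finding followed two seconds later by a relay-domain resolution, which is the pairing an analyst would pivot on; the developer host's launch from the standard install path is kept as low severity rather than suppressed, since the point is to establish a baseline of expected tunnel usage, not to ignore it.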
