Cybersecurity | Source: Thehackernews
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

North Korean threat actor Kimsuky has launched a new wave of cyber attacks on South Korean military and corporate entities, leveraging advanced social engineering tactics and expanding its arsenal with HTTPSpy, HelloDoor, and VS Code tunnels to evade detection and gain unauthorized access.
The North Korean state-sponsored threat actor known as Kimsuky, also referred to as Velvet Chollima, has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. The group is known for sophisticated, targeted attacks that often rely on social engineering to trick victims into divulging sensitive information or granting access to their systems. In this latest campaign, Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that exploited the trust and familiarity of these platforms to deceive victims.
One of the key tools used by Kimsuky in this campaign is HTTPSpy, a custom-made malware designed to intercept and inspect HTTP requests, allowing the attackers to steal sensitive information such as login credentials and encryption keys. This malware is particularly concerning, as it can be used to gain unauthorized access to a wide range of systems and applications, from web-based email and banking services to internal corporate networks. By deploying HTTPSpy, Kimsuky has significantly expanded its capabilities and can now extract valuable data from its targets, further enhancing its intelligence gathering and espionage activities.
In addition to HTTPSpy, Kimsuky has also expanded its arsenal with HelloDoor and VS Code tunnels. HelloDoor is a backdoor malware that allows the attackers to establish a persistent connection with the compromised system, enabling them to execute commands, transfer files, and install additional malware. This backdoor is particularly stealthy, as it uses legitimate system processes and network protocols to blend in with normal traffic, making it difficult to detect. VS Code tunnels, on the other hand, are a novel technique used by Kimsuky to establish a covert communication channel with the compromised system. By leveraging the Visual Studio Code (VS Code) development environment, the attackers can create a tunnel that allows them to transmit data and commands to the compromised system, all while evading detection by traditional security controls.
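Because the VS Code tunnel feature is a legitimate remote-development tool, the defensive question raised by the paragraph above is how to tell a sanctioned developer tunnel from one planted on a finance or HR workstation. The following is an added example written for this article, not code from the article, The Hacker News, or any Kimsuky tooling. It runs a simple detection over constructed endpoint telemetry (process-creation and DNS events in a made-up dictionary format): it flags launches of the `code tunnel` CLI and DNS lookups for the tunnel relay domain, treats a hypothetical allowlist of approved development hosts as lower severity, and correlates hosts that show both signals. The relay-domain pattern (`tunnels.api.visualstudio.com`) is what I believe the VS Code tunnel service uses and is an assumption to verify against your own network captures; the host names, users and approved-host list are all constructed.

```python
import re

# Constructed sample telemetry (not real logs): process-creation and DNS events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-finance-07", "user": "jlee",
     "image": r"C:\Users\jlee\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe tunnel --accept-server-license-terms --name ws-finance-07"},
    {"type": "process", "host": "dev-build-02", "user": "svc_build",
     "image": "/usr/bin/code", "cmdline": "code tunnel --name build-agent"},
    {"type": "dns", "host": "ws-finance-07", "user": "jlee",
     "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "process", "host": "ws-hr-03", "user": "mkim",
     "image": r"C:\Program Files\Cisco Webex\ptoneclk.exe", "cmdline": "ptoneclk.exe"},
    {"type": "dns", "host": "ws-hr-03", "user": "mkim", "query": "www.webex.com"},
]

# Assumption: an inventory of hosts where developer tunnels are sanctioned.
APPROVED_TUNNEL_HOSTS = {"dev-build-02"}

# "code tunnel" / "Code.exe tunnel" at the start of a command line or after a path separator.
TUNNEL_CMD = re.compile(r"(?:^|[\\/\s])code(?:\.exe)?\s+tunnel\b", re.IGNORECASE)
# Assumption: relay domain used by the VS Code tunnel service (verify in your own captures).
TUNNEL_DOMAIN = re.compile(r"(?:^|\.)tunnels\.api\.visualstudio\.com$", re.IGNORECASE)


def detect_vscode_tunnels(events, approved_hosts=APPROVED_TUNNEL_HOSTS):
    """Return one finding per event that shows VS Code tunnel activity.

    Events from hosts in approved_hosts are kept for audit but rated 'info';
    everything else is rated 'high', since a tunnel on a non-developer machine
    is an unexpected remote-access path.
    """
    findings = []
    for ev in events:
        if ev["type"] == "process" and TUNNEL_CMD.search(ev.get("cmdline", "")):
            reason = "VS Code tunnel CLI launched"
        elif ev["type"] == "dns" and TUNNEL_DOMAIN.search(ev.get("query", "")):
            reason = "DNS lookup for VS Code tunnel relay"
        else:
            continue
        host = ev.get("host", "")
        findings.append({
            "host": host,
            "user": ev.get("user"),
            "reason": reason,
            "severity": "info" if host in approved_hosts else "high",
        })
    return findings


def correlate_hosts(findings, min_signals=2):
    """Hosts with at least min_signals distinct high-severity signals (process + DNS)."""
    by_host = {}
    for f in findings:
        if f["severity"] == "high":
            by_host.setdefault(f["host"], set()).add(f["reason"])
    return sorted(h for h, reasons in by_host.items() if len(reasons) >= min_signals)


if __name__ == "__main__":
    hits = detect_vscode_tunnels(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['host']} ({h['user']}): {h['reason']}")
    print("escalate:", correlate_hosts(hits))
```

In production the same two signals would come from EDR process telemetry and DNS or proxy logs; the allowlist is what keeps the rule from paging on every legitimate developer, and the correlation step is what turns two low-confidence signals into a single ticket worth a human look.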
The use of these advanced tools and techniques by Kimsuky highlights the growing sophistication and capabilities of North Korean state-sponsored threat actors. As the cyber threat landscape continues to evolve, it is essential for organizations to stay vigilant and proactive in their defense strategies, leveraging cutting-edge security controls and threat intelligence to detect and respond to these types of attacks. The deployment of HTTPSpy, HelloDoor, and VS Code tunnels by Kimsuky serves as a stark reminder of the importance of robust security measures, including regular software updates, network segmentation, and employee education and awareness programs.
The attribution of these attacks to Kimsuky is significant, as it highlights the ongoing efforts of North Korean threat actors to target South Korean military and corporate entities. The use of social engineering tactics, such as spoofing security software installation pages and crafting fake Webex meeting pages, demonstrates the attackers' ability to adapt and evolve their techniques to evade detection and exploit the trust of their victims. As the cyber threat landscape continues to shift, it is essential for organizations to prioritize threat intelligence and stay informed about the latest tactics, techniques, and procedures (TTPs) used by threat actors like Kimsuky.
In conclusion, the deployment of HTTPSpy, HelloDoor, and VS Code tunnels by Kimsuky marks a significant escalation in the capabilities and sophistication of North Korean state-sponsored threat actors. By prioritizing threat intelligence and staying informed about the latest TTPs used by threat actors like Kimsuky, organizations can better protect themselves against the growing threat of cyber attacks and maintain the security and integrity of their systems and data.