Cyber spies aligned with North Korea are now weaponizing a tool beloved by developers worldwide—Visual Studio Code—to burrow into victim networks undetected. A new investigation by Darktrace reveals a sophisticated campaign targeting South Korean users, blending government-themed decoys with legitimate Microsoft infrastructure to bypass traditional security defenses.
The campaign, which Darktrace analysts link to the Democratic People’s Republic of Korea (DPRK), leverages the trust placed in legitimate software to hide malicious traffic in plain sight.
The attack begins not with an exploit, but with a lure. Victims are targeted via spear-phishing emails containing a JScript Encoded (JSE) script disguised as a harmless Hangul Word Processor (HWPX) document.
To lower the victim’s guard, the malware opens a decoy document titled “Documents related to selection of students for the domestic graduate school master’s night program in the first half of 2026”.
According to the report, “The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service”. Darktrace analysts noted that the attackers appear to have stolen actual documents from the government’s website and “edited them to appear legitimate”.
Once the script executes, it doesn’t just install a standard backdoor. Instead, it deploys a Visual Studio Code (VS Code) tunnel. This feature, designed to let developers collaborate remotely, is repurposed here as a covert command-and-control (C2) channel.

“By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers,” the report explains.
This tactic is particularly dangerous because it blends in with normal developer activity. “The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed”.
The operation relies on a compromised legitimate website to coordinate the connection. The malware sends a connection code and a specific tunnel token, “bizeugene”, to a hacked South Korean site, yespp[.]co[.]kr.
This creates a bridge that allows the attackers to control the victim’s machine remotely, all while traffic flows through reputable Microsoft domains.
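One way a defender can surface this pattern, as an added example that is not from the Darktrace report: correlate process-creation events for a VS Code tunnel launched under a Windows Script Host parent (the kind of parent a .jse file runs under) with proxy traffic to Microsoft's tunnel endpoints. The log formats and sample lines are constructed; the endpoint suffixes are assumed from Microsoft's dev tunnel documentation, and the tunnel name reuses the one named in the report.

```python
import re
from collections import defaultdict

# Assumption: endpoint suffixes from Microsoft's dev tunnel documentation.
TUNNEL_DOMAIN_SUFFIXES = ("tunnels.api.visualstudio.com", "devtunnels.ms")
# Windows Script Host binaries that execute a .jse file (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TUNNEL_IMAGES = {"code.exe", "code-tunnel.exe"}
# Constructed event format: "<ts> <host> parent=<img> image=<img> cmd=<cmdline>"
PROC_RE = re.compile(r"(\S+) (\S+) parent=(\S+) image=(\S+) cmd=(.*)")

def is_tunnel_domain(domain: str) -> bool:
    """Suffix match that does not accept look-alikes such as devtunnels.ms.evil.test."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES)

def detect(proxy_lines, proc_lines):
    """Return {host: (severity, [reasons])} for hosts showing tunnel activity."""
    reasons, proc_hits, net_hits, scripted = defaultdict(list), set(), set(), set()
    for line in proc_lines:
        ts, host, parent, image, cmd = PROC_RE.match(line).groups()
        if image.lower() in TUNNEL_IMAGES and "tunnel" in cmd.lower():
            proc_hits.add(host)
            if parent.lower() in SCRIPT_HOSTS:
                scripted.add(host)
            reasons[host].append(f"{ts} tunnel process started by {parent}: {cmd}")
    for line in proxy_lines:  # constructed format: "<ts> <host> <dst_domain>"
        ts, host, dst = line.split()
        if is_tunnel_domain(dst):
            net_hits.add(host)
            reasons[host].append(f"{ts} traffic to tunnel endpoint {dst}")
    out = {}
    for host, why in reasons.items():
        # Script-host parent, or process and network evidence together, is high.
        high = host in scripted or (host in proc_hits and host in net_hits)
        out[host] = ("high" if high else "medium", why)
    return out

PROXY_LOG = [  # constructed sample lines
    "2026-01-10T09:01:00Z ws-17 global.rel.tunnels.api.visualstudio.com",
    "2026-01-10T09:01:05Z ws-17 abcd1234.devtunnels.ms",
    "2026-01-10T09:02:00Z ws-03 update.microsoft.com",
]
PROC_LOG = [  # constructed sample lines; tunnel name taken from the report
    "2026-01-10T09:00:50Z ws-17 parent=wscript.exe image=code.exe "
    "cmd=code.exe tunnel --accept-server-license-terms --name bizeugene",
    "2026-01-10T08:30:00Z dev-01 parent=explorer.exe image=code.exe cmd=code.exe --new-window",
]

if __name__ == "__main__":
    for host, (sev, why) in detect(PROXY_LOG, PROC_LOG).items():
        print(host, sev, *why, sep="\n  ")
```

A normal developer window (dev-01) and ordinary Microsoft update traffic (ws-03) produce no finding, while ws-17 is flagged high on both the script-host parent and the matching tunnel traffic.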
While the tooling is novel, the fingerprints are familiar. Darktrace concludes that the “use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors”.