A new wave of cyberattacks from North Korean threat actors is exploiting trusted Microsoft infrastructure to bypass traditional security measures. Using Visual Studio Code (VS Code) tunnels, these campaigns allow attackers to gain full remote access to targeted systems without deploying conventional malware, making detection increasingly difficult for defenders.
Introduction
Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign tied to the Democratic People’s Republic of Korea (DPRK) that leverages a trusted Microsoft tool—VS Code—to infiltrate systems. By exploiting built-in tunneling features, attackers are now able to blend their operations into normal developer workflows, effectively hiding in plain sight. The campaign primarily targets South Korean organizations, using government-themed lures to convince victims to open malicious files.
The Campaign
In this campaign, discovered by Darktrace, attackers send phishing emails to South Korean targets that appear to come from official government sources. The emails contain fake documents disguised as Hangul Word Processor (HWPX) files that are actually JSE (JScript Encoded) script files. Once opened, these scripts silently install VS Code and use its tunneling feature to grant attackers full remote control.
This approach eliminates the need for traditional command-and-control (C2) infrastructure or malware, instead relying on living-off-the-land (LotL) tactics that exploit legitimate software already trusted in enterprise environments. According to Darktrace, this appears to be the first known use of VS Code tunneling by DPRK-linked actors, though VS Code abuse has been documented in other campaigns, including Chinese APT operations.
The attack begins with carefully crafted emails, often themed around South Korean government initiatives such as graduate school selection programs. Metadata analysis indicates that attackers copied and edited legitimate government documents to increase authenticity. When a target executes the malicious file, a VS Code tunnel—named “bizeugene”—is established, creating an encrypted connection to Microsoft’s tunnel service.
Attackers can then log in using GitHub or Microsoft credentials to access the compromised system through VS Code, interacting with the terminal and file browser. This access enables them to exfiltrate sensitive data, deploy payloads, and conduct other malicious activities while remaining largely invisible to traditional detection systems.
LotL techniques like these are particularly challenging for security teams because they use legitimate applications, which are digitally signed and trusted. Experts recommend applying strict access controls, enforcing least-privilege principles, and monitoring privileged behavior analytics to detect anomalies. Darktrace also provided indicators of compromise (IoCs) and relevant MITRE ATT&CK techniques to help organizations identify and mitigate this threat.
Historical Abuse of VS Code
VS Code has previously been exploited in cyber campaigns. Earlier this month, researchers at Jamf revealed that DPRK actors behind the “Contagious Interview” campaign used VS Code to deliver a previously unknown backdoor capable of remote code execution without user interaction. Abuse of VS Code tunnels was first documented in 2023 and has since been leveraged by multiple APT groups targeting governments and critical infrastructure across Asia.
The ongoing campaign highlights the growing trend of attackers leveraging developer tools for malicious purposes. By co-opting tools widely used in enterprise and developer environments, adversaries reduce their risk of detection and extend their reach without deploying traditional malware.
What Undercode Says:
The DPRK’s use of VS Code tunnels represents a significant evolution in cyberattack methodology. Traditionally, nation-state actors relied heavily on malware and custom C2 servers to maintain persistence within target networks. By exploiting legitimate developer tools, they are now able to bypass conventional endpoint security systems that are optimized to detect known threats. This “living-off-the-land” approach has several implications:
Blending with normal operations: Security monitoring often flags unusual network traffic or suspicious executable files. When attackers use software like VS Code that is already trusted and frequently used in development environments, these signals are muted, reducing the likelihood of detection.
Operational efficiency: Establishing a VS Code tunnel removes the need for maintaining separate C2 infrastructure. Attackers save time and resources while retaining full control over compromised systems.
Targeting strategy: The DPRK campaign demonstrates precise targeting, selecting individuals likely to interact with government-themed documents. Metadata analysis suggests that attackers study public documents to craft realistic lures, reflecting advanced reconnaissance and planning.
Challenges for defenders: Organizations cannot rely solely on signature-based antivirus or firewall protections. The emphasis must shift toward behavioral analytics, privilege management, and anomaly detection. Continuous monitoring of network traffic for encrypted tunnels that do not match standard usage patterns could be key in identifying these attacks.
Implications for software security: VS Code’s tunneling feature, while designed for legitimate remote development, illustrates the dual-use nature of modern software. Developers and IT teams must recognize that features enabling convenience and collaboration can also become attack vectors if misused.
Future attack trends: The use of trusted infrastructure as an attack medium will likely increase. Other nation-state actors may adopt similar methods, exploiting collaboration platforms, cloud services, and development tools to achieve stealthy persistence and lateral movement within networks.
Strategic defense recommendations: Applying least-privilege access, segmenting developer environments, and monitoring for anomalous tunnel creation are critical. Security teams should integrate these practices into incident response protocols to reduce the risk of compromise from LotL attacks.
Overall, this campaign signals a shift in cyber operations: attackers are moving away from overt malware toward methods that exploit the trust and functionality of everyday software. The line between legitimate operations and malicious activity is becoming increasingly blurred, demanding more sophisticated detection and response strategies.
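The monitoring recommendations above (anomalous tunnel creation, behavioral analytics rather than signatures) can be turned into concrete hunting logic over process-creation telemetry. The following is an added example written for this article, not Darktrace's or Microsoft's code: it parses constructed key/value log lines (the field names, the `code.exe tunnel --name` command shape and the sample hostnames are assumptions, only the tunnel name "bizeugene" comes from the reporting) and flags the three behaviours the campaign chains together.

```python
"""Hunt for VS Code tunnel abuse in process-creation logs (added example, not from the article)."""
import re
from dataclasses import dataclass

# Windows script hosts that execute .jse files; the lure in this campaign is a .hwpx.jse
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LURE_RE = re.compile(r"\.hwpx?\.jse\b", re.IGNORECASE)       # double-extension lure
TUNNEL_RE = re.compile(r"\btunnel\b", re.IGNORECASE)          # 'code tunnel' subcommand
NAME_RE = re.compile(r"--name\s+(\S+)")                       # assumed CLI flag for tunnel name

@dataclass
class Finding:
    host: str
    rule: str
    detail: str

def parse_event(line: str) -> dict:
    """Turn one 'key="value" key="value"' telemetry line into a dict (assumed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        host, cmd = ev.get("host", "?"), ev.get("cmdline", "")
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        # Rule 1: a script host running a document-lookalike .jse file
        if image in SCRIPT_HOSTS and LURE_RE.search(cmd):
            findings.append(Finding(host, "lure-doc-jse", cmd))
        # Rule 2: the VS Code CLI starting a tunnel; record the tunnel name if given
        if image == "code.exe" and TUNNEL_RE.search(cmd):
            m = NAME_RE.search(cmd)
            findings.append(Finding(host, "vscode-tunnel", m.group(1) if m else "<unnamed>"))
        # Rule 3: VS Code spawned by a script host, a lineage no developer workflow produces
        if image == "code.exe" and parent in SCRIPT_HOSTS:
            findings.append(Finding(host, "tunnel-from-script-host", parent))
    return findings

# Constructed sample telemetry: one infected workstation and one benign developer launch.
SAMPLE_LOG = [
    'host="ws-17" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\wscript.exe" '
    'cmdline="wscript.exe C:\\Users\\kim\\Downloads\\2025_selection.hwpx.jse"',
    'host="ws-17" parent="C:\\Windows\\System32\\wscript.exe" image="C:\\Program Files\\Microsoft VS Code\\bin\\code.exe" '
    'cmdline="code.exe tunnel --accept-server-license-terms --name bizeugene"',
    'host="dev-03" parent="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft VS Code\\Code.exe" '
    'cmdline="Code.exe C:\\src\\project"',
]

if __name__ == "__main__":
    for f in analyze([parse_event(l) for l in SAMPLE_LOG]):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Rule 3 is the highest-confidence signal on its own; rules 1 and 2 are worth alerting on when they occur together on one host within a short window.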
Fact Checker Results
✅ North Korean actors are exploiting VS Code tunnels for remote access.
✅ The campaign targets South Korean officials using government-themed phishing emails.
❌ There is no evidence of traditional malware being used in this specific attack vector; it relies on living-off-the-land techniques.
Prediction
📊 The DPRK’s shift toward abusing trusted development tools is likely to inspire similar tactics globally. Enterprises that rely heavily on Microsoft and developer-centric software may become prime targets. Security solutions will need to focus increasingly on behavioral analytics and anomaly detection rather than signature-based detection. Future campaigns may expand to cloud development environments, increasing the scale and stealth of attacks.
References:
Reported By: www.darkreading.com