Darktrace analysts identified a DPRK-aligned campaign targeting users in South Korea that delivered a JSE script disguised as a Hangul (HWPX) document to deploy a Visual Studio Code tunnel for prolonged remote access. The attacker downloaded legitimate VS Code binaries, launched a tunnel named “bizeugene”, authorized it via a GitHub device code, and exfiltrated the tunnel token to a compromised South Korean site. #VSCodeTunnel #DPRK
Keypoints
- Attackers used a JSE file masquerading as an HWPX document (Hangul) to lure South Korean targets, impersonating the Ministry of Personnel Management.
- The JSE script contained multiple Base64-encoded blobs, executed via Windows Script Host, and downloaded VS Code CLI ZIPs and code.exe into C:\ProgramData.
- A VS Code tunnel named “bizeugene” was created and authorized via a generated GitHub device code, granting interactive access to the victim system through VS Code server functionality.
- The threat actor exfiltrated the tunnel token and related code to a compromised legitimate South Korean website (yespp[.]co[.]kr) used as a C2 endpoint.
- Use of legitimate, signed developer tooling (VS Code) and trusted infrastructure (Microsoft/GitHub) allowed stealthy, persistent access that can evade traditional malware-detection controls.
- Operational patterns (Hancom documents, government impersonation, prolonged remote access) align with previously observed DPRK-aligned activity, increasing confidence in state-aligned attribution.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – JSE file disguised as an HWPX decoy, likely delivered via spear-phishing to targets (‘The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email.’)
- [T1059] Command and Scripting Interpreter – Windows Script Host executed the JSE script containing Base64 blobs and commands (‘The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host.’)
- [T1204.002] User Execution: Malicious File – The campaign relied on the target opening the decoy HWPX document, which triggered script execution (‘The HWPX file … is opened as a decoy.’)
- [T1027] Obfuscated Files and Information – The script used Base64-encoded blobs to conceal payloads and actions (‘The JSE file contains multiple Base64-encoded blobs…’)
- [T1218] Signed Binary Proxy Execution (now named System Binary Proxy Execution) – The actor used the legitimate, signed VS Code executable (code.exe) to run a tunnel and avoid detection (‘the script then downloads the VSCode CLI ZIP archives from Microsoft … along with code.exe (the legitimate VS Code executable)’)
- [T1105] Ingress Tool Transfer – VS Code binaries and other files were downloaded to C:\ProgramData on the victim machine (‘the script then downloads the VSCode CLI ZIP archives … into C:\ProgramData, along with code.exe … and a file named out.txt.’)
- [T1090] Proxy – The VS Code tunnel created an encrypted connection through Microsoft’s tunnel service, allowing the attacker to proxy into the host (‘the remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service.’)
- [T1041] Exfiltration Over C2 Channel – The device code and tunnel token were POSTed to a compromised South Korean website acting as C2 (‘this code, along with the tunnel token “bizeugene”, is sent in a POST request to hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php’)
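The key points and the technique list above describe one chain: a script host opens a double-extension lure, drops the real code.exe into C:\ProgramData, starts a tunnel, and the script host posts the token to the C2 host. The following is an added example (not Darktrace's code and not from the report) of endpoint triage rules that hunt for exactly those steps over process-creation and network-connection telemetry. The sample events are constructed; only the lure file name, the drop directory, the tunnel name and the C2 host come from the report. The VS Code CLI flags on the command line and the tunnel relay hostnames (`*.tunnels.api.visualstudio.com`, `*.devtunnels.ms`) are assumptions, since the report only says "Microsoft's tunnel service". The double-extension rule is generalised beyond `.hwpx.jse` to other document/script pairs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, loosely modelled on Sysmon process-creation
# (Event ID 1) and network-connection (Event ID 3) records. These records are
# invented for this example; only the lure file name, the drop directory, the
# tunnel name and the C2 host are taken from the report. Command-line flags and
# the relay hostname are assumptions, not quoted from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse"'},
    {"type": "process", "image": r"C:\ProgramData\code.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\ProgramData\code.exe" tunnel --accept-server-license-terms --name bizeugene'},
    {"type": "network", "image": r"C:\ProgramData\code.exe",
     "dest_host": "global.rel.tunnels.api.visualstudio.com", "dest_port": "443"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "www.yespp.co.kr", "dest_port": "443"},
    # Benign: a developer starting a tunnel from the normal install location.
    {"type": "process", "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel --name devbox'},
    # Benign: a scheduled maintenance script with a single extension.
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"cscript.exe //B C:\Scripts\rotate-logs.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that should not be spawning an interactive VS Code tunnel.
SUSPICIOUS_PARENTS = SCRIPT_HOSTS | {"mshta.exe", "powershell.exe", "cmd.exe"}

# "document.ext.script" double extensions. The report shows .hwpx.jse; the other
# document and script extensions are a generalisation of the same lure pattern.
DOUBLE_EXT = re.compile(
    r"\.(?:hwpx?|docx?|xlsx?|pptx?|pdf)\.(?:jse?|vbs|vbe|wsf|hta)\b", re.IGNORECASE)

# Assumed suffixes of Microsoft's tunnel relay hosts.
TUNNEL_RELAY_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

KNOWN_C2_HOSTS = {"www.yespp.co.kr"}  # from the report's IoC list


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_vscode_path(image: str) -> bool:
    """True when code.exe runs from a normal per-user or system-wide VS Code install."""
    directory = image.replace("/", "\\").lower().rsplit("\\", 1)[0]
    return directory.endswith("\\microsoft vs code")


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule an event trips."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        image = basename(ev["image"])
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            # T1566.001 / T1204.002: a script host opening a "document.ext.script" lure.
            if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
                findings.append((idx, "double-extension-script-lure"))
            # T1218-style abuse: the genuine code.exe, but run as a tunnel from a drop
            # directory rather than an install directory, or spawned by a script host.
            if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.IGNORECASE):
                if not is_trusted_vscode_path(ev["image"]):
                    findings.append((idx, "vscode-tunnel-untrusted-path"))
                if basename(ev.get("parent", "")) in SUSPICIOUS_PARENTS:
                    findings.append((idx, "vscode-tunnel-script-parent"))
        elif ev["type"] == "network":
            host = ev["dest_host"].lower()
            # T1090: an out-of-place code.exe reaching the tunnel relay.
            if (image == "code.exe" and host.endswith(TUNNEL_RELAY_SUFFIXES)
                    and not is_trusted_vscode_path(ev["image"])):
                findings.append((idx, "tunnel-relay-from-untrusted-vscode"))
            # T1041: a script host talking to the report's C2 host.
            if image in SCRIPT_HOSTS and host in KNOWN_C2_HOSTS:
                findings.append((idx, "script-host-to-known-c2"))
    return findings


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The path check matters more than the hash: the binary is Microsoft-signed and will pass reputation checks, so the signal is where it runs from and who started it, not what it is. The benign developer tunnel in the sample passes cleanly; the ProgramData copy trips two rules on its own and a third on its relay connection.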
Indicators of Compromise
- [IP Address] compromised site IP – 115.68.110.73
- [File Hash] malicious JSE/HWPX sample (MD5) – 9fe43e08c8f446554340f972dac8a68c
- [File Name / Path] decoy and artifacts on victim host – “2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse”, C:\ProgramData\code.exe, C:\ProgramData\out.txt
- [Domain / URL] C2 endpoint (compromised legitimate site) – hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php
- [Artifact / Identifier] VS Code tunnel name – “bizeugene” (tunnel name; the tunnel token and device code were exfiltrated in the POST)