North Korea–aligned cyber spies are abusing Visual Studio Code tunnels to hide command-and-control traffic and maintain prolonged access to South Korean systems. The campaign uses spear-phishing JSE scripts disguised as Hangul documents that impersonate the Ministry of Personnel Management and coordinates via a compromised site (yespp[.]co[.]kr). #DPRK #VisualStudioCode
Key points
- DPRK-aligned actors repurpose VS Code tunnels as covert command-and-control channels.
- Initial access is gained through spear-phishing JSE scripts disguised as HWPX Hangul documents.
- Decoy documents impersonate the Ministry of Personnel Management using edited government content.
- Malicious traffic blends with legitimate Microsoft infrastructure, making detection difficult.
- The operation coordinates via a compromised South Korean site (yespp[.]co[.]kr) and uses a tunnel token (“bizeugene”).
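As an added example (not code from the report or the linked article), a small Python triage routine that flags the two host-level signals the summary describes: the VS Code tunnel agent being started (extracting its tunnel name) and a Windows script host running a .jse file wearing a Hangul document extension. The sample events are constructed, and the tunnel service domains are an assumption drawn from VS Code's Remote Tunnels documentation, not indicators from the report.

```python
import re

# Constructed sample telemetry (not from the report): process-creation and DNS events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\MPM_notice.hwpx.jse"'},
    {"type": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe tunnel --accept-server-license-terms --name bizeugene"},
    {"type": "dns", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --folder-uri file:///C:/src/app"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "code tunnel" (or "code.exe tunnel") starts the Remote Tunnels agent; --name sets the tunnel name.
TUNNEL_CMD_RE = re.compile(r'(?i)\bcode(?:\.exe)?"?\s+tunnel\b')
TUNNEL_NAME_RE = re.compile(r"--name\s+(\S+)")
# A document-looking name followed by a script-host extension (the HWPX lure pattern).
DOUBLE_EXT_RE = re.compile(r"(?i)\.(?:hwpx?|docx?|pdf)\.jse?\b")
# VS Code tunnel service domains (assumption from Microsoft docs; the report lists none).
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a list of detection tags for one event; an empty list means nothing fired."""
    tags = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        if TUNNEL_CMD_RE.search(cmd):
            tags.append("vscode_tunnel_start")
            m = TUNNEL_NAME_RE.search(cmd)
            if m:
                tags.append("tunnel_name=" + m.group(1))
        if _basename(event["image"]) in SCRIPT_HOSTS and DOUBLE_EXT_RE.search(cmd):
            tags.append("jse_masquerading_as_document")
    elif event["type"] == "dns":
        q = event["query"].lower()
        if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
            tags.append("vscode_tunnel_dns")
    return tags

def hunt(events):
    """Map event index -> tags for every event on which at least one rule fired."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: t for i, t in results.items() if t}
```

A legitimate developer session (event 3) and an ordinary logon script (event 4) produce no tags, so the rules key on the tunnel verb and the double extension rather than on VS Code or wscript.exe alone.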
Read More: https://securityonline.info/the-developers-backdoor-north-korea-weaponizes-visual-studio-code/