Kimsuky Group Deploys Advanced New Malware

TL;DR: The North Korean state-sponsored group Kimsuky is targeting South Korean military and corporate entities with new malware. The group is using a backdoor called HTTPSpy, another named HelloDoor, and is abusing Visual Studio Code Tunnels for command-and-control, demonstrating an evolution in their attack methods.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: The Hacker News
Full summary
North Korean state-sponsored hackers are using new malware and abusing VS Code Tunnels to target South Korean military and corporate entities.
North Korean state-sponsored actor Kimsuky has launched new cyber attacks against South Korean military and corporate organizations. The campaign uses sophisticated social engineering tactics, including fake security software installers and spoofed Webex meeting pages, to deceive targets. The primary goal is to deploy new malware for espionage and data theft. The group's updated toolkit includes a previously unknown backdoor named HTTPSpy, which establishes a covert communication channel using HTTPS. This allows the attackers to execute commands and exfiltrate data from compromised systems while blending in with normal web traffic.
Alongside HTTPSpy, Kimsuky is also using another backdoor called HelloDoor and, significantly, is abusing Visual Studio Code Tunnels. By leveraging the legitimate VS Code Tunnels feature, the attackers create a persistent and encrypted channel for command-and-control (C2) communications. This tactic is particularly concerning for developers and IT teams, as it turns a trusted development tool into a security risk. Abusing legitimate services like this makes malicious activity much harder to detect, as the traffic can be easily mistaken for normal developer work. This evolution in Kimsuky's methods demonstrates their continuous effort to refine their tools and bypass modern security defenses.
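Detection logic for the tunnel abuse described above, added here as an example and not code from the article or from the researchers it summarizes: it scores constructed process-start and proxy/DNS records, treating a `tunnel` subcommand launch of the VS Code CLI or contact with the tunnel relay service as a finding, and raises severity when the host is not a known developer machine or the CLI runs from an unexpected path. The relay hostnames, the install-path baseline, the developer allowlist and all sample records are assumptions, not values from the page.

```python
import re
# Constructed sample telemetry (not from the article): process starts and proxy/DNS records.
PROCESS_EVENTS = [
    {"host": "dev-ws01", "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe", "cmdline": 'Code.exe --folder-uri "C:\\proj"'},
    {"host": "fin-pc07", "image": r"C:\Users\bob\AppData\Local\Temp\code.exe", "cmdline": "code.exe tunnel --accept-server-license-terms --name fin-pc07"},
    {"host": "dev-ws02", "image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe", "cmdline": "code-tunnel.exe tunnel"},
]
NET_EVENTS = [
    {"host": "fin-pc07", "dst": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "hr-pc11", "dst": "abc123-8080.euw.devtunnels.ms"},
    {"host": "dev-ws02", "dst": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "hr-pc11", "dst": "update.code.visualstudio.com"},  # benign update traffic
]
DEVELOPER_HOSTS = {"dev-ws01", "dev-ws02"}  # assumed allowlist of hosts expected to run tunnels
# Tunnel relay domains are an assumption for this example; verify against your own telemetry.
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)
# Assumed baseline: the VS Code CLI normally runs from a "Microsoft VS Code" install folder.
EXPECTED_PATH_RE = re.compile(r"\\Microsoft VS Code\\", re.I)

def classify_process(ev, dev_hosts):
    """Flag a process start whose first argument is the 'tunnel' subcommand."""
    argv = ev["cmdline"].split()
    if len(argv) < 2 or argv[1].lower() != "tunnel":
        return None  # ordinary editor launch, not a tunnel
    reasons = [msg for hit, msg in (
        (ev["host"] not in dev_hosts, "tunnel started on non-developer host"),
        (not EXPECTED_PATH_RE.search(ev["image"]), "CLI running from unexpected path")) if hit]
    return {"host": ev["host"], "severity": "high" if reasons else "review",
            "reasons": reasons or ["tunnel on developer host"]}

def classify_network(ev, dev_hosts):
    """Flag a proxy/DNS record whose destination is the tunnel relay service."""
    if not TUNNEL_DOMAIN_RE.search(ev["dst"]):
        return None
    return {"host": ev["host"], "severity": "review" if ev["host"] in dev_hosts else "high",
            "reasons": [f"tunnel service contact: {ev['dst']}"]}

def triage(proc_events, net_events, dev_hosts):
    """Merge findings per host; any 'high' finding makes the whole host 'high'."""
    out = {}
    for f in filter(None, [classify_process(e, dev_hosts) for e in proc_events]
                          + [classify_network(e, dev_hosts) for e in net_events]):
        cur = out.setdefault(f["host"], {"severity": "review", "reasons": []})
        cur["reasons"].extend(f["reasons"])
        if f["severity"] == "high":
            cur["severity"] = "high"
    return out
if __name__ == "__main__":
    for host, f in sorted(triage(PROCESS_EVENTS, NET_EVENTS, DEVELOPER_HOSTS).items()):
        print(f"{f['severity']:6} {host}: {'; '.join(f['reasons'])}")
```

Tunnel launches on allowlisted developer hosts are reported at "review" rather than "high" so the rule stays usable where tunnels are legitimately in use; everything else contacting the relay service is surfaced for investigation.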
Why it matters
The use of a common developer tool (VS Code Tunnels) for malicious command-and-control is a significant development. It shows how threat actors are abusing legitimate services to hide their activity, making detection much harder for security teams.
Business impact
Organizations, especially those with development teams using VS Code, face an increased risk of stealthy network intrusion. The abuse of trusted tools can bypass traditional security measures, leading to undetected data exfiltration, espionage, and long-term network compromise.
Primary source: The Hacker News