Kimsuky, a North Korean state-sponsored threat actor also tracked as Velvet Chollima, launched a new campaign targeting South Korean military and corporate networks through March and April 2026. The group deployed HTTPSpy, a custom tool, alongside HelloDoor and VS Code Tunnels to establish persistent access and exfiltrate sensitive data.

The attack chain relied on social engineering to breach defenses. Kimsuky crafted spoofed security software installation pages and fake Webex meeting interfaces to trick users into executing malicious code. These deception tactics bypass email filters and user awareness training by masquerading as legitimate productivity tools and security patches.

HTTPSpy functions as a data exfiltration utility designed to extract files and communications from compromised systems. The tool operates covertly over HTTPS channels to evade detection by network monitoring solutions. HelloDoor and VS Code Tunnels extend the group's capability for remote code execution and lateral movement. VS Code Tunnels, a legitimate Microsoft development tool, allows attackers to tunnel traffic through encrypted channels, making command-and-control communications appear benign to network defenders.

This expansion of Kimsuky's toolkit reflects a broader trend among state-sponsored actors to weaponize legitimate development and productivity platforms. South Korean military and industrial networks remain priority targets for North Korean intelligence operations seeking to acquire weapons system specifications, defense technologies, and proprietary manufacturing data.

Organizations targeted by Kimsuky should implement conditional access controls restricting VS Code Tunnels usage on corporate networks. Endpoint detection solutions should monitor for suspicious HTTPS traffic patterns and flag tunneling application abuse. Employee security awareness training must emphasize verification of software sources and meeting invitations through out-of-band channels.
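The controls above (restrict tunnel usage to approved hosts, flag tunneling-application abuse on endpoints) can be expressed as a small detection rule over endpoint telemetry. The following is an added illustration, not code from the article or from any vendor or the threat actor's tooling. It assumes a simple JSON-per-line log schema with process-creation and DNS events (constructed here), an allowlist of developer hosts permitted to run tunnels, and the tunnel-service hostnames as I recall them from Microsoft's published network requirements for VS Code Remote Tunnels; verify those suffixes against current Microsoft documentation before deploying.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not from the article): hostname suffixes used by the VS Code
# Remote Tunnels / Dev Tunnels service, recalled from Microsoft's network
# requirements. Verify against current Microsoft documentation.
TUNNEL_DOMAIN_SUFFIXES = (
    ".tunnels.api.visualstudio.com",
    ".devtunnels.ms",
)

# Hypothetical allowlist: hosts where developers are permitted to use tunnels.
# Everything else on the corporate network is treated as out of policy.
ALLOWED_TUNNEL_HOSTS = {"dev-ws-01"}

# Matches the VS Code CLI binary at the end of an image path (code / code.exe).
VSCODE_PROCESS_RE = re.compile(r"(^|[\\/])code(\.exe)?$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    reason: str
    evidence: str


def check_process_event(event: dict) -> Optional[Alert]:
    """Flag a process-creation event that launches `code tunnel` on a host
    that is not allowed to use tunnels."""
    image = event.get("image", "")
    cmdline = event.get("command_line", "")
    host = event.get("host", "?")
    if not VSCODE_PROCESS_RE.search(image):
        return None
    # `tunnel` is the documented VS Code CLI subcommand; look for it as an
    # argument, not as part of the program name.
    if "tunnel" not in cmdline.split()[1:]:
        return None
    if host in ALLOWED_TUNNEL_HOSTS:
        return None
    return Alert(host, "vscode-tunnel-process", cmdline)


def check_dns_event(event: dict) -> Optional[Alert]:
    """Flag a DNS query for the tunnel service from a non-allowlisted host.
    This catches the network side even if the binary was renamed."""
    qname = event.get("query", "").rstrip(".").lower()
    host = event.get("host", "?")
    if not qname.endswith(TUNNEL_DOMAIN_SUFFIXES):
        return None
    if host in ALLOWED_TUNNEL_HOSTS:
        return None
    return Alert(host, "vscode-tunnel-dns", qname)


CHECKERS = {"process": check_process_event, "dns": check_dns_event}


def scan(lines) -> list:
    """Run every checker over JSON-per-line events; return alerts in log order."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        checker = CHECKERS.get(event.get("type"))
        if checker is None:
            continue
        alert = checker(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (raw string so JSON receives escaped backslashes):
# an approved developer host, a finance workstation launching a tunnel from
# Downloads, a benign system process, and the matching DNS lookups.
SAMPLE_LOG = r"""
{"type":"process","host":"dev-ws-01","image":"C:\\Program Files\\Microsoft VS Code\\bin\\code.exe","command_line":"code tunnel"}
{"type":"process","host":"fin-ws-07","image":"C:\\Users\\kim\\Downloads\\code.exe","command_line":"code tunnel --accept-server-license-terms"}
{"type":"process","host":"fin-ws-07","image":"C:\\Windows\\System32\\svchost.exe","command_line":"svchost.exe -k netsvcs"}
{"type":"dns","host":"fin-ws-07","query":"global.rel.tunnels.api.visualstudio.com."}
{"type":"dns","host":"fin-ws-07","query":"www.microsoft.com."}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.host}: {a.reason} ({a.evidence})")
```

Running the script reports two alerts for `fin-ws-07` (the tunnel process and the tunnel-service DNS query) and nothing for the allowlisted developer host. Pairing the process and DNS checks matters: the DNS rule still fires if the CLI binary is renamed, and the process rule still fires if resolution goes through an external resolver the sensor does not see.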

The campaign underscores persistent risk from North Korean threat actors. South Korean entities and multinational corporations maintaining operations in the region should assume Kimsuky