Last updated: July 5, 2026 at 9:01 AM UTC
Tag: vs-code-tunnels (1 article)

Kimsuky (Velvet Chollima) targets South Korean military and corporate orgs with HTTPSpy, HelloDoor, and VS Code Tunnels backdoor

ENKI has attributed a series of attacks on South Korean military and corporate entities in March and April 2026 to the North Korean state-sponsored Kimsuky group (also tracked as Velvet Chollima). The actor spoofs security-software installation pages (nProtect Online Security and AhnLab Safe Transaction) to deliver nos-setup.exe and astx-setup.exe, which load a MemLoader.dll payload via regsvr32.exe and establish persistence through scheduled tasks. A separate April campaign used a fake Cisco Webex page that prompted victims to run a script "to fix camera access," delivering an encrypted ZIP archive. Kimsuky's expanded toolset now includes an HTTPSpy variant, the HelloDoor backdoor, and abuse of VS Code remote tunnels for C2.

Check
Hunt Windows endpoints for executions of nos-setup.exe and astx-setup.exe and for regsvr32.exe loading MemLoader.dll, particularly from user-writable paths such as Downloads, AppData or Temp. Audit scheduled tasks for unfamiliar entries, especially ones whose action invokes regsvr32.exe or a DLL outside Program Files. Block VS Code Tunnels at egress where developers do not need them.
Affected
South Korean military and corporate organizations - Kimsuky's primary targets. Messaging administrators were specifically singled out via spoofed B2B messaging-service installation pages.
Fix
Block known Kimsuky C2 and HTTPSpy IoCs published by ENKI. Restrict VS Code remote tunnels to allowlisted developer accounts. Train staff against fake security-software install prompts.
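The following is an added example, not code from ENKI or from the original article, showing how the Check and Fix guidance above could be turned into hunting logic over endpoint telemetry. It runs over constructed Sysmon-style process-creation and DNS-query records (the events, host names and paths are invented for illustration) and flags the named droppers, regsvr32.exe loading MemLoader.dll or any DLL from a user-writable path, scheduled-task persistence via schtasks.exe, launches of the VS Code CLI in tunnel mode, and DNS lookups for the tunnel service. The tunnel-service domain suffixes are an assumption drawn from general knowledge of VS Code dev tunnels, not from the article; verify them against Microsoft's current documentation before alerting on them.

```python
"""Hunt constructed endpoint telemetry for the Kimsuky tradecraft described by ENKI:
nos-setup.exe / astx-setup.exe droppers, regsvr32.exe loading MemLoader.dll,
schtasks.exe persistence and VS Code tunnel C2. Added example; all events are constructed."""
import re

# Paths an unprivileged user can write to; a DLL registered from here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp|ProgramData)\\", re.I)
KNOWN_DROPPERS = {"nos-setup.exe", "astx-setup.exe"}
# The VS Code CLI starts a remote tunnel with "code tunnel ..." (or code.exe on Windows).
TUNNEL_CMD = re.compile(r"(^|\\|\s)code(\.exe)?\b.*\btunnel\b", re.I)
# Assumed dev-tunnel service domains; confirm against Microsoft's current docs.
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

# Constructed sample events (Sysmon-like fields), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\kim\Downloads\nos-setup.exe",
     "cmd": r"C:\Users\kim\Downloads\nos-setup.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\kim\AppData\Local\Temp\MemLoader.dll"',
     "parent": r"C:\Users\kim\Downloads\nos-setup.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 10 /tn "OneDriveUpdate" '
            r'/tr "regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\MemLoader.dll"',
     "parent": r"C:\Windows\System32\regsvr32.exe"},
    {"id": 4, "type": "process", "image": r"C:\Users\kim\AppData\Local\Temp\code.exe",
     "cmd": r"code.exe tunnel --accept-server-license-terms --name dev-box",
     "parent": r"C:\Windows\System32\regsvr32.exe"},
    {"id": 5, "type": "dns", "image": r"C:\Users\kim\AppData\Local\Temp\code.exe",
     "query": "global.rel.tunnels.api.visualstudio.com"},
    # Benign: a vendor MSI registering a COM DLL from Program Files.
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": 7, "type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.microsoft.com"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (event id, rule name) pairs for every event matching a hunting rule."""
    hits = []
    for ev in events:
        img = basename(ev.get("image", ""))
        if ev["type"] == "process":
            cmd = ev["cmd"]
            lower = cmd.lower()
            parent = basename(ev.get("parent", ""))
            if img in KNOWN_DROPPERS:
                hits.append((ev["id"], "known-dropper-name"))
            if img == "regsvr32.exe":
                if "memloader.dll" in lower:
                    hits.append((ev["id"], "regsvr32-memloader"))
                elif parent in KNOWN_DROPPERS or USER_WRITABLE.search(cmd):
                    # Generalisation beyond the named DLL: any registration from a
                    # user-writable path or spawned by one of the droppers.
                    hits.append((ev["id"], "regsvr32-user-writable-dll"))
            if img == "schtasks.exe" and "/create" in lower and (
                    "regsvr32" in lower or USER_WRITABLE.search(cmd)):
                hits.append((ev["id"], "schtask-persistence"))
            if TUNNEL_CMD.search(cmd):
                hits.append((ev["id"], "vscode-tunnel-launch"))
        elif ev["type"] == "dns":
            q = ev["query"].lower()
            if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
                hits.append((ev["id"], "vscode-tunnel-egress"))
    return hits


if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 6 and 7 produce no hits, which is the point of keying the regsvr32 rule on the DLL's location and parent rather than on regsvr32.exe alone: COM registration from Program Files by an installer is routine, while registration of a DLL dropped under AppData by a downloaded "security" installer is not. The tunnel rules are only useful where the Fix guidance has been applied and tunnels are confined to allowlisted developer accounts; on a host that legitimately uses them, correlate on the parent process instead.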