HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Kimsuky Deploys HTTPSpy and VS Code Tunnels to Target South Korean Military and Corporates

North‑Korean APT Kimsuky used a custom HTTP proxy (HTTPSpy), the HelloDoor backdoor, and abused Visual Studio Code tunneling to infiltrate South Korean defense and corporate networks in early 2026, highlighting supply‑chain and remote‑access risks for third‑party vendors.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Kimsuky Deploys HTTPSpy and New Tunnels, Targeting South Korean Military and Corporate Entities

What Happened – North‑Korean APT group Kimsuky (aka Velvet Chollima) leveraged a custom tool called HTTPSpy, added the “HelloDoor” backdoor and abused Visual Studio Code tunneling to infiltrate South Korean military networks and high‑value corporations during March‑April 2026. The campaign relied on spoofed security‑software install pages and a fake Webex meeting to deliver the payloads.

Why It Matters for TPRM

  • State‑sponsored espionage tools can be introduced via third‑party SaaS or remote‑access services, expanding the attack surface of any vendor that hosts or integrates such services.
  • Successful compromise of a defense or critical‑industry partner can expose sensitive intellectual property and operational data, creating downstream risk for their customers.
  • The use of legitimate development tools (VS Code tunnels) makes detection harder, underscoring the need for strict monitoring of remote‑access channels.

Who Is Affected – Defense & government agencies, large South Korean enterprises, and any third‑party vendors that provide remote‑access, cloud, or development‑tool services to these organizations.

Recommended Actions

  • Review all third‑party relationships that enable remote‑desktop or tunneling capabilities (e.g., VS Code Live Share, remote‑access SaaS).
  • Enforce strict MFA and least‑privilege for any accounts that can initiate tunnels or install software.
  • Deploy network‑level detection for anomalous HTTP tunneling and unknown outbound connections to known C2 infrastructure.

Technical Notes – Attack vector: sophisticated phishing (spoofed security‑software pages, fake Webex invites). Tools: HTTPSpy (custom HTTP proxy for data exfiltration), HelloDoor (persistent backdoor), VS Code tunneling (legitimate dev tool abused for covert channel). Data types targeted: credential stores, internal documents, operational plans. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →