Kimsuky Deploys HTTPSpy and New Tunnels, Targeting South Korean Military and Corporate Entities
What Happened – North‑Korean APT group Kimsuky (aka Velvet Chollima) leveraged a custom tool called HTTPSpy, added the “HelloDoor” backdoor and abused Visual Studio Code tunneling to infiltrate South Korean military networks and high‑value corporations during March‑April 2026. The campaign relied on spoofed security‑software install pages and a fake Webex meeting to deliver the payloads.
Why It Matters for TPRM –
- State‑sponsored espionage tools can be introduced via third‑party SaaS or remote‑access services, expanding the attack surface of any vendor that hosts or integrates such services.
- Successful compromise of a defense or critical‑industry partner can expose sensitive intellectual property and operational data, creating downstream risk for their customers.
- The use of legitimate development tools (VS Code tunnels) makes detection harder, underscoring the need for strict monitoring of remote‑access channels.
Who Is Affected – Defense & government agencies, large South Korean enterprises, and any third‑party vendors that provide remote‑access, cloud, or development‑tool services to these organizations.
Recommended Actions –
- Review all third‑party relationships that enable remote‑desktop or tunneling capabilities (e.g., VS Code Live Share, remote‑access SaaS).
- Enforce strict MFA and least‑privilege for any accounts that can initiate tunnels or install software.
- Deploy network‑level detection for anomalous HTTP tunneling and unknown outbound connections to known C2 infrastructure.
Technical Notes – Attack vector: sophisticated phishing (spoofed security‑software pages, fake Webex invites). Tools: HTTPSpy (custom HTTP proxy for data exfiltration), HelloDoor (persistent backdoor), VS Code tunneling (legitimate dev tool abused for covert channel). Data types targeted: credential stores, internal documents, operational plans. Source: The Hacker News