[TIMESTAMP: 2026-05-29 09:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Kimsuky Deploys HTTPSpy and HelloDoor via VS Code Dev Tunnels

Threat Intel | #Kimsuky #HTTPSpy #HelloDoor
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Kimsuky is actively targeting South Korean military and corporate entities with tailored social engineering and two newly observed malware families, HTTPSpy and HelloDoor.
  • [02] Affected systems are Windows endpoints whose users were lured into downloading fake security software or joining a spoofed Webex meeting.
  • [03] Defenders should alert on VS Code Dev Tunnels activity (code.exe or code-tunnel.exe run with the tunnel subcommand, and egress to *.devtunnels.ms or tunnels.api.visualstudio.com) from hosts with no developer need for it, and tighten web filtering for installer downloads.

The North Korean APT group Kimsuky, also tracked as Velvet Chollima, has expanded its toolset with two new malware strains dubbed HTTPSpy and HelloDoor. Activity observed throughout March and April 2026 shows a targeted effort against South Korean military and corporate organizations. According to The Hacker News, the intrusions rely on highly tailored social engineering rather than exploits, which is how they get past perimeter controls tuned for malicious attachments and known-bad domains.

The campaign also shows the group's evolving approach to C2 infrastructure: it abuses a legitimate developer tool instead of standing up its own servers. By routing command-and-control through Visual Studio Code (VS Code) Dev Tunnels, the actors blend their traffic into TLS sessions to Microsoft-owned domains, so standard network monitoring that relies on destination reputation sees nothing unusual.

Technical Analysis of HTTPSpy and HelloDoor

The introduction of HTTPSpy marks a shift toward more specialized data exfiltration tools. This malware is specifically designed to monitor and intercept HTTP/HTTPS traffic on the infected host, allowing the threat actor to harvest sensitive credentials and session tokens. Unlike generic infostealers, HTTPSpy appears to be custom-built for long-term surveillance within high-value environments.

Alongside HTTPSpy, the group deployed HelloDoor, a backdoor that provides persistent access and supports lateral movement. HelloDoor gives the operators a command-line interface on the compromised system, letting them execute arbitrary commands, upload additional payloads, and explore the victim's internal network. Because the backdoor establishes its own persistence, the adversary keeps a foothold even after the initial entry point is remediated.

How to Detect VS Code Dev Tunnels Abuse

A standout feature of this campaign is the use of VS Code Dev Tunnels for command-and-control. The feature is not a vulnerability; it is a supported Microsoft service that lets a developer expose a local VS Code instance or port through a tunnel relayed by Microsoft infrastructure. Run from a victim machine, it gives the attacker the same outbound, TLS-encrypted channel to a Microsoft domain, so reputation-based filtering does not block it and a proxy without TLS interception has nothing to inspect.

To counter this, security teams should monitor for code.exe or code-tunnel.exe (the CLI that ships in the VS Code bin folder) being launched with the tunnel subcommand, and pay extra attention when the parent process is an installer or a binary in a user download directory rather than a developer's shell. Network connections to *.tunnels.api.visualstudio.com and *.devtunnels.ms from non-developer workstations are the primary IoC SOC analysts should prioritize. Both patterns belong in the SIEM as correlated rules with an allowlist of hosts where developers legitimately use tunnels; without that allowlist the rule drowns in noise, and with it a single hit from an HR or finance workstation is a high-priority finding early in the attack lifecycle.
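The rule described above, written out as an added Python triage script (not code from the article or from any vendor). It runs over a handful of constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events, flags the tunnel subcommand and egress to the Dev Tunnels domains, and raises the priority when the host is not on a hypothetical developer allowlist. The host names, file paths and the allowlist are assumptions; the service domains are the ones named in the text.

```python
"""Added triage example: flag VS Code Dev Tunnels activity in Sysmon-style
process-creation (EID 1) and network-connection (EID 3) events.
The sample events below are constructed for illustration, not real telemetry."""
import json

# Service domains used by Dev Tunnels / VS Code tunnels (from the article's IoCs).
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

# Image names that can open a tunnel; code-tunnel.exe ships in VS Code's bin folder.
TUNNEL_IMAGES = {"code.exe", "code-tunnel.exe", "code", "code-tunnel"}

# Hypothetical allowlist of workstations where developers may use tunnels.
APPROVED_DEV_HOSTS = {"dev-ws-01", "dev-ws-02"}


def domain_matches(hostname: str) -> bool:
    """True if hostname is a tunnel service domain or any subdomain of one.
    Suffix matching is anchored on a dot so 'evil-devtunnels.ms' does not match."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS)


def is_tunnel_launch(image: str, command_line: str) -> bool:
    """True when a VS Code binary is run with the 'tunnel' subcommand."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in TUNNEL_IMAGES:
        return False
    # Token match, not substring: 'tunnel-plan.md' as an opened file must not fire.
    tokens = [t.strip('"').lower() for t in command_line.split()]
    return "tunnel" in tokens[1:]


def triage(event_lines):
    """Return findings as dicts; priority is 'high' unless the host is allowlisted."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        host = ev["Computer"].lower()
        if ev["EventID"] == 1 and is_tunnel_launch(ev["Image"], ev["CommandLine"]):
            reason, evidence = "vscode_tunnel_launch", ev["CommandLine"]
        elif ev["EventID"] == 3 and domain_matches(ev.get("DestinationHostname", "")):
            reason = "devtunnels_egress"
            evidence = f'{ev["Image"]} -> {ev["DestinationHostname"]}:{ev["DestinationPort"]}'
        else:
            continue
        priority = "info" if host in APPROVED_DEV_HOSTS else "high"
        findings.append({"host": host, "priority": priority, "reason": reason, "evidence": evidence})
    return findings


# Constructed sample events (JSON lines as an EDR/SIEM export might produce them).
SAMPLE_EVENTS = [
    # HR workstation: code-tunnel.exe started with the tunnel subcommand (hypothetical path)
    r'{"EventID": 1, "Computer": "HR-LAPTOP-07", "Image": "C:\\Users\\hr\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe", "CommandLine": "\"C:\\Users\\hr\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe\" tunnel --accept-server-license-terms"}',
    # Same host: outbound TLS to the tunnel relay
    r'{"EventID": 3, "Computer": "HR-LAPTOP-07", "Image": "C:\\Users\\hr\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe", "DestinationHostname": "global.rel.tunnels.api.visualstudio.com", "DestinationPort": 443}',
    # Allowlisted developer box doing the same thing: informational only
    r'{"EventID": 1, "Computer": "DEV-WS-01", "Image": "C:\\Program Files\\Microsoft VS Code\\bin\\code-tunnel.exe", "CommandLine": "code-tunnel.exe tunnel --name dev-ws-01"}',
    # Finance PC: ordinary VS Code update traffic, must not fire
    r'{"EventID": 3, "Computer": "FIN-PC-02", "Image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "DestinationHostname": "update.code.visualstudio.com", "DestinationPort": 443}',
    # Finance PC: VS Code opening a file whose name contains "tunnel", must not fire
    r'{"EventID": 1, "Computer": "FIN-PC-02", "Image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "CommandLine": "\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" C:\\Users\\fin\\notes\\tunnel-plan.md"}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['priority'].upper()}] {f['host']}: {f['reason']} ({f['evidence']})")
```

Running the script yields two high-priority findings for HR-LAPTOP-07 (the launch and the egress), one informational finding for the allowlisted developer host, and nothing for the finance PC. In production the allowlist would come from an asset inventory rather than a constant, and the two event types should be correlated by host and time window so a tunnel launch with no matching egress (or vice versa) still surfaces.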

Social Engineering and Initial Access Tactics

The South Korean military targets were reached primarily through phishing and spoofing. The attackers built convincing replicas of security software download pages, turning the targets' own security awareness against them: users who believed they were installing a required security update instead ran the first stage of the infection chain.

Furthermore, the group utilized a fake Cisco Webex meeting page. By mimicking a common collaboration tool, the actors exploited the shift toward remote and hybrid work environments. These pages were used to deliver malicious payloads under the guise of meeting plugins or software updates, effectively bypassing user skepticism through the use of familiar branding and urgent messaging.

Recommendations and Mitigation Strategies

Defending against HTTPSpy, HelloDoor and similar tooling requires a layered approach that combines technical controls with user awareness. Organizations should adopt a Zero Trust architecture so that an initial compromise on one workstation does not translate into free lateral movement.

  • Endpoint Protection: Configure EDR to detect and block execution of unauthorized tunneling software. Specifically, alert on VS Code's Dev Tunnels feature (code.exe or code-tunnel.exe with the tunnel subcommand) in environments where it is not required for business operations.
  • Network Filtering: Implement strict egress filtering. Block or alert on outbound connections to known tunneling services, including *.devtunnels.ms and *.tunnels.api.visualstudio.com, unless they are explicitly allowlisted for specific developer roles or hosts.
  • User Training: Conduct targeted training on spoofed collaboration platforms and third-party security software downloads. Employees should verify the source of every software installer through official internal channels rather than a link in a meeting invite.
  • Framework Alignment: Map observed behaviors to the MITRE ATT&CK framework to identify gaps in current detection coverage. Focus on T1567 (Exfiltration Over Web Service), T1572 (Protocol Tunneling) and T1219 (Remote Access Software), which also covers developer tunneling services used for C2.

By focusing on these areas, defenders can better protect their environments from the sophisticated and evolving arsenal deployed by North Korean state-sponsored actors.
