Kimsuky Expands Arsenal with HTTPSpy, HelloDoor, and VS Code Tunnels
Emily Davis
Kimsuky, a North Korean state-sponsored threat actor, has been linked to new attacks on South Korean military and corporate targets that delivered the HTTPSpy and HelloDoor malware and abused VS Code Tunnels for remote access, all fronted by tailored social engineering.
### The New Wave of Kimsuky Attacks
The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been linked to a fresh wave of cyber attacks targeting South Korean military and corporate entities between March and April 2026. This group is known for its persistent and sophisticated social engineering tactics, and this campaign is no different.
Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged legitimate-looking domains to trick victims. These attacks are a reminder that even trusted tools can be weaponized against us.
### Understanding the New Tools
In this campaign Kimsuky deployed HTTPSpy, a new malware family built to steal data from compromised hosts, alongside HelloDoor, a backdoor that gives the operators remote access, and abused VS Code Tunnels as a persistent remote-access and exfiltration channel. The mix of custom malware and a legitimate developer feature shows how adaptable the group has become.
Here's a quick breakdown of what each tool does:
- **HTTPSpy**: Spyware that captures keystrokes, screenshots and other data from infected machines.
- **HelloDoor**: A backdoor that gives the attackers remote control of the system.
- **VS Code Tunnels**: A legitimate Visual Studio Code feature for reaching a machine remotely through Microsoft's relay service, which Kimsuky abused as a hard-to-spot command channel.

### Why This Matters for Your Security
These attacks highlight a growing trend: threat actors are increasingly hiding behind legitimate software features. VS Code Tunnels exist so developers can reach a machine remotely through Microsoft's relay service; because the traffic goes to Microsoft-owned infrastructure over HTTPS and the binary is a signed, trusted editor component, Kimsuky could slip past controls that only look for known-bad binaries or domains. Antivirus alone will not catch this.
> "The use of VS Code Tunnels is particularly concerning because it leverages a trusted tool, making it harder for security teams to detect malicious activity."

### How to Protect Yourself
So, what can you do? Start by treating unsolicited emails and messages with suspicion even when they look legitimate; Kimsuky relies on spear-phishing, and in this campaign on fake security-software installers and a bogus Webex meeting page, for initial access. Keep software updated, and watch endpoint and network telemetry for VS Code tunnels you did not sanction: the tunnel is started with the `code tunnel` command and relays through Microsoft-hosted infrastructure, so a developer tool launching with that subcommand on a non-developer's machine, or from an unusual path, deserves a look.
Another key step is strong access control and multi-factor authentication wherever possible. That will not stop every intrusion, but it makes lateral movement much harder once an attacker is inside.
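As an added example (not code from the article or from any vendor report), here is how a detection engineer might turn the advice above into a check over endpoint telemetry. The relay hostnames are the ones Microsoft documents in the outbound allow-list for VS Code Remote Tunnels; the event shape, the list of binary names and the log lines themselves are assumptions constructed for this demonstration, not telemetry from the campaign.

```python
import json
import re

# Hostnames of Microsoft's relay for VS Code Remote Tunnels, taken from the
# feature's documented outbound allow-list (assumed complete for this example).
TUNNEL_RELAY_SUFFIXES = ("tunnels.api.visualstudio.com", ".devtunnels.ms")

# Binaries that can open a tunnel: the editor, the standalone CLI and the
# Windows CLI name. Hypothetical list; extend it for your own fleet.
TUNNEL_IMAGES = {"code", "code.exe", "code-insiders", "code-tunnel.exe"}

# Constructed sample telemetry, one JSON object per line, loosely shaped like
# Sysmon event ID 1 (process creation) and event ID 3 (network connection).
# These are not real logs from the campaign.
SAMPLE_LOG = r"""
{"EventID": 1, "User": "CORP\\dev", "Image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "CommandLine": "\"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" C:\\src\\app"}
{"EventID": 1, "User": "CORP\\hr", "Image": "C:\\Users\\hr\\AppData\\Roaming\\Webex\\code-tunnel.exe", "CommandLine": "code-tunnel.exe tunnel --accept-server-license-terms --name pc-hr"}
{"EventID": 3, "User": "CORP\\hr", "Image": "C:\\Users\\hr\\AppData\\Roaming\\Webex\\code-tunnel.exe", "DestinationHostname": "global.rel.tunnels.api.visualstudio.com", "DestinationPort": 443}
{"EventID": 3, "User": "CORP\\hr", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443}
{"EventID": 1, "User": "build", "Image": "/usr/bin/code", "CommandLine": "code tunnel service install"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Basename of an image path, tolerant of Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_tunnel_launch(ev):
    """Process creation where a VS Code binary was started with the 'tunnel' subcommand."""
    if ev.get("EventID") != 1:
        return False
    tokens = ev.get("CommandLine", "").lower().split()
    # Look past the executable itself so a path that contains 'tunnel' does not match.
    return image_name(ev.get("Image", "")) in TUNNEL_IMAGES and "tunnel" in tokens[1:]


def is_tunnel_relay_connection(ev):
    """Outbound connection to the tunnel relay, whichever process made it."""
    if ev.get("EventID") != 3:
        return False
    host = ev.get("DestinationHostname", "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TUNNEL_RELAY_SUFFIXES)


def classify(ev):
    """Return a finding kind for one event, or None when it is benign."""
    if is_tunnel_relay_connection(ev):
        return "relay_connection"
    if is_tunnel_launch(ev):
        tokens = ev["CommandLine"].lower().split()
        # 'code tunnel service install' registers the tunnel as a system service,
        # which keeps the channel alive across reboots.
        if "service" in tokens and "install" in tokens:
            return "tunnel_service_install"
        return "tunnel_launch"
    return None


def triage(text):
    """Run the checks over a log and return one finding per suspicious event."""
    findings = []
    for ev in parse_events(text):
        kind = classify(ev)
        if kind:
            findings.append({
                "kind": kind,
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "detail": ev.get("CommandLine") or ev.get("DestinationHostname"),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] user={f['user']} image={f['image']} :: {f['detail']}")
```

Legitimate developers will trip these checks too, so treat them as a baseline to enrich rather than a block rule: the signal in the sample is a tunnel binary living under an HR user's `Webex` folder and a non-developer account talking to the relay, which is exactly the fake-Webex lure the article describes.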
### The Bigger Picture
This campaign is a stark reminder that cyber threats keep evolving; Kimsuky is one of many state-sponsored groups investing heavily in new tools and techniques. If you work in the antidetect browser space, stay on top of these developments to protect your clients and yourself.
Remember, security isn't just about the tools you use, it's about the habits you build. Stay vigilant, question everything, and never assume you're safe just because you have the latest software installed.