Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

2026-01-21 • Darktrace •

https://www.darktrace.com/blog/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access

#JSE #VSCode #T1090 #T1041 #T1027 #T1204.002 #T1566.001 #T1059 #T1105 #T1218

Thumbnail for Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Darktrace observed a South Korea-focused campaign aligned with DPRK activity that used a JSE file disguised as an HWPX document and government-themed decoys impersonating the Ministry of Personnel Management. The script ran through Windows Script Host, unpacked Base64-encoded content, downloaded legitimate VS Code components into C:\ProgramData, and launched a hidden VS Code tunnel named “bizeugene” for interactive remote access. The generated device code and tunnel token were posted to a compromised South Korean site at yespp.co.kr, with the report listing 115.68.110.73 and an MD5 for the disguised HWPX/JSE sample as IOCs. The activity matters because it shows DPRK-aligned operators abusing trusted developer tooling and Microsoft tunnel infrastructure to reduce malware visibility while enabling payload retrieval and data exfiltration.

Indicators of Compromise

Type	Value	First Seen	Last Seen
URL	https://www.yespp.co.kr/common/…	2026-01-21	2026-05-15
IPv4	115.68.110.73	2026-01-21	2026-01-21

Related Reports

2026-05-14 • 49% Match

Disclosing new PebbleDash-based tools by Kimsuky

Kaspersky

#Kimsuky #Phishing #AppleSeed #PebbleDash #BlackBanshee #VelvetChollima #GitHub #ADS #APT43 #RubySleet #Springtail #HappyDoor #JSE #SparklingPisces #HttpTroy #VSCode #T1059.003 #T1005 #T1041 #T1113 #T1071.001 #T1056.001 #T1027 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1105 #T1219 #T1543.003

Shares tags: JSE, VSCode, T1041 • Shares 1 IOC

2026-01-13 • 40% Match

APT PROFILE – KIMSUKI

Cyfirma

#Kimsuky #T1102.002 #T1059.003 #T1567.002 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1059.005 #T1583.006 #T1566.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1566 #T1585.001 #T1656 #T1205 #T1105 #T1055 #T1553.002 #T1620 #T1102.001 #T1027.002 #T1133 #T1190 #T1593 #T1588.002 #T1657 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1585 #T1593.002 #T1598 #T1583 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1588.003 #T1589.003 #T1594 #T1218.010 #T1557 #T1219.002 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1596

Shares tags: T1041, T1027, T1204.002 • Published within a month

2026-01-23 • 32% Match

Hunting Lazarus Part II: When the Dead Drop Moved to the Blockchain

Red Asgard

#Lazarus #VSCode #T1041 #T1555 #T1059.007 #T1204.002 #T1566.003 #T1102.001

Shares tags: VSCode, T1041, T1204.002 • Published within a week

2026-05-15 • 29% Match

1분기 DPRK Operation Kimsuky 분석

Logpresso

#Kimsuky #Phishing #LNK #GitHub #VSCode

Shares tag: VSCode • Shares 1 IOC

2025-08-13 • 29% Match

APT PROFILE – LAZARUS GROUP

Cyfirma

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004

Shares tags: T1041, T1027, T1204.002

2025-07-28 • 29% Match

TraderTraitor: Deep Dive

Wiz

#TraderTraitor #JumpCloud #NPM #DMM #Bybit #T1082 #T1041 #T1555 #T1071.001 #T1195.002 #T1059.006 #T1059.007 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1566.001 #T1059 #T1199 #T1105 #T1553.002 #T1552.004 #T1195.001 #T1078 #T1087.004 #T1580 #T1578.005 #T1588.003 #T1550.004 #T1609

Shares tags: T1041, T1027, T1204.002

« Back