Kimsuky turns Webex and Visual Studio Code tunnels into a South Korea trap
The Kimsuky campaign trail through fake meetings and legitimate tooling.📷 AI-generated image / TECH&SPACE
- ★Kimsuky has been linked to attacks against South Korean military and corporate targets during March and April 2026.
- ★The lures include spoofed security software installation pages and a fake Webex meeting page.
- ★HTTPSpy, HelloDoor and VS Code Tunnels appear as parts of the group’s expanded operational toolkit.
The Hacker News reports that a fresh set of cyberattacks against South Korean military and corporate entities through March and April 2026 has been attributed to the North Korean state-sponsored threat actor Kimsuky, also known as Velvet Chollima. That timeframe and target profile make this more than a loose phishing wave. It reads as an operation aimed at organizations sitting inside South Korea’s security and business perimeter.
The central point is not only the tool list, but the entry method. According to the report, Kimsuky used tailored social engineering tactics, including spoofed security software installation pages and a fake Webex meeting page. That kind of lure exploits routine: if a user expects a security installer or a meeting link, the attacker starts with credibility before any technical payload has to prove itself.
The expanded arsenal includes HTTPSpy, HelloDoor and Visual Studio Code Tunnels. The last item matters because tunneling through legitimate developer infrastructure can blur the line between normal remote work and covert access. For defenders, that changes the investigation. It is not enough to hunt only for unknown binaries; teams also have to ask why familiar tools appear in the wrong context, from the wrong machine, or toward the wrong destination.
The North Korean group Velvet Chollima targeted South Korean military and corporate entities with spoofed installer pages and a fake Webex meeting lure.
A forensic close-up of the lure linking fake Webex and an unexpected tunnel.📷 AI-generated image / TECH&SPACE
Kimsuky has long been tracked in security knowledge bases as a group associated with North Korean interests; MITRE ATT&CK lists it as G0094. But this campaign highlights the part defenders usually find more difficult than attribution: an actor does not need a spectacular new technique if it can combine a believable lure, a legitimate service and a tool the organization cannot confidently separate from normal work.
For South Korean military and corporate targets, response has to move beyond a simple list of compromised files. Review should cover suspicious security-software installation flows, meeting pages that imitate expected collaboration behavior, unexpected VS Code tunnel sessions and web telemetry tied to HTTPSpy activity. In practice, the best signal may be a sequence of small anomalies: a user lands on a spoofed security page, a channel opens that looks acceptable at first glance, and then behavior appears that has no business reason to exist.
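The "familiar tool in the wrong context" hunt described above, as an added example that is not part of the original article or of any vendor's tooling: it reads constructed JSON process-creation and DNS events, flags `code tunnel` launches and Dev Tunnels lookups on hosts outside a hypothetical allowlist of developer workstations, and then correlates the two signals per host, which is the "sequence of small anomalies" the paragraph describes. The host inventory, log format and host names are assumptions made up for the example; the domain suffixes are the ones Microsoft documents for VS Code and Dev Tunnels, and should be verified against current documentation before use.

```python
"""Hunt for VS Code tunnel use outside its expected context.

Added example (not the article's or any project's code). Assumptions:
  - events are simplified JSON lines with host/type/cmdline or query fields;
  - ALLOWED_TUNNEL_HOSTS is a hypothetical inventory of developer workstations;
  - TUNNEL_DOMAIN_SUFFIXES follow Microsoft's Dev Tunnels docs (verify).
"""
import json
import re
from dataclasses import dataclass

# Hypothetical: hosts where running `code tunnel` is normal developer activity.
ALLOWED_TUNNEL_HOSTS = {"dev-ws-01", "dev-ws-02"}

# Domain suffixes contacted by VS Code tunnels / Dev Tunnels (per Microsoft docs).
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

# `code tunnel`, `code.exe tunnel` or the standalone `code-tunnel` CLI.
TUNNEL_CMD = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b|\bcode-tunnel(?:\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # "process" or "dns"
    evidence: str   # command line or queried name


def is_tunnel_domain(name: str) -> bool:
    """True if the DNS name belongs to the tunnel service (suffix or exact match)."""
    name = name.lower().rstrip(".")
    return any(name.endswith(s) or name == s[1:] for s in TUNNEL_DOMAIN_SUFFIXES)


def is_tunnel_command(cmdline: str) -> bool:
    """True if the command line starts a VS Code tunnel."""
    return TUNNEL_CMD.search(cmdline) is not None


def hunt(lines):
    """Return findings for tunnel activity on hosts that are not allowed to tunnel."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        host = ev["host"]
        if host in ALLOWED_TUNNEL_HOSTS:
            continue  # expected developer behaviour, not an anomaly
        if ev["type"] == "process" and is_tunnel_command(ev["cmdline"]):
            findings.append(Finding(host, "process", ev["cmdline"]))
        elif ev["type"] == "dns" and is_tunnel_domain(ev["query"]):
            findings.append(Finding(host, "dns", ev["query"]))
    return findings


def hosts_with_both(findings):
    """Hosts showing both a tunnel launch and tunnel DNS: the strongest signal."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.host, set()).add(f.kind)
    return sorted(h for h, k in kinds.items() if {"process", "dns"} <= k)


# Constructed sample events (not real telemetry), serialized as JSON lines.
SAMPLE_EVENTS = [
    {"host": "dev-ws-01", "type": "process",
     "cmdline": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\code.exe tunnel --accept-server-license-terms"},
    {"host": "hr-laptop-07", "type": "process",
     "cmdline": r"C:\Users\kim\Downloads\code-tunnel.exe tunnel --name hr-laptop-07"},
    {"host": "hr-laptop-07", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "dev-ws-02", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "fin-pc-03", "type": "process", "cmdline": r"C:\Program Files\Webex\webex.exe"},
    {"host": "fin-pc-03", "type": "dns", "query": "abcd1234.asse.devtunnels.ms"},
]
SAMPLE_LOGS = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for f in found:
        print(f"{f.host}: {f.kind} -> {f.evidence}")
    print("process + dns on:", hosts_with_both(found))
```

The allowlist is the part that makes this a hunt rather than a rule: the developer workstations produce identical events and are deliberately skipped, because the question the article raises is not "is a tunnel running" but "does this host have a business reason to run one". In production the inventory would come from an asset or identity system rather than a hard-coded set.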
There is no need to inflate the story. The campaign matters because it shows disciplined abuse of trust, not because it introduces a magical new category of intrusion. Organizations that already depend on collaboration platforms, remote development tools and controlled software deployment need to treat those same systems as part of the attack surface. Kimsuky’s advantage here is the uncomfortable one: the more legitimate a tool looks, the harder it can be to reject as an obvious anomaly.