CYBER spies aligned with North Korea are weaponising a tool cherished by developers worldwide—Visual Studio Code—to infiltrate victim networks undetected, according to Darktrace. The campaign targets South Korean users, blending government-themed decoys with legitimate Microsoft infrastructure to bypass traditional security controls.
Victims are lured via spear-phishing emails containing a JScript Encoded (JSE) script disguised as an HWPX document, with a decoy titled “Documents related to selection of students for the domestic graduate school master’s night program in the first half of 2026.” The attackers repurpose the VS Code collaboration (tunnel) feature as a covert command-and-control channel, enabling remote access through trusted Microsoft domains and avoiding dedicated C2 servers.
A compromised legitimate website coordinates the connection, with the malware sending a connection code and a tunnel token—“bizeugene”—to a hacked South Korean site yespp[.]co[.]kr, creating a bridge for control over the victim’s machine. The operation’s use of Hancom document formats and government impersonation aligns with patterns previously attributed to DPRK-aligned threat actors.
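The tradecraft above (a .jse lure run by the Windows script host, followed by a VS Code tunnel that talks only to Microsoft infrastructure) leaves a recognisable pattern in endpoint telemetry. The following detection sketch is an added example, not code from Darktrace or the article; it assumes that tunnel traffic goes to the tunnels.api.visualstudio.com service (known VS Code infrastructure, not named in the article), and all log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Darktrace report): "time host kind detail".
SAMPLE_EVENTS = [
    "10:00:01 PC-01 process wscript.exe C:\\Users\\u\\Downloads\\notice.hwpx.jse",
    "10:00:04 PC-01 process code.exe tunnel --accept-server-license-terms --name host-a1",
    "10:00:05 PC-01 network global.rel.tunnels.api.visualstudio.com:443",
    "10:00:06 PC-01 network compromised-site.example:443",  # placeholder for the relay site
    "11:30:00 DEV-07 process code.exe tunnel --name laptop",
    "11:30:01 DEV-07 network global.rel.tunnels.api.visualstudio.com:443",
]
KNOWN_DEV_HOSTS = {"DEV-07"}  # hosts where developer-initiated VS Code tunnels are expected

JSE_LURE = re.compile(r"^(wscript|cscript)\.exe\b.*\.jse\b", re.I)
TUNNEL_CMD = re.compile(r"^(code|code-tunnel|code-insiders)(\.exe)?\s+tunnel\b", re.I)
TUNNEL_NET = re.compile(r"(^|\.)tunnels\.api\.visualstudio\.com:", re.I)

def classify(detail, kind):
    """Map one event to a signal name, or None if it is not interesting."""
    if kind == "process" and JSE_LURE.search(detail):
        return "jse_script_host"
    if kind == "process" and TUNNEL_CMD.search(detail):
        return "vscode_tunnel_start"
    if kind == "network" and TUNNEL_NET.search(detail):
        return "vscode_tunnel_traffic"
    return None

def find_suspect_hosts(events, known_dev_hosts=KNOWN_DEV_HOSTS):
    """Return {host: sorted signals} for hosts whose tunnel use looks like abuse:
    tunnel start/traffic on a host that also ran a .jse via the script host,
    or any tunnel use on a host where developer tunnels are not expected.
    Tunnel traffic alone is benign on developer machines, hence the correlation."""
    signals = defaultdict(set)
    for line in events:
        _ts, host, kind, detail = line.split(" ", 3)
        sig = classify(detail, kind)
        if sig:
            signals[host].add(sig)
    suspects = {}
    for host, sigs in signals.items():
        tunnel = {"vscode_tunnel_start", "vscode_tunnel_traffic"} & sigs
        if tunnel and ("jse_script_host" in sigs or host not in known_dev_hosts):
            suspects[host] = sorted(sigs)
    return suspects

if __name__ == "__main__":
    for host, sigs in find_suspect_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sigs)}")
```

In production the same three signals would come from process-creation and DNS/proxy logs, and the allowlist from an asset inventory rather than a hard-coded set.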