Live Cybersecurity News Ticker | Codekeeper

North Korean Hackers Exploit VS Code to Remotely Control Victims' Computers

Written by Content Team | Jan 23, 2026 12:17:45 PM

North Korean hackers are using a clever new trick to break into South Korean systems by exploiting Microsoft Visual Studio Code's legitimate tunneling feature. Darktrace researchers discovered the spear-phishing campaign targeting South Koreans with fake government emails about graduate school programs.

The malicious documents, disguised as official files, secretly install VS Code and create a tunnel called "bizeugene" that gives attackers full remote access. This method bypasses traditional security measures since it uses trusted Microsoft infrastructure instead of suspicious command-and-control servers.

The attack represents a shift toward "living-off-the-land" tactics, where hackers abuse legitimate tools rather than custom malware, making detection extremely difficult for security teams.
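Because the tunnel traffic goes to Microsoft infrastructure, the process that starts the tunnel is a more useful signal than the destination. The sketch below is an added example, not code from Darktrace or Dark Reading: it scans process-creation events for VS Code CLI `tunnel` invocations and raises severity for the reported tunnel name or a document/script-host parent. The event field names, binary-name list, parent list and sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Assumed file names of the VS Code CLI; adjust to what is deployed in your estate.
CLI_NAMES = {"code", "code.exe", "code.cmd", "code-tunnel", "code-tunnel.exe"}
# Tunnel name reported in the article; extend with names from your own intel.
KNOWN_BAD_NAMES = {"bizeugene"}
# Assumed parents that should not start a tunnel (document and script hosts).
ODD_PARENTS = {"winword.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Users\a\AppData\Local\Temp\vs\code.exe" tunnel '
                     r'--name bizeugene --accept-server-license-terms'},
    {"host": "dev-07", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe" '
                     r'tunnel --name build-box'},
    {"host": "dev-07", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\tunnel\README.md'},
]

def tunnel_name(command_line):
    """Return (is_tunnel, name); matches 'tunnel' only as a whole argument."""
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in CLI_NAMES:
        return False, None
    args = tokens[1:]
    if "tunnel" not in args:
        return False, None
    name = None
    for i, arg in enumerate(args):
        if arg == "--name" and i + 1 < len(args):
            name = args[i + 1]
        elif arg.startswith("--name="):
            name = arg.split("=", 1)[1].strip('"')
    return True, name

def find_vscode_tunnels(events):
    """Every tunnel start is reported; matches on name or parent are 'high'."""
    findings = []
    for ev in events:
        is_tunnel, name = tunnel_name(ev["command_line"])
        if not is_tunnel:
            continue
        reasons = []
        if name and name.lower() in KNOWN_BAD_NAMES:
            reasons.append("known-bad tunnel name")
        if ntpath.basename(ev["parent_image"]).lower() in ODD_PARENTS:
            reasons.append("unexpected parent process")
        findings.append({"host": ev["host"], "name": name, "reasons": reasons,
                         "severity": "high" if reasons else "review"})
    return findings
```

Tunnels started by developers still surface at `review` severity, so the output doubles as an inventory of who uses the feature before deciding whether to restrict it.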

Source: Dark Reading