Source: Dark Reading (Attacks) | Severity: HIGH

DPRK Actors Deploy VS Code Tunnels for Remote Hacking

A spear-phishing campaign attributed to North Korea's Lazarus group is leveraging Microsoft's VS Code Tunnels to conduct remote hacking operations. This allows the attackers to bypass traditional security measures by using trusted infrastructure.

Elizabeth Montalbano, Contributing Writer
January 22, 2026
4 Min Read
Image: DD Images via Shutterstock

A spear-phishing campaign by North Korean actors is abusing a legitimate feature of Microsoft Visual Studio (VS) Code to gain full remote control of targeted systems.

In the campaign, discovered by researchers at Darktrace, South Korean targets receive government-themed phishing emails containing fake official documents, according to a report published today. The documents are JSE files disguised as Hangul Word Processor (HWPX) documents that, once opened, quietly install VS Code and abuse a built-in tunneling feature to give attackers full remote control of the victim machine.

This attack method effectively eliminates the need for attackers to set up command-and-control (C2) infrastructure or use malware in their attack chain, giving them a shortcut that blends in with typical developer activity. Darktrace says the activity, which almost exclusively uses living-off-the-land (LotL) techniques, appears to be the first time actors tied to the Democratic People's Republic of Korea (DPRK) have used this specific tactic, though others have used VS Code in malicious ways.

"This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems," Tara Gould, Darktrace malware research lead, wrote in the blog post. "By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers."

Historical Abuse of VS Code

The campaign is not the first time attackers from North Korea have abused VS Code in attacks. In fact, just this week, researchers at Jamf revealed that the actors behind the North Korean "Contagious Interview" campaign are using VS Code to deliver a previously unseen backdoor that enables remote code execution (RCE) on developer systems without any user interaction.

Moreover, security researchers first identified abuse of VS Code tunnels in 2023, and it has since been used by Chinese advanced persistent threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia.

Indeed, VS Code abuse is a key component of this DPRK campaign, which starts when targets receive emails with lures related to selecting students for a graduate school program, sent from what appears to be the Ministry of Personnel Management, the South Korean government agency responsible for managing the civil service. "Based on the metadata within the documents, the threat actors appear to have taken the documents from the government's website and edited them to appear legitimate," Gould wrote.

Establishing Remote Access With VS Code

If one of the malicious files is opened, it executes a series of downloads that result in the establishment of a VS Code tunnel named "bizeugene", which allows attackers to connect to the remote computer and use VS Code on it. "The remote computer runs a VS Code server that creates an encrypted connection to Microsoft's tunnel service," Gould wrote. "A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft."

Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code, which in turn gives the actor interactive access to the VS Code terminal and file browser. This allows them to retrieve payloads, exfiltrate data, and conduct other malicious activities.

Fresh Take on Detection Required

The LotL tactics used in the campaign would not typically be easy for defenders to detect, as they blend in with the legitimate systems and processes used in a typical Microsoft-based environment, Gould said. "The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed," she wrote.
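As an added illustration (not code from the Dark Reading article or from Darktrace), the Python below flags the two traces this chain leaves in process-creation telemetry: a script host running a .jse lure named like a document, and the VS Code CLI starting a tunnel, graded by whether the parent is a script host and whether the machine is on a developer allowlist. The events, host names, user paths and the DEV_HOSTS allowlist are constructed; `code tunnel --name` is the VS Code CLI's standard tunnel invocation, and the lure rule generalizes the HWPX case to other document extensions.

```python
"""Added example: flag the VS Code tunnel abuse chain in process-creation telemetry."""
import re, shlex
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOC_EXTS = (".hwpx", ".hwp", ".docx", ".pdf")  # lure extensions; this campaign used .hwpx
VSCODE_CLI = {"code.exe", "code"}              # extend with other names the CLI runs under
DEV_HOSTS = {"dev-ws-01"}                      # constructed allowlist of hosts expected to run tunnels

def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def _argv(cmdline):
    # Windows-style split: keep quoted paths together, then drop the quotes.
    return [a.strip('"') for a in shlex.split(cmdline, posix=False)]

def _tunnel_name(args):
    i = args.index("--name") if "--name" in args else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else "<unnamed>"

def analyze_event(ev):
    """Return alert strings for one process-creation event (empty list if benign)."""
    alerts, args = [], _argv(ev["cmdline"])
    image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
    # Signal 1: a script host running a .jse whose name also carries a document extension.
    if image in SCRIPT_HOSTS:
        for name in map(_basename, args[1:]):
            if name.endswith(".jse") and any(ext in name for ext in DOC_EXTS):
                alerts.append(f"{ev['host']}: [high] {image} ran JSE lure posing as a document: {name}")
    # Signal 2: the VS Code CLI starting a tunnel; context decides the severity.
    if image in VSCODE_CLI and "tunnel" in args[1:]:
        sev = "low" if ev["host"] in DEV_HOSTS else "medium"
        if parent in SCRIPT_HOSTS:
            sev = "high"  # a tunnel spawned by a script host is not developer activity
        alerts.append(f"{ev['host']}: [{sev}] VS Code tunnel '{_tunnel_name(args)}' "
                      f"started by {image}, parent {parent or 'unknown'}")
    return alerts

def scan(events):
    return [alert for ev in events for alert in analyze_event(ev)]
SAMPLE_EVENTS = [  # constructed Sysmon-like events, not taken from the Darktrace report
    {"host": "hr-pc-07", "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\kim\Downloads\graduate_program_notice.hwpx.jse"'},
    {"host": "hr-pc-07", "image": r"C:\Users\kim\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Users\kim\AppData\Local\Programs\Microsoft VS Code\bin\code.exe" tunnel --name bizeugene'},
    {"host": "dev-ws-01", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"code.exe tunnel --name dev-laptop"},
    {"host": "dev-ws-01", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"cscript.exe //nologo C:\scripts\inventory.vbs"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the disguised lure, the high-severity tunnel spawned under wscript.exe, and a low-severity tunnel on the allowlisted developer host; the plain cscript.exe inventory script is not flagged.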
This means that defenders need to be particularly attentive in order to detect suspicious activity, going beyond dependence on typical security controls focused on blocking known malware, "as the tools themselves are not inherently malicious and are often signed by legitimate vendors," Gould wrote.

Experts have recommended that organizations apply the principle of least privilege to the tools in their own environments, use strong access controls, and monitor privileged behavior with analytics that help security teams analyze network traffic and access requests, as one way to defend against advanced LotL tactics.

To help organizations defend against this specific DPRK spear-phishing campaign, Gould included indicators of compromise (IoCs) in the blog post, including a key IP address associated with the threat actor, along with the relevant MITRE ATT&CK techniques.

About the Author

Elizabeth Montalbano, Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
