Kimsuky APT Campaign: Detecting HelloDoor Backdoor and VS Code Tunnel Abuse

Introduction

The North Korean state-sponsored threat actor Kimsuky (aka Velvet Chollima) has launched a fresh wave of cyber operations targeting South Korean military and corporate entities throughout March and April 2026. This campaign signals a concerning evolution in their tactics, techniques, and procedures (TTPs). Kimsuky has expanded their arsenal to include custom malware like HTTPSpy and HelloDoor, coupled with the abuse of Visual Studio Code (VS Code) Tunnels for command and control (C2).

Defenders must act with urgency. The use of VS Code Tunnels is particularly insidious as it allows the adversary to blend in with legitimate developer traffic, bypassing traditional network egress controls. This post details the attack mechanics and provides actionable detection logic to hunt for these specific threats in your environment.

Technical Analysis

Threat Actor Profile

• Actor: Kimsuky (APT37, Velvet Chollima)
• Target: South Korean military, corporate sectors, and think tanks.
• Goal: Intelligence gathering, persistent access, and data exfiltration.

Tools and Malware

1. HTTPSpy: A tailored malware likely designed for HTTP-based data exfiltration and C2 communication, mimicking legitimate web traffic.
2. HelloDoor: A backdoor component providing the attacker with remote access capabilities, likely used for initial foothold establishment and lateral movement.
3. VS Code Tunnels: Kimsuky is abusing the code tunnel feature in Visual Studio Code. This creates a secure tunnel from the victim's machine to the public internet, allowing the attacker to access the internal network via standard HTTPS protocols (*.tunnel.rel, vscode.dev). This effectively neutralizes perimeter firewall defenses that rely on blocking unknown IP addresses.

Attack Chain

1. Initial Access: Social engineering campaigns involving spoofed security software installation pages and fake Webex meeting portals.
2. Execution: The user is tricked into downloading and executing a malicious payload (likely HelloDoor).
3. C2 Establishment: The malware deploys or leverages VS Code Tunnels to maintain a reverse connection to Kimsuky infrastructure.
4. Objectives: Execution of reconnaissance commands and data exfiltration via HTTPSpy.

Exploitation Status

• Status: Confirmed Active Exploitation (In-the-Wild).
• CVE: While specific zero-days were not cited, the abuse of VS Code Tunnels represents a "Living off the Land" (LotL) technique exploitation.

Detection & Response

Sigma Rules

The following Sigma rules detect the abuse of VS Code Tunnels and the specific execution of the HelloDoor and HTTPSpy payloads based on the reported TTPs.

---
title: Potential VS Code Tunnel Usage - Kimsuky Activity
id: 9c8e7d6f-5a4b-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Detects the execution of Visual Studio Code with the 'tunnel' argument, a technique recently abused by Kimsuky for C2 to bypass firewall controls.
references:
  - https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\code.exe'
      - '\Code.exe'
    CommandLine|contains: 'tunnel'
  condition: selection
falsepositives:
  - Legitimate developer usage of VS Code Port Forwarding/Tunneling
level: medium
---
title: Kimsuky HelloDoor/HTTPSpy Payload Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects execution of known Kimsuky payloads HelloDoor or HTTPSpy based on process names or suspicious parent processes from spoofed Webex installers.
references:
  - https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\HelloDoor.exe'
      - '\HTTPSpy.exe'
  selection_cmd:
    CommandLine|contains:
      - 'HelloDoor'
      - 'HTTPSpy'
  selection_parent:
    ParentImage|contains:
      - '\Webex.exe'
      - '\Teams.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\msiexec.exe'
  condition: 1 of selection*
falsepositives:
  - Unknown
level: high

KQL (Microsoft Sentinel / Defender)

// Hunt for VS Code Tunnel usage and suspicious parent processes
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName =~ "Code.exe" and ProcessCommandLine has "tunnel") 
   or (FileName in~ ("HelloDoor.exe", "HTTPSpy.exe"))
   or (InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe") and FileName in~ ("powershell.exe", "cmd.exe", "msiexec.exe") and ProcessCommandLine has_any ("Webex", "Security"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

Velociraptor VQL

-- Hunt for VS Code processes and suspicious payload execution
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "Code.exe" 
   AND CommandLine =~ "tunnel"
   OR Name =~ "HelloDoor"
   OR Name =~ "HTTPSpy"

Remediation Script (PowerShell)

This script checks for the presence of active VS Code tunnels and suspicious file artifacts associated with the Kimsuky campaign.

# Check for VS Code Tunnel Processes
$tunnelProcesses = Get-Process | Where-Object { $_.ProcessName -eq "Code" -and $_.MainWindowTitle -like "*tunnel*" }

if ($tunnelProcesses) {
    Write-Host "[WARNING] VS Code Tunnel processes detected:" -ForegroundColor Red
    $tunnelProcesses | Format-List Id, ProcessName, Path
} else {
    Write-Host "[INFO] No active VS Code tunnel processes found." -ForegroundColor Green
}

# Check for Kimsuky Artifacts (HelloDoor/HTTPSpy) in common temp/user directories
$suspiciousFiles = @("HelloDoor.exe", "HTTPSpy.exe")
$userPaths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\AppData\Local\Temp", "$env:APPDATA")

foreach ($path in $userPaths) {
    if (Test-Path $path) {
        Write-Host "[SCAN] Scanning $path for malicious artifacts..."
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $suspiciousFiles -contains $_.Name } | 
        ForEach-Object {
            Write-Host "[MALWARE] Found suspicious file: $($_.FullName)" -ForegroundColor Red
            # Optional: Quarantine logic would go here
        }
    }
}

Remediation

1. Network Segmentation & Filtering:

   • Block VS Code Tunnel Domains: If your organization does not require VS Code Port Forwarding or Tunnels for development, block the following domains at your perimeter firewall and proxy:
     • *.tunnel.rel.cs.visualstudio.com
     • *.vscode.dev
     • *.vscode-cdn.net
   • Inspect SSL/TLS: Ensure your egress proxy performs SSL inspection (with proper certificate deployment) to detect anomalous traffic patterns even on allowed domains.

2. Endpoint Controls:

   • Restrict the execution of code.exe to only approved developer workstations using Application Whitelisting (AppLocker or Windows Defender Application Control).
   • Investigate any systems flagged by the detection rules above immediately.

3. User Awareness:

   • Alert users to the specific social engineering campaign involving fake Webex meeting pages and spoofed security software installers. Remind them to verify URLs directly with the vendor or internal IT before executing software.

4. Incident Response:

   • If HelloDoor or HTTPSpy is confirmed, assume credential theft and reset credentials for the affected account and associated service accounts.
   • Perform a thorough review of network logs for data exfiltration indicators during the timeframe of the infection.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub