
Threat Actors May Abuse VS Code Extensions to Deploy Ransomware and Use GitHub as C2 Server

North Korean threat actors are evolving their attack strategies by leveraging developer-focused tools as infection vectors.

Recent security discoveries reveal that Kimsuky, a nation-state group operating since 2012, has been utilizing JavaScript-based malware to infiltrate systems and establish persistent command and control infrastructure.

The threat group traditionally focuses on espionage operations against government entities, think tanks, and subject matter experts, but this latest campaign demonstrates its expanding technical capabilities and the growing sophistication of its supply-chain targeting.

The attack chain begins with a simple yet effective delivery mechanism: a JavaScript file named Themes.js that serves as the initial dropper.

Unlike heavily obfuscated malware, this sample employs straightforward code wrapped in a try-catch block, prioritizing functionality over stealth.

The file initiates contact with an adversary-controlled infrastructure hosted on medianewsonline[.]com, a domain infrastructure service that allows threat actors to create subdomains for malicious purposes.

Landing page of medianewsonline[.]com (Source – Pulsedive)

This infrastructure choice reflects the attacker’s understanding of legitimate hosting services that security systems often whitelist or overlook.

Pulsedive security researchers noted the sophistication of the multi-stage attack architecture during their analysis of the infection chain.

The malware operates through a cascading payload delivery system, where each stage downloads and executes subsequent components.

The initial JavaScript file sends a GET request to iuh234[.]medianewsonline[.]com/dwnkl.php, transmitting the compromised machine’s hostname and a hardcoded authentication key.

This reconnaissance phase allows attackers to identify high-value targets before deploying additional payloads to selected systems.

Dissecting the Infection Chain

The second stage represents the reconnaissance backbone of the campaign, collecting critical system information for further exploitation.

When the C2 server responds to the initial GET request, it delivers another JavaScript payload containing five functions that systematically enumerate the infected system’s environment.

The malware executes commands to gather system information, including hardware specifications and network configuration details.

It then retrieves a comprehensive list of all running processes, providing attackers with insight into installed security software and legitimate applications that might interfere with payload execution.

The reconnaissance phase also enumerates files within the C:\Users directory, targeting user profiles and identifying potentially valuable data or configuration files.

Each command’s output gets packaged into cabinet (.cab) files and exfiltrated via POST requests to the same C2 server.

The malware demonstrates technical sophistication by modifying the HKCU\Console\CodePage registry key to UTF-8 encoding, ensuring proper text handling during data collection.

Temporary files are systematically deleted after exfiltration, implementing basic operational security practices that hinder forensic analysis.
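The GET check-in and the .cab uploads described above leave a recognisable pattern in proxy logs. As an added example, not Pulsedive's tooling or the article's own code, the Python below parses constructed log lines (the format, IPs, hostname and key values are invented for illustration), matches the reported dropper endpoint on any medianewsonline.com subdomain, and flags hosts whose GET requests recur at a near-constant interval, assuming each run of the scheduled task repeats the check-in.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src method host path" (not real telemetry).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET iuh234.medianewsonline.com /dwnkl.php?name=WS-0423&key=abc123
2024-05-01T10:01:00Z 10.0.0.5 GET iuh234.medianewsonline.com /dwnkl.php?name=WS-0423&key=abc123
2024-05-01T10:01:03Z 10.0.0.5 POST iuh234.medianewsonline.com /dwnkl.php
2024-05-01T10:02:00Z 10.0.0.5 GET iuh234.medianewsonline.com /dwnkl.php?name=WS-0423&key=abc123
2024-05-01T10:03:00Z 10.0.0.5 GET iuh234.medianewsonline.com /dwnkl.php?name=WS-0423&key=abc123
2024-05-01T10:00:07Z 10.0.0.9 GET www.example.org /index.html
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "method": method, "host": host.lower(), "path": path.split("?")[0]})
    return events

def beacon_candidates(events, min_hits=4, max_jitter=5.0):
    """Flag (src, host, path) groups whose GET requests recur at a near-constant interval."""
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            groups[(e["src"], e["host"], e["path"])].append(e["ts"])
    findings = []
    for (src, host, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # a scheduled task fires with almost no jitter
            findings.append({"src": src, "host": host, "path": path,
                             "interval": round(mean(gaps)), "hits": len(times)})
    return findings

def c2_marker_hits(events):
    """Match the reported dropper endpoint: any medianewsonline.com subdomain serving dwnkl.php."""
    return [(e["src"], e["method"]) for e in events
            if e["host"].endswith(".medianewsonline.com") and e["path"].endswith("/dwnkl.php")]
```

The cadence check catches the beacon even if the operators move to a new subdomain, while the marker match covers the indicator published here.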

Persistence mechanisms reveal the attackers’ commitment to long-term access.

The malware writes itself to %APPDATA%\Microsoft\Windows\Themes\Themes.js and creates a scheduled task named Windows Theme Manager that executes the JavaScript dropper every minute using wscript.exe.

This approach leverages legitimate Windows scheduling utilities to maintain command and control connectivity without requiring elevated privileges, making detection more difficult for defenders relying on privilege escalation alerts.
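A scheduled task that launches wscript.exe against a script under %APPDATA% every minute is easy to pick out of exported task definitions. As an added example, not code from Pulsedive or the article, the Python below parses Task Scheduler XML (the two task definitions are constructed to mirror the described task and a benign nightly job; the user name and paths are invented) and reports the three traits described above: a script host running a script file, a drop location under the user's roaming profile, and a repetition interval short enough to be a beacon.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
DUR_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")

# Constructed task definitions (not real exports); the first mirrors the article's task.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Windows Theme Manager</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Themes.js"</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backup\\NightlyJob</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions>
</Task>"""

def duration_seconds(iso):
    """Convert an ISO 8601 duration as used in task XML (e.g. PT1M, P1DT2H) to seconds."""
    m = DUR_RE.fullmatch(iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(xml_text, max_repeat_secs=300):
    """Return (task name, list of reasons) for one exported task definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).lower()
        # Script host launching a script file is the persistence shape described in the article.
        if cmd.split("\\")[-1] in SCRIPT_HOSTS and re.search(r"\.(js|jse|vbs|vbe|wsf)\b", args):
            reasons.append("script host runs script file")
        # %APPDATA% is writable without elevation, matching the dropper's drop location.
        if "%appdata%" in args or "\\appdata\\roaming\\" in args:
            reasons.append("script lives under %APPDATA%")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = duration_seconds(iv.text or "")
        if secs is not None and secs <= max_repeat_secs:
            reasons.append(f"repeats every {secs}s")  # one-minute cadence is a beacon, not a theme job
    return name, reasons
```

Feed it the XML produced by exporting each task (schtasks /query /xml or Export-ScheduledTask) and triage any task that collects two or more reasons.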

The campaign’s final stage introduces a Word document delivery component, potentially serving as a social engineering lure.

However, security researchers found the document remained empty without embedded macros, suggesting it may function as a placeholder or secondary infection vector for specific targets.

The complete infection chain demonstrates calculated malware engineering designed to evade traditional detection while establishing resilient persistence across multiple execution mechanisms.


Tushar Subhra Dutta
