An undetected compromise through this campaign gives attackers persistent, covert access to internal systems, with C2 traffic hidden inside developer tools that security teams typically trust. The primary risks are intellectual property theft, credential harvesting, and lateral movement to sensitive systems — all of which can proceed for extended periods before detection. Organizations in defense, government, technology, and financial sectors operating in or with ties to Taiwan, South Korea, or Japan face the highest exposure.
You Are Affected If
SumatraPDF is installed on endpoints, particularly if obtained outside a verified software distribution channel
Microsoft VS Code is installed on endpoints where the VS Code tunnel feature is not explicitly disabled or blocked
Outbound HTTPS to github.com and VS Code tunnel relay domains (*.vscode-cdn.net, tunnels.api.visualstudio.com) is permitted without process-level inspection
Employees in or communicating with Taiwan, South Korea, or Japan are among the potential target population
Software installation policies permit users to execute applications from ZIP archives without hash verification
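The five exposure conditions above translate directly into an egress-triage check that a security team can run over process-aware proxy or EDR network telemetry. The following Python is an added example written for this advisory, not tooling from the advisory's authors: it flags connections to the named VS Code tunnel relay domains from any process other than VS Code, VS Code tunnel activity on endpoints without a documented business need, SumatraPDF contacting github.com, and SumatraPDF running from a Downloads or Temp directory (the ZIP-execution pattern). The log lines, endpoint names, the approved-endpoint allowlist, the process names (Code.exe, SumatraPDF.exe) and the "untrusted directory" segments are assumptions or constructed values and should be tuned to your estate; the tab-separated record layout is likewise invented for the example.

```python
"""Process-aware egress triage for the exposure conditions in the advisory.

Constructed example: log lines, endpoint names and allowlists are made up.
Each record is tab-separated:
    <timestamp> <endpoint> <process_path> <dest_host> <dest_port>
"""
import fnmatch
from pathlib import PureWindowsPath

# Hosts named in the advisory.
TUNNEL_RELAY_PATTERNS = ("*.vscode-cdn.net", "tunnels.api.visualstudio.com")
GITHUB_HOST = "github.com"

# Assumptions, not from the advisory: process names and directory segments a
# ZIP-extracted binary would typically run from. Tune these to your estate.
VSCODE_PROCESSES = {"code.exe"}
SUMATRA_PROCESS = "sumatrapdf.exe"
UNTRUSTED_DIR_SEGMENTS = ("\\downloads\\", "\\temp\\", "\\tmp\\")
# Constructed allowlist: endpoints with a documented need for VS Code tunnels.
APPROVED_TUNNEL_ENDPOINTS = {"DEV-0042"}


def host_matches(host, pattern):
    """Match a hostname against a glob (*.vscode-cdn.net) or a bare name.
    A bare name matches itself and any subdomain of it."""
    host, pattern = host.lower(), pattern.lower()
    if "*" in pattern:
        return fnmatch.fnmatch(host, pattern)
    return host == pattern or host.endswith("." + pattern)


def is_tunnel_relay(host):
    return any(host_matches(host, p) for p in TUNNEL_RELAY_PATTERNS)


def parse_record(line):
    ts, endpoint, proc_path, dest_host, dest_port = line.rstrip("\n").split("\t")
    return {"ts": ts, "endpoint": endpoint, "proc_path": proc_path,
            "dest_host": dest_host, "dest_port": int(dest_port)}


def evaluate(rec, approved_tunnel_endpoints):
    """Return the rule hits for one egress record as (rule, severity) pairs."""
    path = PureWindowsPath(rec["proc_path"])
    proc = path.name.lower()
    parent = "\\" + str(path.parent).lower() + "\\"
    dest = rec["dest_host"].lower()
    hits = []
    if is_tunnel_relay(dest):
        # Relay traffic from anything but VS Code is the strongest signal;
        # VS Code itself is only notable where tunnels are not approved.
        if proc not in VSCODE_PROCESSES:
            hits.append(("tunnel-relay-from-unexpected-process", "high"))
        elif rec["endpoint"] not in approved_tunnel_endpoints:
            hits.append(("vscode-tunnel-on-unapproved-endpoint", "medium"))
    if proc == SUMATRA_PROCESS:
        if host_matches(dest, GITHUB_HOST):
            hits.append(("sumatrapdf-to-github", "high"))
        if any(seg in parent for seg in UNTRUSTED_DIR_SEGMENTS):
            hits.append(("sumatrapdf-from-untrusted-path", "medium"))
    return hits


def triage(lines, approved_tunnel_endpoints=APPROVED_TUNNEL_ENDPOINTS):
    """Run every record through the rules and return one finding per hit."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        for rule, severity in evaluate(rec, approved_tunnel_endpoints):
            findings.append({"rule": rule, "severity": severity, "ts": rec["ts"],
                             "endpoint": rec["endpoint"],
                             "process": rec["proc_path"], "dest": rec["dest_host"]})
    return findings


# Constructed telemetry: one approved developer box and one finance workstation.
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z\tDEV-0042\tC:\\Program Files\\Microsoft VS Code\\Code.exe\ttunnels.api.visualstudio.com\t443",
    "2025-01-01T09:02:14Z\tFIN-0117\tC:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\ttunnels.api.visualstudio.com\t443",
    "2025-01-01T09:05:33Z\tFIN-0117\tC:\\Users\\bob\\Downloads\\SumatraPDF\\SumatraPDF.exe\texample-relay.vscode-cdn.net\t443",
    "2025-01-01T09:05:40Z\tFIN-0117\tC:\\Users\\bob\\Downloads\\SumatraPDF\\SumatraPDF.exe\tgithub.com\t443",
    "2025-01-01T09:06:00Z\tDEV-0042\tC:\\Program Files\\Mozilla Firefox\\firefox.exe\tgithub.com\t443",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['rule']:<40} {f['endpoint']} {f['process']} -> {f['dest']}")
```

On the constructed sample, the approved developer box and the browser session produce nothing, while the finance workstation yields five findings: VS Code tunnel use where none is approved, SumatraPDF reaching a relay domain and github.com, and SumatraPDF running from Downloads. The per-record "untrusted path" hit repeats for each connection from the same binary; collapsing that to one alert per endpoint and binary is a SIEM aggregation concern rather than a rule change.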
Board Talking Points
A state-linked threat group has upgraded its methods to hide malicious activity inside developer tools that most companies already trust and allow through their defenses.
Security teams should audit which systems run SumatraPDF and VS Code tunnel access within the next 48 hours and restrict both where there is no legitimate business need.
Without action, attackers could maintain undetected access to internal systems for weeks or months, with data theft and lateral movement as the likely outcomes.