A sophisticated espionage campaign targeting diplomatic missions in South Korea has exposed the evolving tactics of North Korean state-sponsored hackers.
Between March and July 2025, threat actors linked to the notorious Kimsuky group conducted at least 19 spear-phishing attacks against embassies worldwide, demonstrating an alarming escalation in their operational sophistication and targeting scope.
The campaign represents a significant evolution in North Korean cyber operations, as attackers exploited legitimate platforms like GitHub as covert command-and-control infrastructure while deploying XenoRAT malware to maintain persistent access to diplomatic networks.
The operation targeted embassy personnel across Western, Central, Eastern, and Southern European diplomatic missions stationed in Seoul, indicating a coordinated intelligence-gathering effort with broad geopolitical implications.
Trellix researchers identified the campaign through comprehensive analysis of the attack infrastructure and malware samples.
The investigation revealed that the threat actors created at least two GitHub accounts, “blairity” and “landjhon,” operating multiple private repositories with innocuous names such as “europa,” “gulthe,” and “themorning.”
These repositories served as multifunctional platforms for hosting decoy documents, managing PowerShell scripts, and collecting exfiltrated intelligence data.
The attackers demonstrated remarkable attention to detail in their social engineering efforts, crafting 54 unique PDF decoy documents spanning multiple languages including Korean, English, Persian, Arabic, French, and Russian.
These lures impersonated legitimate diplomatic correspondence, conference invitations, and official embassy communications.
One particularly sophisticated example involved a fake invitation to the “Founding Assembly of the Inter-Parliamentary Speakers’ Conference,” complete with realistic diplomatic formatting and terminology that would appeal to embassy staff.
Advanced Infection Chain and Persistence Mechanisms
The XenoRAT deployment process showcases advanced evasion techniques designed to bypass traditional security controls.
The infection chain begins with password-protected ZIP archives containing malicious LNK files disguised with PDF icons and double extensions like “Urgent Letter from the Ambassador.pdf.lnk.”
Upon execution, these shortcuts trigger obfuscated PowerShell commands that establish the initial foothold.
The malware employs a sophisticated GZIP header manipulation technique consistently observed across North Korean operations.
The PowerShell script systematically overwrites the first seven bytes of downloaded payloads with the proper GZIP magic sequence (0x1F8B08…) before decompression, as demonstrated in this code pattern:
# Read the downloaded blob whose leading bytes were deliberately corrupted
$bytes = [System.IO.File]::ReadAllBytes($path)
# Restore the GZIP magic: ID1 = 0x1F, ID2 = 0x8B, CM = 0x08 (deflate)
$bytes[0] = 0x1F; $bytes[1] = 0x8B; $bytes[2] = 0x08
# Write the repaired stream back so it can be decompressed normally
[System.IO.File]::WriteAllBytes($path, $bytes)
The final XenoRAT payload, obfuscated using Confuser Core 1.6.0, executes entirely in memory through .NET reflection, ensuring no executable files touch the disk.
The malware establishes persistence via scheduled tasks while providing comprehensive system control through keystroke logging, screenshot capture, and remote shell capabilities.
Data exfiltration occurs through GitHub API uploads using hardcoded personal access tokens, with stolen information formatted in timestamped filenames and base64-encoded before transmission.
This campaign underscores the increasing sophistication of North Korean cyber operations and their willingness to abuse trusted platforms for espionage activities, presenting significant challenges for diplomatic security worldwide.