The Trellix Advanced Research Center exposed a DPRK-linked espionage operation attributed to the Kimsuky group (APT43), targeting diplomatic missions in South Korea.
Between March and July, at least 19 spear-phishing emails impersonated trusted diplomatic contacts, delivering malware via password-protected ZIP archives hosted on Dropbox and Daum.
These emails lured embassy staff with credible invitations to events like EU meetings, U.S. Independence Day celebrations, and military luncheons, often timed to coincide with real diplomatic activities.
The campaign abused GitHub as a command-and-control (C2) hub, enabling data exfiltration and payload retrieval over HTTPS to blend with legitimate traffic.
A variant of the XenoRAT remote access trojan provided attackers with full system control, including keystroke logging, screenshot capture, and file transfers, facilitating intelligence gathering from compromised systems.
Multi-Stage Infection Chain
The infection began with spear-phishing emails containing ZIP files that housed malicious Windows shortcuts (.LNK files) disguised as PDFs.

Upon execution, these triggered obfuscated PowerShell scripts that downloaded base64-encoded payloads from GitHub repositories, establishing persistence via scheduled tasks.
Reconnaissance scripts enumerated system details such as OS version, IP address, and running processes, exfiltrating data to GitHub via API uploads in base64-encoded files.
For C2, attackers used private repositories like those under accounts “blairity” and “landjhon” to host instructions in files like “onf.txt,” which directed victims to Dropbox-hosted XenoRAT payloads obfuscated with Confuser Core 1.6.0.
These payloads were loaded reflectively into memory after GZIP header manipulation, a hallmark of North Korean operations, ensuring diskless execution.
Infrastructure analysis linked IPs like 158.247.230.196 to known Kimsuky servers, with activity patterns showing Monday-to-Friday operations in the UTC+08:00 timezone and pauses coinciding with Chinese holidays, suggesting operators based in China despite the DPRK attribution.
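As an added defensive example (not code from the Trellix report), the check below is what a mail gateway could run over ZIP attachments to flag the first link of the chain above: a Windows shortcut posing as a PDF. The sample archive is constructed inline; entry names remain readable even in password-protected ZIPs because ZIP encryption covers entry data, not the central directory, so the name-based findings apply to the lures described here while the content check needs an unencrypted entry.

```python
import io
import zipfile

# Fixed header of a Windows shell link: HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Extensions a diplomatic lure document would normally carry (assumed list).
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".txt")


def _name_findings(name: str) -> list[str]:
    """Findings from the entry name alone; names stay readable even when the
    archive is password-protected, since ZIP encryption covers data only."""
    stem, _, ext = name.lower().rpartition(".")
    findings = []
    if ext == "lnk":
        findings.append("lnk-extension")
        if stem.endswith(DOCUMENT_EXTS):
            findings.append("double-extension")  # e.g. invitation.pdf.lnk
    return findings


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry to its findings. Entry content is inspected
    only when unencrypted; encrypted entries fall back to name checks."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = _name_findings(info.filename)
            encrypted = bool(info.flag_bits & 0x1)
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
                if head == LNK_MAGIC and "lnk-extension" not in findings:
                    findings.append("lnk-content-under-other-extension")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample (not a real lure): a disguised shortcut, a benign
    PDF-like file, and a shortcut stored under a plain .pdf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EU_meeting_invitation.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("agenda.pdf", b"%PDF-1.4\n")
        zf.writestr("speech_notes.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` reports the double-extension shortcut and the shortcut hidden under the `.pdf` name while leaving the PDF-like entry unflagged.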
Defensive Insights
Attribution points firmly to Kimsuky, with overlaps in tactics like thematic lures, Korean service usage, and XenoRAT variants matching prior campaigns.
However, operational pauses during Chinese holidays like Qingming Festival indicate possible Chinese support or basing.
According to the report, the campaign maps to MITRE ATT&CK techniques including T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell Execution), and T1567.002 (Exfiltration Over Web Service).
Trellix detections across products like Endpoint Security flag signatures such as LNK/Downloader.ZRD and XenoRAT/Packed.A.
The operation remains active, highlighting the need for enhanced email security, GitHub monitoring, and anomaly detection in diplomatic networks to counter such state-sponsored threats.
Key Indicators of Compromise (IoCs)
Type | Indicator | Description |
---|---|---|
File Hash (SHA256) | 1e10203174fb1fcfb47bb00cac2fe6ffe660660839b7a2f53d8c0892845b0029 | Diplomacy Journal ZIP |
File Hash (SHA256) | cf2cba1859b2df4e927b8d52c630ce7ab6700babf9c7b4030f8243981b1a04fa | U.S. Embassy Invitation ZIP |
IP:Port | 141.164.40.239:443 | XenoRAT C2 |
URL | https://dl.dropbox.com/scl/fi/sb19vsslj13wdkndskwuou/eula.rtf?… | Payload URL |
Email | [email protected] | U.S. Embassy lure sender |