North Korean Kimsuky Hackers Use GitHub to Target Foreign Embassies with XenoRAT Malware
The Trellix Advanced Research Center exposed a DPRK-linked espionage operation attributed to the Kimsuky group (APT43), targeting diplomatic missions in South Korea.
Between March and July, at least 19 spear-phishing emails impersonated trusted diplomatic contacts, delivering malware via password-protected ZIP archives hosted on Dropbox and Daum.
These emails lured embassy staff with credible invitations to events like EU meetings, U.S. Independence Day celebrations, and military luncheons, often timed to coincide with real diplomatic activities.
The campaign abused GitHub as a command-and-control (C2) hub, enabling data exfiltration and payload retrieval over HTTPS to blend with legitimate traffic.

A variant of the XenoRAT remote access trojan provided attackers with full system control, including keystroke logging, screenshot capture, and file transfers, facilitating intelligence gathering from compromised systems.
Multi-Stage Infection Chain
The infection began with spear-phishing emails containing ZIP files that housed malicious Windows shortcuts (.LNK files) disguised as PDFs ...
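The lure described above relies on a Windows shortcut carrying a document-looking name inside a ZIP. The following is an added triage example, not code from the Trellix report or from gbhackers, that inspects a ZIP attachment for shortcuts masquerading as documents: it flags members by name (a double extension ending in `.lnk`, which is visible even in a password-protected archive because ZipCrypto leaves the central directory in clear text) and, where the content is readable, by the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID). The sample archive, its file names and the supplied password handling are constructed for illustration; the real lure file names are not reproduced here.

```python
"""Scan a ZIP attachment for Windows shortcut (.LNK) files posing as documents.

Added example (not from the gbhackers/Trellix report). The sample archive and
member names below are constructed for illustration.
"""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document extensions an attacker places before ".lnk" so that Explorer,
# with "hide extensions for known file types" enabled, displays "Invitation.pdf".
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".txt")


def classify_name(name):
    """Reasons derived from the member name alone.

    Works on encrypted archives too: ZipCrypto encrypts member data, not the
    central directory, so names are always readable.
    """
    reasons = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        reasons.append("lnk-extension")
        stem = lower[: -len(".lnk")]
        if stem.endswith(DOC_EXTENSIONS):
            reasons.append("double-extension")
    return reasons


def scan_zip_bytes(blob, pwd=None):
    """Return [(member_name, [reasons])] for suspicious members.

    Content is inspected only when the member is unencrypted or a password
    (bytes) was supplied; name-based checks always run.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            encrypted = bool(info.flag_bits & 0x1)
            if not encrypted or pwd is not None:
                with zf.open(info, pwd=pwd) as fh:
                    head = fh.read(len(LNK_MAGIC))
                # Catches shortcuts regardless of what the name claims.
                if head == LNK_MAGIC:
                    reasons.append("lnk-header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed lure: a fake 'PDF' shortcut beside a benign PDF-looking file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Hypothetical member name; the real lure names are not reproduced.
        zf.writestr("Invitation_Independence_Day.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Agenda.pdf", b"%PDF-1.4\n%constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {', '.join(reasons)}")
```

Run it against a real attachment with `scan_zip_bytes(open(path, "rb").read(), pwd=b"...")` once the password from the phishing mail is known; without the password the name-based findings still surface, which is usually enough to quarantine the message at the gateway.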
Copyright of this story solely belongs to gbhackers.