North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms
Summary:
In early 2025, Trellix Advanced Research Center uncovered a sophisticated espionage campaign targeting diplomatic missions in South Korea. Between March and July, DPRK-linked actors carried out at least 19 spear-phishing attacks against embassies worldwide, impersonating trusted diplomats and luring staff with convincing meeting invitations, official letters, and event announcements. The attackers relied on password-protected ZIP files delivered through Dropbox and Daum to conceal malicious LNK shortcuts that executed obfuscated PowerShell scripts. These scripts reached out to GitHub repositories and Dropbox payloads, ultimately deploying XenoRAT, a remote access trojan associated with the MoonPeak malware family. Once active, the malware collected detailed system information, exfiltrated data via GitHub’s API, and provided operators with full control over infected systems, enabling surveillance, credential theft, and persistent access.
A hallmark of the campaign was its highly refined social engineering. Trellix identified over 50 decoy documents in multiple languages, many timed to coincide with real diplomatic events such as EU political meetings, U.S. Independence Day celebrations, and Korea–Africa cooperation forums. These carefully localized lures greatly increased the likelihood of success. Infrastructure analysis revealed two GitHub accounts, “blairity” and “landjhon”, hosting repositories tied to specific phishing themes, along with VPS servers in Seoul and Korean cloud services, all consistent with known Kimsuky operations. Attribution strongly aligns with North Korea’s APT43, given the targeting, malware family, and infrastructure overlap.
Security Officer Comments:
What makes this operation especially notable is the professional setup and cadence of activity. The attackers maintained dedicated VMs, rotated infrastructure rapidly, and operated during standard business hours in the Asia region. Interestingly, pauses in activity aligned with Chinese national holidays rather than Korean ones, raising the possibility of DPRK operators based in China or even a joint effort leveraging Chinese resources. By abusing legitimate platforms like GitHub and Dropbox, the group blended their activity into normal internet traffic, complicating detection.
Suggested Corrections:
- Strengthen authentication by requiring phishing-resistant MFA such as hardware security keys or certificate-based login, reducing the effectiveness of credential theft.
- Harden endpoint execution controls by blocking or restricting LNK file execution and monitoring PowerShell activity, especially scripts launched from email attachments or cloud downloads.
- Enhance cloud traffic visibility with monitoring tools to detect unusual use of GitHub, Dropbox, or Daum that could indicate covert command-and-control or data exfiltration.
- Deploy advanced email security measures capable of flagging spoofed diplomatic senders, malicious archives, and password-protected attachments designed to bypass detection.
- Conduct targeted awareness training for embassy and government staff to recognize spear-phishing lures that mimic real events, invitations, or official diplomatic correspondence.
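The endpoint and cloud-traffic recommendations above (restrict LNK-launched PowerShell, watch for unusual GitHub/Dropbox/Daum use) can be expressed as a simple correlation rule. The following Python is an added illustration, not Trellix's detection logic or anything from the article: it scores Sysmon-style process-creation events for the LNK chain described in the summary (explorer.exe spawning PowerShell with hidden-window/encoded-command flags) and escalates when the same process later connects to one of the named cloud services. The event records, ProcessGuids and command lines are constructed for the example.

```python
"""Correlate LNK-style PowerShell launches with follow-on connections to
code-hosting / file-sharing services. Hypothetical detection logic written for
this summary; the events below are constructed, not real telemetry. Field names
mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect)."""
import re
from collections import defaultdict

# Services the summary names as abused for payload staging and exfiltration.
ABUSED_SERVICES = re.compile(
    r"(^|\.)(github\.com|githubusercontent\.com|dropbox\.com|"
    r"dropboxusercontent\.com|daum\.net)$", re.I)

# Flags commonly seen on obfuscated PowerShell launched via a shortcut file.
EVASIVE_FLAGS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded_command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden_window"),
    (re.compile(r"-nop(rofile)?\b", re.I), "no_profile"),
    (re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I), "exec_policy_bypass"),
]


def score_process(ev):
    """Return the indicator names for one ProcessCreate event (empty if benign)."""
    hits = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return hits
    # A double-clicked LNK target is started by the shell, so explorer.exe
    # is the parent; an interactive admin shell or IDE usually is not.
    if parent.endswith("explorer.exe"):
        hits.append("shell_launched")
    for rx, name in EVASIVE_FLAGS:
        if rx.search(cmd):
            hits.append(name)
    return hits


def correlate(events):
    """Join suspicious process launches with later cloud connections by ProcessGuid."""
    procs = {}
    conns = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            hits = score_process(ev)
            if hits:
                procs[ev["ProcessGuid"]] = {"Image": ev["Image"],
                                            "indicators": hits}
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "")
            if ABUSED_SERVICES.search(host):
                conns[ev["ProcessGuid"]].append(host)
    alerts = []
    for guid, rec in procs.items():
        rec["destinations"] = conns.get(guid, [])
        # Full chain = shell launch + at least one evasive flag + cloud C2/staging.
        full_chain = (rec["destinations"]
                      and "shell_launched" in rec["indicators"]
                      and len(rec["indicators"]) > 1)
        rec["severity"] = "high" if full_chain else "medium"
        alerts.append({"ProcessGuid": guid, **rec})
    return alerts


# Constructed sample telemetry (not from the article or any real host).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # {A}: LNK-style launch with evasive flags, then a GitHub API connection.
    {"EventID": 1, "ProcessGuid": "{A}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"EventID": 3, "ProcessGuid": "{A}",
     "DestinationHostname": "api.github.com", "DestinationPort": 443},
    # {B}: developer tooling talking to GitHub; parent is an IDE, no flags.
    {"EventID": 1, "ProcessGuid": "{B}", "Image": PS,
     "ParentImage": r"C:\Program Files\Editor\Code.exe",
     "CommandLine": "powershell.exe -NoLogo"},
    {"EventID": 3, "ProcessGuid": "{B}",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    # {D}: plain PowerShell from the shell, no flags, no network activity.
    {"EventID": 1, "ProcessGuid": "{D}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["ProcessGuid"], alert["indicators"],
              alert["destinations"])
```

Only process {A} reaches "high": it is shell-launched, carries encoded-command, hidden-window and no-profile flags, and then contacts api.github.com. The IDE-spawned PowerShell that also reaches github.com produces no alert at all, which is the point of correlating on the launch context rather than alerting on every GitHub connection.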
https://thehackernews.com/2025/08/north-korea-uses-github-in-diplomat.html