· Threat Intelligence · 5 min read
North Korea Hits Diplomats with GitHub-Based Attacks
North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025.
The activity manifested as at least 19 spear-phishing emails that impersonated trusted diplomatic contacts. The goal was to lure embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations.
GitHub as a Covert C2 Channel
“The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel,” Trellix researchers Pham Duy Phuc and Alex Lanstein said.
The infection chains relied on trusted cloud storage solutions like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation. These services were used to deliver a variant of an open-source remote access trojan called Xeno RAT, which grants the threat actors control of compromised systems.
The campaign is assessed to be the work of Kimsuky, a North Korean hacking group. According to recent cybersecurity research, the group was also recently linked to phishing attacks that employ GitHub as a stager for a Xeno RAT variant known as MoonPeak. Despite the infrastructure and tactical overlaps, some indications suggest the phishing attacks match China-based operatives.
A Web of Deception
The email messages, per Trellix, are carefully crafted to appear legitimate, often spoofing real diplomats or officials to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French, and Russian.
“The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence,” Trellix noted. “Many emails included official signatures, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings).”
“The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic. By strategically timing lures alongside real diplomatic happenings, they enhanced the credibility.”
The ZIP archive contains a Windows shortcut (LNK) file masquerading as a PDF document. Launching it executes PowerShell code that runs an embedded payload, which then reaches out to GitHub for the next-stage malware and establishes persistence through scheduled tasks. In parallel, a decoy document is displayed to the victims.
The script is also designed to harvest system information and exfiltrate the details to an attacker-controlled private GitHub repository. Simultaneously, it retrieves additional payloads by parsing the contents of a text file (“onf.txt”) in the repository to extract the Dropbox URL hosting the MoonPeak trojan.
“By simply updating onf.txt in the repository (pointing to a new Dropbox file), the operators could rotate payloads to infected machines,” Trellix explained.
“They also practiced ‘rapid’ infrastructure rotation: log data suggests that the ofx.txt payload was updated multiple times in an hour to deploy malware and to remove traces after use. This rapid update cycle, combined with the use of cloud infrastructure, helped the malicious activities fly under the radar.”
The Chinese Connection
Interestingly, the cybersecurity company’s time-based analysis of the attackers’ activity found it to be largely originating from a timezone consistent with China, with a smaller proportion aligning with that of the Koreas. To add to the intrigue, a “perfect 3-day pause” was observed coinciding with Chinese national holidays in early April 2025, but not during North or South Korean holidays.
This has raised the possibility that the campaign, mirroring Chinese operational cadence while operating with motives that align with North Korea, is likely the result of:
- North Korean operatives working from Chinese territory
- A Chinese APT operation mimicking Kimsuky techniques, or
- A collaborative effort leveraging Chinese resources for North Korean intelligence-gathering efforts
With North Korean cyber actors frequently stationed in China and Russia, a tactic that aligns with the well-documented remote information technology (IT) worker fraud scheme, Trellix stated with medium-confidence that the operators are operating from China or are culturally Chinese.
“The use of Korean services and infrastructure was likely intentional to blend into the South Korean network,” Trellix said. “It’s a known Kimsuky trait to operate out of Chinese and Russian IP space while targeting South Korea, often using Korean services to mask their traffic as legitimate.”
N. Korea IT Worker Scheme Infiltrates Hundreds of Companies
This disclosure comes as CrowdStrike revealed that it has identified more than 320 incidents over the past 12 months where North Koreans posing as remote IT workers have infiltrated companies to generate illicit revenue for the regime, a 220% jump from last year.
The IT worker scheme, tracked as Famous Chollima and Jasper Sleet, is believed to use generative artificial intelligence (GenAI) coding assistants like Microsoft Copilot or VSCodium and translation tools to help with daily tasks and respond to instant messages and emails. They are also likely to work three or four jobs simultaneously.
A crucial component of these operations involves recruiting people to run laptop farms, which include racks of corporate laptops used by the North Koreans to remotely perform their work using tools like AnyDesk, making it appear as if they were physically located in the country where the companies are based.
“Famous Chollima IT workers use GenAI to create attractive résumés for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties, all of which pose a substantial challenge to traditional security defenses,” the company said.
What’s more, a leak of 1,389 email addresses linked to the IT workers has uncovered that 29 of the 63 unique email service providers are online tools that allow users to create temporary or disposable email addresses, while another six are related to privacy-focused services like Skiff, Proton Mail, and SimpleLogin. Nearly 89% of the email addresses are Gmail accounts.
“All the Gmail accounts are guarded using Google Authenticator, 2FA, and Recovery BackUp Email,” security researcher Rakesh Krishnan said. “Many usernames include terms like developer, code, coder, tech, software, indicating a tech or programming focus.”
Some of these email addresses are present in a user database leak of the AI photo editing tool Cutout.Pro, suggesting potential use of the software to alter images for social media profiles or identification documents.
Share this post
News Feed
Get the Hottest Cybersecurity News Delivered to You!
Thank you!
You have successfully joined our subscriber list.
