North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025.
The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations.
“The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel,” Trellix researchers Pham Duy Phuc and Alex Lanstein said.
The infection chains have been observed to rely on trusted cloud storage solutions like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, in order to deliver a variant of an open-source remote access trojan called Xeno RAT that grants the threat actors to take control of compromised systems.
The campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that employ GitHub as a stager for an Xeno RAT known as MoonPeak. Despite the infrastructure and tactical overlaps, there are indications that the phishing attacks match China-based operatives.
The email messages, per Trellix, are carefully crafted to appear legitimate, often spoofing real diplomats or officials so as to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French, and Russian.
“The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence,” Trellix said. “Many emails included official signature, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings).”
“The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic. By strategically timing lures alongside real diplomatic happenings, they enhanced the credibility.”
Present within the ZIP archive is a Windows shortcut (LNK) masquerading as a PDF document, launching which results in the execution of PowerShell code that, in turn, runs an embedded payload, which reaches out to GitHub for fetching next-stage malware and establishes persistence through scheduled tasks. In parallel, a decoy document is displayed to the victims.
The script is also designed to harvest system information and exfiltrate the details to an attacker-controlled private GitHub repository, while simultaneously retrieving additional payloads by parsing the contents of a text file (“onf.txt”) in the repository to extract the Dropbox URL hosting the MoonPeak trojan.
“By simply updating onf.txt in the repository (pointing to a new Dropbox file), the operators could rotate payloads to infected machines,” Trellix explained.
“They also practiced ‘rapid’ infrastructure rotation: log data suggests that the ofx.txt payload was updated multiple times in an hour to deploy malware and to remove traces after use. This rapid update cycle, combined with the use of cloud infrastructure, helped the malicious activities fly under the radar.”
Interestingly, the cybersecurity company’s time-based analysis of the attackers’ activity has found it to be largely originating from a timezone that’s consistent with China, with a smaller proportion aligning with that of the Koreas. To add to the intrigue, a “perfect 3-day pause” was observed coinciding with Chinese national holidays in early April 2025, but not during North or South Korean holidays.
This has raised the possibility that the campaign, mirroring Chinese operational cadence while operating with motives that align with North Korea, is likely the result of –
- North Korean operatives working from Chinese territory
- A Chinese APT operation mimicking Kimsuky techniques, or
- A collaborative effort leveraging Chinese resources for North Korean intelligence gathering efforts
With North Korean cyber actors frequently stationed in China and Russia, as observed in the case of the remote information technology (IT) worker fraud scheme, Trellix said with medium-confidence that the operators are operating from China or are culturally Chinese.
“The use of Korean services and infrastructure was likely intentional to blend into the South Korean network,” Trellix said. “It’s a known Kimsuky trait to operate out of Chinese and Russian IP space while targeting South Korea, often using Korean services to mask their traffic as legitimate.”
N. Korea IT Worker Infiltrates 100s of Companies
The disclosure comes as CrowdStrike revealed that it has identified more than 320 incidents over the past 12 months where North Koreans posing as remote IT workers have infiltrated companies to generate illicit revenue for the regime, a 220% jump from last year.
The IT worker scheme, tracked as Famous Chollima and Jasper Sleet, is believed to use generative artificial intelligence (GenAI) coding assistants like Microsoft Copilot or VSCodium and translation tools to help assist with their daily tasks and respond to instant messages and emails. They are also likely to work three or four jobs simultaneously.
A crucial component of these operations encompasses recruiting people to run laptop farms, which include racks of corporate laptops used by the North Koreans to remotely do their work using tools like AnyDesk as if they were physically located in the country where the companies are based.
“Famous Chollima IT workers use GenAI to create attractive résumés for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties, all of which pose a substantial challenge to traditional security defenses,” the company said.
What’s more, a leak of 1,389 email addresses linked to the IT workers has uncovered that 29 of the 63 unique email service providers are online tools that allow users to create temporary or disposable email addresses, while another six are related to privacy-focused services like Skiff, Proton Mail, and SimpleLogin. Nearly 89% of the email addresses are Gmail accounts.
“All the Gmail accounts are guarded using Google Authenticator, 2FA, and Recovery BackUp Email,” security researcher Rakesh Krishnan said. “Many usernames include terms like developer, code, coder, tech, software, indicating a tech or programming focus.”
Some of these email addresses are present in a user database leak of the AI photo editing tool Cutout.Pro, suggesting potential use of the software to alter images for social media profiles or identification documents.
