North Korean hackers target diplomats via GitHub spearphishing attack
North Korean threat actors have been linked to a coordinated cyber espionage campaign targeting diplomatic missions in South Korea between March and July 2025. This campaign involved at least 19 spear-phishing emails that impersonated trusted diplomatic contacts, aiming to lure embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations. The attackers utilised GitHub, a platform typically associated with legitimate development, as a covert command-and-control channel. Trellix researchers Pham Duy Phuc and Alex Lanstein noted that the infection chains relied on trusted cloud storage solutions like Dropbox and Daum Cloud to deliver a variant of an open-source remote access trojan known as Xeno RAT, enabling the threat actors to take control of compromised systems.
The campaign is attributed to a North Korean hacking group called Kimsuky, which has been previously linked to phishing attacks using GitHub as a staging ground for a variant of Xeno RAT known as MoonPeak. Despite similarities in infrastructure and tactics, there are indications that some phishing attacks may align with China-based operatives. The emails were meticulously crafted to appear legitimate, often spoofing real diplomats or officials to entice recipients into opening password-protected malicious ZIP files hosted on platforms like Dropbox, Google Drive, or Daum. The messages were composed in multiple languages, including Korean, English, Persian, Arabic, French, and Russian. Trellix highlighted that the spear-phishing content mimicked authentic diplomatic correspondence, incorporating official signatures, diplomatic terminology, and references to real events, thereby enhancing the credibility of the attacks.
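The delivery pattern described in the article (a message pointing at a consumer cloud-storage link, with the archive password handed over in the same message, or a password-protected ZIP attached outright) is something a mail-triage pipeline can flag before anyone opens the lure. The following is an added example written for this page, not code from Trellix or from the article. It assumes the cloud hosts listed in `CLOUD_HOSTS` (the Daum Cloud domain in particular is an assumption), a plain-text message body, and a constructed sample e-mail; the "encrypted" ZIP is built by flipping the encryption bit in the central directory so the check can be exercised offline without any real archive.

```python
"""Triage helper for the lure pattern above: cloud-storage link plus an
archive password, or a password-protected ZIP attachment.
Added example; the sample message and archive are constructed."""
import io
import re
import struct
import zipfile
from email import message_from_string
from typing import Dict, List, Optional

# Delivery platforms named in the article. daum.net is an assumed domain for Daum Cloud.
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "daum.net")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def cloud_links(text: str) -> List[str]:
    """Return URLs in `text` whose host is one of CLOUD_HOSTS or a subdomain of it."""
    hits = []
    for url in URL_RE.findall(text):
        host = re.split(r"[/?#]", re.sub(r"^https?://", "", url))[0].lower()
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            hits.append(url)
    return hits


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry has bit 0 of the general-purpose flag set, i.e. the
    archive is password-protected. Non-ZIP input is reported as not encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw_email: str, attachments: Optional[Dict[str, bytes]] = None) -> dict:
    """Score one message. Only the two indicators from the article are checked."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = cloud_links(body)
    password_hint = re.search(r"\bpassword\b", body, re.I) is not None
    encrypted = [name for name, blob in (attachments or {}).items()
                 if zip_has_encrypted_entries(blob)]
    reasons = []
    if links and password_hint:
        reasons.append("cloud-storage link with an archive password in the body")
    if encrypted:
        reasons.append("password-protected ZIP attached")
    return {"cloud_links": links, "encrypted_zips": encrypted,
            "reasons": reasons, "suspicious": bool(reasons)}


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test archive. With encrypted=True, bit 0 of the flag word in
    the central directory header (offset 8 after 'PK\\x01\\x02') is set so the
    archive parses as password-protected; no real encryption is applied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.bin", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(b"PK\x01\x02")
        flags = struct.unpack_from("<H", data, cd + 8)[0]
        struct.pack_into("<H", data, cd + 8, flags | 0x1)
    return bytes(data)


# Constructed sample, modelled on the meeting-invite lure the article describes.
SAMPLE_EMAIL = """\
From: "Embassy Protocol Office" <protocol.office@example.com>
To: staff@example.org
Subject: Invitation: bilateral working lunch
Content-Type: text/plain; charset="utf-8"

Dear colleague,

Please find the agenda and invitation letter here:
https://www.dropbox.com/s/EXAMPLE/Invitation.zip?dl=1
The archive password is Seoul2025.

Kind regards,
Protocol Office
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL, {"Invitation.zip": make_sample_zip(True)})
    for reason in result["reasons"]:
        print("FLAG:", reason)
```

Both checks are cheap enough to run on every inbound message at the gateway; the ZIP check in particular needs only the central directory, not the password, so it works on the attachment as received.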