
A North Korean threat actor has been attributed to a coordinated cyber-espionage campaign that targeted diplomatic missions in South Korea between March and July 2025.
The activity took the form of at least 19 spear-phishing emails posing as invitations, official letters and event notices. They impersonated trusted diplomatic contacts in order to lure embassy staff and Ministry of Foreign Affairs officials.
“Attackers used GitHub, which is usually known as a legitimate developer platform, as a secret command-and-control channel,” said Trellix researchers Pham Duy Phuc and Alex Lanstein.
The infection chains have also been observed to rely on trusted cloud storage services such as Dropbox and Daum Cloud, the online service of South Korean internet conglomerate Kakao Corporation.
The campaign has been assessed as the work of a North Korean hacking group called Kimsuky. Kimsuky was recently linked to a phishing attack that employed GitHub as a stager for the XenoRAT variant known as MoonPeak. Despite the infrastructure and tactical overlap, there are indications pointing to China-based operatives behind the phishing attacks.
According to Trellix, each email message is carefully crafted to look legitimate, often invoking real diplomats and officials, and lures recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French and Russian.
“The contents of the spear-phishing emails were carefully crafted to mimic legitimate diplomatic communications,” Trellix said. “Many emails included official signatures, diplomatic terms and references to actual events (such as summits, forums, or meetings).”
“The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-term Kimsuky tactic, and increased credibility through strategic timing alongside actual diplomatic events.”

Residing within the ZIP archive is a Windows shortcut (LNK) file masquerading as a PDF document. When opened, it launches PowerShell code that runs an embedded payload, reaches out to GitHub to fetch the next-stage malware, and establishes persistence through scheduled tasks. In parallel, the victim is shown a decoy document.
The script is designed to collect system information and exfiltrate the details to an attacker-controlled private GitHub repository. At the same time, it retrieves additional payloads by parsing the contents of a text file in the repository (“onf.txt”) to extract the Dropbox URL hosting the MoonPeak trojan.
“Just updating the repository’s onf.txt (to point to a new Dropbox file) allows the operator to rotate the payload on the infected machine,” Trellix explained.
“They also practiced ‘quick’ infrastructure spin-up. The log data suggests that the onf.txt payload was updated multiple times within an hour to deploy the malware and remove traces after use.”
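The chain described above (Explorer launching PowerShell from a shortcut inside an opened ZIP, hidden or encoded PowerShell, contact with GitHub and a cloud storage host, then a scheduled task) leaves a recognizable footprint in endpoint telemetry. The following detection sketch is an added example, not code from Trellix or from the article. It assumes a simplified, Sysmon-like JSON event shape (process creation with pid/ppid/image/cmdline/cwd, and network connections keyed by pid); the host names, PIDs, encoded command string and domains in the sample events are constructed for the example. The point is that no single indicator is enough (a developer's PowerShell session legitimately reaches api.github.com), but several independent indicators on the same process are.

```python
"""Score PowerShell processes against the GitHub/cloud-storage stager chain.

Constructed sample telemetry in a simplified Sysmon-like shape (an assumption
of this example, not a real product schema).
"""
import re
from collections import defaultdict

GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
CLOUD_STORAGE_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com",
                       "drive.google.com", "drive.usercontent.google.com"}
POWERSHELL_NAMES = ("powershell.exe", "pwsh.exe")

# Explorer extracts a ZIP's contents to %TEMP%\TempN_<archive>.zip\ when a file
# inside the archive is double-clicked; a PowerShell child with that cwd is
# the "shortcut launched from the ZIP" signal.
ARCHIVE_TEMP_RE = re.compile(r"\\temp\\temp\d+_[^\\]*\.zip\\", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "process", "host": "emb-ws-07", "pid": 4120, "ppid": 2200,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "cwd": ""},
    {"type": "process", "host": "emb-ws-07", "pid": 4188, "ppid": 4120,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile "
                "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "cwd": "C:\\Users\\user\\AppData\\Local\\Temp\\Temp1_Invitation.zip\\"},
    {"type": "network", "host": "emb-ws-07", "pid": 4188,
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "network", "host": "emb-ws-07", "pid": 4188,
     "dest_host": "dl.dropboxusercontent.com", "dest_port": 443},
    {"type": "process", "host": "emb-ws-07", "pid": 4201, "ppid": 4188,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 30 /tn UpdateCheck /tr PLACEHOLDER",
     "cwd": ""},
    # Benign: a developer's interactive PowerShell pulling from GitHub.
    {"type": "process", "host": "dev-ws-01", "pid": 900, "ppid": 880,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command git pull", "cwd": "C:\\src\\proj\\"},
    {"type": "network", "host": "dev-ws-01", "pid": 900,
     "dest_host": "api.github.com", "dest_port": 443},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {(host, pid): sorted indicator names} for each PowerShell process."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    indicators = defaultdict(set)
    for key, p in procs.items():
        if basename(p["image"]) not in POWERSHELL_NAMES:
            continue
        parent = procs.get((p["host"], p["ppid"]))
        if (parent and basename(parent["image"]) == "explorer.exe"
                and ARCHIVE_TEMP_RE.search(p.get("cwd", ""))):
            indicators[key].add("powershell_from_zip_shortcut")
        if HIDDEN_RE.search(p["cmdline"]) or ENCODED_RE.search(p["cmdline"]):
            indicators[key].add("hidden_or_encoded_powershell")
    for e in events:
        if e["type"] != "network":
            continue
        key = (e["host"], e["pid"])
        if key not in procs or basename(procs[key]["image"]) not in POWERSHELL_NAMES:
            continue
        dest = e["dest_host"].lower()
        if dest in GITHUB_HOSTS:
            indicators[key].add("github_contact")
        if dest in CLOUD_STORAGE_HOSTS:
            indicators[key].add("cloud_storage_download")
    for key, p in procs.items():
        # schtasks /create spawned by PowerShell: the persistence step.
        if basename(p["image"]) == "schtasks.exe" and "/create" in p["cmdline"].lower():
            parent_key = (p["host"], p["ppid"])
            if parent_key in procs and basename(procs[parent_key]["image"]) in POWERSHELL_NAMES:
                indicators[parent_key].add("scheduled_task_persistence")
    return {k: sorted(v) for k, v in indicators.items()}


def alerts(events, threshold=3):
    """Alert only when several independent indicators stack on one process."""
    return [(host, pid, inds) for (host, pid), inds in analyze(events).items()
            if len(inds) >= threshold]


if __name__ == "__main__":
    for host, pid, inds in alerts(SAMPLE_EVENTS):
        print(f"ALERT {host} pid={pid}: {', '.join(inds)}")
```

In the sample data the embassy workstation's PowerShell process collects all five indicators and is alerted, while the developer host's process registers only `github_contact` and stays below the threshold. In a real deployment the same logic would be expressed as a correlation rule in the SIEM, with the threshold tuned against the environment's normal use of PowerShell and GitHub.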

Interestingly, the cybersecurity company’s time-based analysis of the attackers’ activity shows that it stems primarily from time zones matching China, with a smaller proportion consistent with South Korea. Adding to the picture, a “perfect three-day suspension” of activity was observed in early April 2025, coinciding with China’s national holidays but not with North or South Korean holidays.
This raises the possibility that the campaign, which reflects China’s operational rhythm while pursuing motives aligned with North Korea, is the result of one of the following: North Korean operatives working from Chinese territory, genuine Chinese operations mimicking Kimsuky’s techniques, or a collaborative effort that leverages Chinese resources for North Korea’s intelligence collection.
Given that North Korean cyber actors are frequently stationed in China and Russia, as observed in the case of the remote information technology (IT) worker fraud schemes, Trellix has assessed that the operators are either run from China or are culturally Chinese.
“It is likely that the use of South Korean services and infrastructure was intended to blend into the Korean network,” Trellix said. “Operating from IP spaces in China and Russia while targeting South Korea is a Kimsuky characteristic; the group is known to use Korean services to legally obscure traffic.”
North Korean IT Workers Infiltrate 100 Companies
The disclosure comes as CrowdStrike revealed that it has identified more than 320 incidents in the last 12 months in which North Korean remote IT workers infiltrated companies to generate illicit revenue for the regime, a 220% jump from the previous year.
Tracked as Famous Chollima and Jasper Sleet, the IT worker schemes are thought to use generative artificial intelligence (GenAI) coding assistants such as Microsoft Copilot and VSCodium, as well as translation tools, to help with daily tasks and respond to instant messages and emails. A single worker could also hold three or four jobs at the same time.

Key components of these operations include recruiting people to run laptop farms: racks of corporate-issued laptops that, with remote access tools, make the workers appear to be physically located in the country where the company is based while they do the work remotely.
“Famous Chollima IT workers use GenAI to create attractive resumes for businesses, use real-time deepfake technology to cover up their true identity in video interviews, and leverage AI coding tools to help them with their job duties.”
Additionally, a leak of 1,389 email addresses linked to the IT workers revealed that 29 of the 63 unique email service providers were online tools that let users create temporary or disposable email addresses, along with six other email addresses. Almost 89% of the email addresses were Gmail accounts.
“All Gmail accounts are guarded using Google Authenticator, 2FA, and a recovery backup email,” said security researcher Rakesh Krishnan. “Many usernames include terms like developer, code, coder, technology, software, and more, indicating a focus on technology or programming.”
Some of these email addresses also appear in the leaked user database of the AI photo editing tool cutout.pro, suggesting the potential use of the software to modify images for social media profiles or identification documents.