Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure
Essential information
- Published
- 26/06/2025 21:22
- Modified
- 27/06/2025 08:14
- Tags
- 2025-06-26 dropbox kimsuky north korea south korea spearphishing xenorat
- Related entities
- 16 observables, 1 intrusion sets (apt), 16 techniques (mitre), 1 malware, 2 others
Description
A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack leveraged GitHub Personal Access Tokens to access private repositories and distribute XenoRAT malware. The campaign also employed Dropbox for malware distribution. The attackers used tailored decoy documents and impersonated legitimate entities to increase the effectiveness of their phishing attempts. Analysis of the infrastructure and malware samples revealed connections to previous Kimsuky operations, including shared test IP addresses and similar malware build environments.