ENKI links a GitHub-based spearphishing infrastructure cluster to the DPRK-nexus actor Kimsuky through XenoRAT C2 analysis and attacker repository evidence. The campaign targeted South Korean individuals with decoys such as law-firm debt notices, powers of attorney, traffic accident documents, and Financial Supervisory Service-themed account notices. Malware staged RTF-named compressed payloads from Dropbox and GitHub, then decompressed and executed XenoRAT-like .NET payloads in a fileless manner. Hardcoded GitHub Personal Access Tokens with repo scope let the operators access private repositories, download payloads, and upload victim telemetry including OS details, process lists, boot time, page titles, and possible keylogging data. Infrastructure and artifacts included accounts Dasi274 and luckmask, commit email [email protected], C2 servers 158.247.230.196:443, 216.244.74.115:80, and 165.154.78.9:443, plus attacker test IPs such as 158.247.253.215 and 139.99.36.158.