The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

2025-08-18 Trellix

https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/

Trellix attributes an active early-2025 espionage campaign against embassies and foreign ministries in Seoul to DPRK-linked actors, with infrastructure overlaps to known Kimsuky operations. The attackers sent at least 19 spear-phishing emails impersonating diplomats and officials, using password-protected ZIP archives that contained LNK shortcuts disguised as PDF documents. Opening the shortcut launched obfuscated PowerShell, which performed host reconnaissance, abused GitHub APIs for exfiltration and C2 coordination, and retrieved payloads from cloud storage such as Dropbox and Daum. The final payload was a Confuser-obfuscated XenoRAT variant associated with MoonPeak patterns, giving operators remote access, keylogging, screenshots, file transfer, and shell capability. The campaign matters because it shows diplomatic espionage blending trusted cloud and developer platforms with rapidly rotated payload infrastructure to evade network defenses.

Indicators of Compromise

