A state-sponsored espionage campaign is targeting foreign embassies in South Korea to deploy XenoRAT malware from malicious GitHub repositories.

According to Trellix researchers, the campaign has been running since March and is ongoing, having launched at least 19 spearphishing attacks against high-value targets.

Although infrastructure and techniques match the playbook of North Korean actor Kimsuky (APT43), there are signs that better match China-based operatives, the researchers say.

Multi-stage campaign

The attacks unfolded in three phases, each with distinct email lures between early March and July.

Initial probing started in March, with the earliest email discovered targeting a Central European embassy. In May, the threat actor switched to diplomatic targeting with more compl
