Foreign embassies in South Korea XenoRAT spearphishing campaign
Campaign
Summary
An ongoing state-sponsored espionage campaign has launched at least 19 spearphishing attacks against foreign embassies in South Korea, raising the risk of credential theft and malware deployment. The operation uses multilingual diplomatic lures and password-protected archives to evade detection. Its delivery chain pushes XenoRAT and establishes persistence with scheduled tasks. Attribution remains mixed, with tradecraft resembling APT43/Kimsuky but also showing signs of a China-based actor.
Related Happenings
Konni APT KakaoTalk spear-phishing campaign targeting Android users in South Korea
Campaign
First: 11.11.2025 13:40
Last: 11.11.2025 13:40
Sources 1
About this happening:
A **Konni APT** operation is using **spear-phishing** and **KakaoTalk** to compromise **Android users in South Korea**, enabling device compromise and malware spread. The multi-st...
Noisy Bear Kazakhstan oil and gas phishing campaign
Campaign
First: 11.09.2025 15:00
Last: 11.09.2025 15:00
Sources 1
About this happening:
The **Noisy Bear** operation is conducting **phishing-based intrusion activity** against **Kazakhstan's oil and gas sector**, creating espionage risk for **KazMunayGas** and relat...
TAOTH Eastern Asia espionage campaign using hijacked Sogou Zhuyin updates
Campaign
First: 29.08.2025 16:12
Last: 29.08.2025 16:12
Sources 1
About this happening:
A **TAOTH** espionage campaign abused a hijacked **Sogou Zhuyin** update path and phishing pages to deliver malware and steal sensitive information from **Eastern Asia** targets....
Famous Chollima North Korean overseas IT-worker fraud campaign
Campaign
First: 28.08.2025 11:53
Last: 28.08.2025 11:53
Sources 1
About this happening:
The **North Korean overseas IT-worker fraud campaign** remains active, creating ongoing **data-theft** and **extortion risk** for **U.S. and international employers**. Operators u...
Latest development: 02.12.2025 17:02
Mauro Eldritch, BCA LTD, NorthScan, and ANY.RUN captured Famous Chollima operators from Lazarus Group live inside controlled sandbox environments that mimicked developer laptops. The operators used AI-driven job tools such as Simplify Copilot, AiApply, and Final Round AI, browser-based OTP.ee and Authenticator.cc for 2FA handling, Google Remote Desktop with a fixed PIN for persistent host control, and Astrill VPN routing while asking for ID, SSN, Gmail, LinkedIn, and banking details to support identity theft and workstation takeover.
Timeline
18.08.2025 22:38 · 1 article
Foreign embassies in South Korea XenoRAT spearphishing campaign
Initial Disclosure: The earliest phase began in **March 2025** with probing against a **Central European embassy**. The initial emails were simpler; later lures became more tailored and diplomatic.
Sources
- XenoRAT malware campaign hits multiple embassies in South Korea — www.bleepingcomputer.com — 18.08.2025 22:38