CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

XenoRAT malware campaign targets embassies in South Korea

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

A state-sponsored espionage campaign, attributed to North Korean threat actors, has been targeting foreign embassies and defense-related institutions in South Korea since March 2025 to deploy XenoRAT malware. The campaign, which has launched at least 19 spearphishing attacks, uses highly contextual and multilingual lures to deliver malicious payloads via GitHub and cloud storage services. The latest attack involved deepfakes of South Korean military identification documents, targeting journalists, researchers, and human-rights activists with themes related to sensitive topics. The campaign's infrastructure and techniques match those of North Korean actor Kimsuky (APT43), but some indicators suggest possible Chinese involvement. The malware, XenoRAT, is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, performing file transfers, and facilitating remote shell operations. It is loaded directly into memory and obfuscated to maintain a stealthy presence on infected systems.

Timeline

  1. 17.09.2025 03:00 1 articles · 12d ago

    Kimsuky uses AI-generated deepfakes to target defense-related institution

    The North Korea-linked Kimsuky cyberthreat group used ChatGPT and other AI services to create deepfakes of South Korean military identification documents. These deepfakes were used to target a defense-related institution, focusing on sensitive topics related to North Korea research, national defense, and political or social issues. The attack relied heavily on social engineering, requiring the victim to click on a link, download a zip file, and open an LNK file to compromise their system.

    Show sources
    Open in new tab
  2. 18.08.2025 22:38 4 articles · 1mo ago

    XenoRAT malware campaign targets embassies in South Korea

    The latest attack involved deepfakes of South Korean military identification documents, targeting journalists, researchers, and human-rights activists with themes related to sensitive topics. The attackers used AI-generated images to enhance the deception, making the recipients more likely to engage with the malicious content.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

APT41 targets U.S. trade officials with phishing campaigns amid negotiations

APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.

Open in new tab

Kazakhstan Energy Sector Phishing Test Mistaken for Noisy Bear Campaign

A phishing campaign targeting KazMunayGas employees was initially attributed to the Noisy Bear threat actor. The activity, codenamed Operation BarrelFire, involved phishing emails with malicious attachments designed to deliver a reverse shell. However, KazMunayGas clarified that the campaign was a planned phishing test conducted in May 2025. The campaign utilized a compromised email address from KazMunayGas's finance department to send phishing emails containing a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file. The payloads included a batch script and a PowerShell loader named DOWNSHELL, culminating in the deployment of a DLL-based implant. The infrastructure was hosted on the Russia-based bulletproof hosting service Aeza Group, which was sanctioned by the U.S. in July 2025. The campaign was initially linked to a new threat group tracked by Seqrite Labs as Noisy Bear, active since at least April 2025. Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks. The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.

Open in new tab

SVG Files Used in Phishing Attacks Impersonating Colombian Judicial System

A malware campaign uses SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system. The SVG files are distributed via email and execute a JavaScript payload to inject a phishing page. The campaign has been active since mid-August 2025, with 523 undetected SVG files identified by VirusTotal. The phishing pages simulate a document download process while downloading a ZIP archive in the background. The ZIP file contains a legitimate executable, a malicious DLL, and two encrypted files. The malicious DLL is sideloaded to install further malware on the system. The campaign highlights the evolving tactics of attackers, who use obfuscation and polymorphism to evade detection. The phishing pages target users by impersonating official government portals, increasing the likelihood of successful attacks. The disclosure coincides with reports of macOS systems being targeted by the Atomic macOS Stealer (AMOS), which steals a wide range of sensitive data. Attackers use cracked software and ClickFix-style tactics to infect macOS devices, exposing businesses to credential stuffing and financial theft.

Open in new tab

GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.

Open in new tab

Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

The Lazarus Group, a North Korea-linked threat actor, executed a social engineering campaign targeting a decentralized finance (DeFi) organization. The attack, observed in 2024, involved deploying three different cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. The campaign began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs. The attack chain started with the deployment of a loader called PerfhLoader, which dropped PondRAT. This malware, a stripped-down variant of POOLRAT, was used in combination with ThemeForestRAT for approximately three months before switching to the more sophisticated RemotePE. The impact of the attack includes the compromise of employee systems and potential data exfiltration. The use of multiple RATs indicates a sophisticated and multi-stage attack strategy aimed at high-value targets.

Open in new tab