XenoRAT malware campaign targets South Korean embassies
Summary
A state-sponsored espionage campaign has targeted foreign embassies in South Korea with XenoRAT malware since March 2025. The attacks, involving at least 19 spearphishing attempts, use sophisticated techniques and contextual lures to deploy malware from GitHub and cloud storage services. The campaign's attribution remains uncertain, with indicators pointing to both North Korean and Chinese actors. The attackers leveraged GitHub as a covert command-and-control channel, and the campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that employ GitHub as a stager for a Xeno RAT known as MoonPeak. Despite the infrastructure and tactical overlaps, there are indications that the phishing attacks match China-based operatives.
The malware, XenoRAT, is a powerful trojan capable of extensive surveillance and remote control. It is delivered through password-protected archives containing .LNK files, which execute obfuscated PowerShell scripts to download and execute the payload. The campaign's lures are highly contextual, multilingual, and timed to match real events, targeting European embassies with fake meeting invites and official letters. The attackers used GitHub repositories for command-and-control (C2) purposes, blending their espionage with normal network traffic. The attackers modified the text file containing the payload download instructions multiple times per hour, making the malware lifecycle harder to detect. The campaign's activity aligned with a Chinese work schedule, suggesting possible collaboration or masking as a Chinese operation. The attackers likely operated from or through China, benefiting from reliable hosting and weak enforcement.
The North Korea-linked Kimsuky cyberthreat group has started using ChatGPT and other AI services to create images for fake identities to enhance social engineering attacks. The latest attack used deepfakes of South Korean military identification documents to target journalists, researchers, and human-rights activists. The attack targeted a defense-related institution and requested the targeted individuals review a draft of the identity documents. The social engineering attack is designed to make the recipient perceive the email content as personally or professionally relevant. The military IDs lend credibility to the phishing lure and are tailored to the target. The scheme relies heavily on social engineering, requiring the victim to click on a link, download a zip file, and open an LNK file to compromise their system. The attack included documents on economic issues in North Korea and a government investigations report on last year's crisis in South Korea. The threat researchers connected Kimsuky to the attacks through correlating specific threat indicators, including IP addresses and specific malware.
Timeline
-
17.09.2025 03:00 · 1 article
Kimsuky uses AI-generated deepfakes of South Korean military IDs
The North Korea-linked Kimsuky cyberthreat group has started using ChatGPT and other AI services to create images for fake identities to enhance social engineering attacks. The latest attack used deepfakes of South Korean military identification documents to target journalists, researchers, and human-rights activists. The attack targeted a defense-related institution and requested the targeted individuals review a draft of the identity documents. The social engineering attack is designed to make the recipient perceive the email content as personally or professionally relevant. The military IDs lend credibility to the phishing lure and are tailored to the target. The scheme relies heavily on social engineering, requiring the victim to click on a link, download a zip file, and open an LNK file to compromise their system. The attack included documents on economic issues in North Korea and a government investigations report on last year's crisis in South Korea. The threat researchers connected Kimsuky to the attacks through correlating specific threat indicators, including IP addresses and specific malware.
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
18.08.2025 22:38 · 4 articles
XenoRAT malware campaign targets South Korean embassies since March 2025
The attackers used GitHub repositories for command-and-control (C2) purposes, blending their espionage with normal network traffic. The attackers modified the text file containing the payload download instructions multiple times per hour, making the malware lifecycle harder to detect. The campaign's activity aligned with a Chinese work schedule, suggesting possible collaboration or masking as a Chinese operation. The attackers likely operated from or through China, benefiting from reliable hosting and weak enforcement. The North Korea-linked Kimsuky cyberthreat group has started using ChatGPT and other AI services to create images for fake identities to enhance social engineering attacks. The latest attack used deepfakes of South Korean military identification documents to target journalists, researchers, and human-rights activists. The attack targeted a defense-related institution and requested the targeted individuals review a draft of the identity documents. The social engineering attack is designed to make the recipient perceive the email content as personally or professionally relevant. The military IDs lend credibility to the phishing lure and are tailored to the target. The scheme relies heavily on social engineering, requiring the victim to click on a link, download a zip file, and open an LNK file to compromise their system. The attack included documents on economic issues in North Korea and a government investigations report on last year's crisis in South Korea. The threat researchers connected Kimsuky to the attacks through correlating specific threat indicators, including IP addresses and specific malware.
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
Information Snippets
-
The campaign has been active since March 2025, with at least 19 spearphishing attacks against high-value targets.
First reported: 18.08.2025 22:38 · 3 sources, 4 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The malware used in the campaign is XenoRAT, a powerful trojan capable of keystroke logging, screenshot capture, webcam and microphone access, file transfers, and remote shell operations.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The attacks involve multi-stage phishing lures, including fake meeting invites, official letters, and event invitations, sent from impersonated diplomats.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The lures are highly contextual, multilingual, and timed to match real events, targeting European embassies in Seoul.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The malware is delivered through password-protected archives (.ZIP) from Dropbox, Google Drive, or Daum storage services, containing a .LNK file disguised as a PDF.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The .LNK file triggers obfuscated PowerShell code that retrieves the XenoRAT payload from GitHub or Dropbox, securing its persistence with scheduled tasks.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
XenoRAT is loaded directly in memory via reflection and obfuscated with Confuser Core 1.6.0, maintaining a stealthy presence on breached systems.
First reported: 18.08.2025 22:38 · 1 source, 1 article
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
-
The campaign's infrastructure and techniques match the playbook of North Korean actor Kimsuky (APT43), but timezone analysis and holiday pauses suggest a China-based actor.
First reported: 18.08.2025 22:38 · 3 sources, 3 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The campaign is attributed to APT43 with medium confidence, with possible Chinese sponsorship or involvement.
First reported: 18.08.2025 22:38 · 2 sources, 2 articles
Sources:
- XenoRAT malware campaign hits multiple embassies in South Korea - www.bleepingcomputer.com - 18.08.2025 22:38
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
-
The attackers leveraged GitHub as a covert command-and-control channel.
First reported: 20.08.2025 12:18 · 2 sources, 2 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that employ GitHub as a stager for a Xeno RAT known as MoonPeak.
First reported: 20.08.2025 12:18 · 2 sources, 3 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The email messages are carefully crafted to appear legitimate, often spoofing real diplomats or officials so as to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum.
First reported: 20.08.2025 12:18 · 2 sources, 2 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The messages are written in Korean, English, Persian, Arabic, French, and Russian.
First reported: 20.08.2025 12:18 · 2 sources, 2 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic.
First reported: 20.08.2025 12:18 · 2 sources, 3 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The attackers practiced 'rapid' infrastructure rotation: log data suggests that the ofx.txt payload was updated multiple times in an hour to deploy malware and to remove traces after use.
First reported: 20.08.2025 12:18 · 2 sources, 2 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The use of Korean services and infrastructure was likely intentional to blend into the South Korean network.
First reported: 20.08.2025 12:18 · 1 source, 1 article
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
-
The campaign, mirroring Chinese operational cadence while operating with motives that align with North Korea, is likely the result of North Korean operatives working from Chinese territory, a Chinese APT operation mimicking Kimsuky techniques, or a collaborative effort leveraging Chinese resources for North Korean intelligence gathering efforts.
First reported: 20.08.2025 12:18 · 2 sources, 2 articles
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms - thehackernews.com - 20.08.2025 12:18
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The campaign's lures included 54 different PDF documents in multiple languages, mimicking official government letters, diplomatic notes, and invitations to diplomatic events.
First reported: 21.08.2025 04:00 · 1 source, 1 article
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The attackers used GitHub repositories for command-and-control (C2) purposes, blending their espionage with normal network traffic.
First reported: 21.08.2025 04:00 · 1 source, 1 article
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The attackers modified the text file containing the payload download instructions multiple times per hour, making the malware lifecycle harder to detect.
First reported: 21.08.2025 04:00 · 1 source, 1 article
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The campaign's activity aligned with a Chinese work schedule, suggesting possible collaboration or masking as a Chinese operation.
First reported: 21.08.2025 04:00 · 1 source, 1 article
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The attackers likely operated from or through China, benefiting from reliable hosting and weak enforcement.
First reported: 21.08.2025 04:00 · 1 source, 1 article
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks - www.darkreading.com - 21.08.2025 04:00
-
The North Korea-linked Kimsuky cyberthreat group has started using ChatGPT and other AI services to create images for fake identities to enhance social engineering attacks.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The latest attack used deepfakes of South Korean military identification documents to target journalists, researchers, and human-rights activists.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The attack targeted a defense-related institution and requested the targeted individuals review a draft of the identity documents.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The social engineering attack is designed to make the recipient perceive the email content as personally or professionally relevant.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The military IDs lend credibility to the phishing lure and are tailored to the target.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The scheme relies heavily on social engineering, requiring the victim to click on a link, download a zip file, and open an LNK file to compromise their system.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The attack included documents on economic issues in North Korea and a government investigations report on last year's crisis in South Korea.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
-
The threat researchers connected Kimsuky to the attacks through correlating specific threat indicators, including IP addresses and specific malware.
First reported: 17.09.2025 03:00 · 1 source, 1 article
Sources:
- North Korean Group Targets South With Military ID Deepfakes - www.darkreading.com - 17.09.2025 03:00
Similar Happenings
RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted
Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. 
The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
Lies-in-the-Loop Attack Exploits AI Coding Agents
A new attack vector, dubbed 'lies-in-the-loop' (LITL), targets AI coding agents by manipulating them to execute dangerous commands. The attack exploits the trust between human users and AI agents, convincing users to approve harmful actions. Researchers from Checkmarx Zero demonstrated the attack on Anthropic's Claude Code, showing how it can be used to execute arbitrary commands and potentially compromise the software supply chain. The LITL attack leverages prompt injection to trick AI agents into providing fake, seemingly safe contexts. This manipulation can lead users to unknowingly approve harmful actions, highlighting the risks associated with AI-assisted coding tools. The attack was successfully tested on developers, demonstrating its effectiveness in real-world scenarios.