Kimsuky-like embassy spear-phishing campaign in Seoul
Campaign
Summary
An espionage campaign active since March is targeting European embassies in Seoul, using highly personalized spear-phishing to raise the odds of compromise and follow-on malware delivery. The operation relies on password-protected ZIP lures, impersonated officials, and event-based pretexts to entice recipients. Successful clicks would expose systems to PowerShell staging, GitHub-based C2, and an obfuscated XenoRAT payload.
Related Happenings
PurpleBravo Contagious Interview campaign
Campaign
First: 21.01.2026 19:17
Last: 21.01.2026 19:17
Sources 1
About this happening:
The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.
Kimsuky HttpTroy spear-phishing campaign targeting South Korea
Campaign
First: 03.11.2025 12:42
Last: 03.11.2025 12:42
Sources 1
About this happening:
A **Kimsuky** spear-phishing operation delivered **HttpTroy** to **a single victim in South Korea**, giving the attackers a multi-stage path to remote control and persistence. The...
GitHub notification phishing campaign impersonating Y Combinator W2026
Campaign
First: 24.09.2025 15:37
Last: 24.09.2025 15:37
Sources 1
About this happening:
The **GitHub notification** abuse became a **phishing campaign** that pushed fake **Y Combinator W2026** invitations to developers, creating a live risk of **wallet theft** across...
ComicForm phishing campaign targeting organizations in Belarus, Kazakhstan, and Russia
Campaign
First: 22.09.2025 18:40
Last: 22.09.2025 18:40
Sources 1
About this happening:
**ComicForm** is running an active phishing campaign against organizations in **Belarus, Kazakhstan, and Russia**, creating ongoing risk of **credential theft** and **Formbook** d...
Contagious Interview ClickFix BeaverTail campaign targeting crypto and retail roles
Campaign
First: 21.09.2025 13:56
Last: 21.09.2025 13:56
Sources 1
About this happening:
**North Korean operatives** expanded **Contagious Interview** with **ClickFix** lures and a **fake hiring platform** to deliver **BeaverTail** and **InvisibleFerret**, shifting th...
Timeline
- 21.08.2025 04:00 · 1 article · 9mo ago
First observed phishing email to a Central European embassy in Seoul
Initial Disclosure: A nondescript email from "Kim Taesung" titled "Gas Facility Safety Inspection Service" reached a Central European embassy in Seoul with a password-protected zip attachment, marking an early observed attempt against a diplomatic target in South Korea's capital city.
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks — www.darkreading.com — 21.08.2025 04:00
- 21.08.2025 04:00 · 1 article · 9mo ago
Tailored May 13 spear-phishing lure to a Western European embassy
Campaign Scope Update: On May 13, attackers impersonated a high-ranking European delegation in communications with a Western European embassy, referenced an "advisory meeting" the next day, and used a password aligned with that date, showing a more personalized spear-phishing pattern against diplomatic targets in Seoul.
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks — www.darkreading.com — 21.08.2025 04:00
- 21.08.2025 04:00 · 1 article · 9mo ago
Trellix assesses Kimsuky-like and China-linked operations
Attribution Update: Trellix assessed that the campaign against European embassies in Seoul resembled Kimsuky tradecraft, used attacker-controlled GitHub repositories for C2, and delivered an obfuscated XenoRAT payload; the researchers also found that nearly two-thirds of operator activity matched a Chinese work schedule, leaving open China-based, China-masked, or China-assisted handling.
Sources:
- DPRK, China Suspected in South Korean Embassy Attacks — www.darkreading.com — 21.08.2025 04:00