A new report from EnkiWhiteHat has unveiled a sophisticated cyber espionage operation that leverages GitHub private repositories, Dropbox links, and the open-source XenoRAT malware in a campaign targeting individuals with spearphishing lures designed to appear as legitimate legal and financial correspondence. The operation shows strong ties to Kimsuky, a DPRK-linked threat actor known for its cyber-espionage activities.
Attackers used PowerShell scripts embedded in email attachments to download decoy .rtf files from Dropbox. These files, disguised as legal notices or official documents, were obfuscated payloads. Simultaneously, GitHub was misused in an unusual way: the malware contained a hardcoded Personal Access Token (PAT) granting full access to private repositories where malware, logs, and stolen data were stored.
Two GitHub accounts—Dasi274 and luckmask—were used as command-and-control (C2) channels. These accounts hosted multiple private repositories with names like hole_311, hole_408, and star. These were no ordinary repositories: each contained malicious scripts, victim system logs, decoy PDFs, and most importantly, XenoRAT payloads.

“Each repository was linked to a spearphishing attack targeting specific individuals,” the report explains.
Decoy files mimicked correspondence from law firms and regulatory agencies to appear authentic, such as:
- Debt repayment notices
- Financial Supervisory Service letters
- Traffic accident confirmations
- Cryptocurrency wallet documents
The operation unfolded in stages:
- Initial Infection: PowerShell malware downloaded from Dropbox and disguised as documents. Upon execution, it established persistence through Windows Task Scheduler and uploaded victim logs to GitHub.
- Reconnaissance and Logging: The malware harvested system data—running processes, OS details, clipboard history, and keystrokes—and pushed them into GitHub repos under the /log and /boot folders.
- Remote Control: After verifying infection, the attacker replaced benign scripts with RAT loaders, pulling in a compressed version of XenoRAT hidden in .rtf files.
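The three stages above give a defender a small set of correlated signals: a script interpreter fetching from Dropbox, the same interpreter creating a scheduled task, and then talking to the GitHub API (a browser or git client doing so is normal; powershell.exe is not). The following detection logic is an added example, not code from the EnkiWhiteHat report; the telemetry records and the `ghp_` classic-token prefix check are constructed/assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (Sysmon-like, flattened to one dict per event).
# Field layout, hostnames and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe", "kind": "net", "dst": "dl.dropboxusercontent.com"},
    {"host": "ws01", "image": "powershell.exe", "kind": "proc",
     "cmd": 'schtasks.exe /create /sc minute /mo 10 /tn "OneDrive Sync" /tr powershell.exe'},
    {"host": "ws01", "image": "powershell.exe", "kind": "net", "dst": "api.github.com"},
    {"host": "ws02", "image": "chrome.exe", "kind": "net", "dst": "api.github.com"},
    {"host": "ws02", "image": "git.exe", "kind": "net", "dst": "api.github.com"},
]

# Script interpreters that rarely have a legitimate reason to call file- or code-hosting APIs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DROPBOX_DOMAINS = {"dl.dropboxusercontent.com", "www.dropbox.com", "dropbox.com"}
GITHUB_DOMAINS = {"api.github.com", "raw.githubusercontent.com", "github.com"}
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
# Classic GitHub personal access tokens start with "ghp_"; used when triaging attachment text.
GITHUB_PAT = re.compile(r"\bghp_[A-Za-z0-9]{20,}\b")

def stages_by_host(events):
    """Map each host to the set of campaign stages its telemetry matches."""
    stages = defaultdict(set)
    for ev in events:
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue  # non-script processes reaching GitHub/Dropbox are treated as benign here
        if ev["kind"] == "net" and ev["dst"].lower() in DROPBOX_DOMAINS:
            stages[ev["host"]].add("dropbox_stager")
        elif ev["kind"] == "net" and ev["dst"].lower() in GITHUB_DOMAINS:
            stages[ev["host"]].add("github_c2")
        elif ev["kind"] == "proc" and SCHTASKS_CREATE.search(ev.get("cmd", "")):
            stages[ev["host"]].add("schtasks_persistence")
    return stages

def alerts(events, min_stages=2):
    """Hosts where at least min_stages distinct stages were seen; single hits are left for hunting."""
    return {h: sorted(s) for h, s in stages_by_host(events).items() if len(s) >= min_stages}

def find_embedded_pats(text):
    """Return classic GitHub PATs embedded in script or attachment text (hardcoded-token triage)."""
    return GITHUB_PAT.findall(text)

if __name__ == "__main__":
    for host, seen in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(seen)}")
```

Tune `SCRIPT_HOSTS` and the domain sets to your environment; the point is correlating the stages per host rather than alerting on any single GitHub connection.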
The payloads showed significant obfuscation. Dynamic string decryption methods and embedded configuration values indicated a customized build. The mutex name and C&C details were consistent across variants:
- Mutex: Dansweit_Hk65
- C2 Addresses:
  - 165.154.78[.]9
  - 216.244.74[.]115
  - Others linked to phishing infrastructure
Using a shared GUID, researchers identified additional variants on VirusTotal, all using the same C2 server and encryption logic.
“The IP address 80.71.157[.]55 appears in nearly all repository log files… also used in the 2024 MoonPeak case.”
This IP, used in test uploads by the attacker, connects the operation to the MoonPeak campaign, previously attributed to UAT-5394, a subgroup of Kimsuky.
Moreover, one XenoRAT C&C address led to a Naver phishing site with suspicious Korean-language lures, further cementing the link.
“These correlations collectively indicate a strong connection between the attacker and the DPRK-nexus threat actor Kimsuky.”