The Trellix Advanced Research Center has uncovered a wide-reaching espionage operation targeting diplomatic missions in South Korea, shedding light on how state-linked actors continue to exploit trusted platforms and social engineering to infiltrate sensitive networks.
Between March and July 2025, DPRK-linked threat actors carried out at least 19 spear-phishing attacks against embassies worldwide, using carefully crafted lures that impersonated trusted diplomatic contacts. According to Trellix, “the attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel” while deploying malware through common cloud storage providers like Dropbox and Daum.
The operation relied on multi-stage attacks, starting with spear-phishing emails disguised as meeting invitations, official letters, and event announcements. Trellix researchers noted one lure impersonated a First Secretary of an EU delegation, while another invited recipients to a U.S. Independence Day event. Inside the attachments, victims found ZIP archives containing shortcut files disguised as PDFs.

Once opened, the malicious .LNK files executed PowerShell scripts, which retrieved payloads from attacker-controlled GitHub repositories and Dropbox. Trellix highlighted that “the final payload was a variant of XenoRAT obfuscated using Confuser Core 1.6.0, consistent with the ‘MoonPeak’ malware family attributed to North Korean actors.” This RAT enabled attackers to log keystrokes, capture screenshots, access webcams and microphones, and exfiltrate sensitive diplomatic communications.
One of the campaign’s strengths was its timely and contextually relevant lures. The phishing content often coincided with real-world events such as summits and diplomatic forums, increasing credibility. Trellix observed that “attackers crafted and deployed at least 54 unique PDF lure documents spanning more than a dozen different themes and languages, including Korean, English, Persian, Arabic, French, and Russian.”
Examples included fabricated invitations to the “Inter-Parliamentary Speakers’ Conference” in Seoul, official embassy correspondence formatted as a note verbale, and even a hospital health check-up form impersonating a Seoul university hospital.
A hallmark of this campaign was its abuse of legitimate platforms for C2 and data theft. Stolen files were exfiltrated using the GitHub API, disguised as normal HTTPS traffic. Trellix explained: “The stolen data is formatted with timestamps and IP addresses in filenames… then base64-encoded and uploaded via PUT requests to the GitHub Contents API.”
This method, combined with rapid infrastructure rotation, allowed the espionage campaign to remain stealthy and resilient against takedowns.
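As an added illustration (not code from the Trellix report), the following detector applies the upload pattern quoted above to constructed proxy log lines: it flags PUT requests to the GitHub Contents API whose target filename carries both a timestamp and an IPv4 address. The log format, the exact timestamp layout and all sample values are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic), one request per line:
# "<client_ip> <method> <host> <path> <bytes_sent>"
SAMPLE_LOG = """\
10.0.5.21 GET api.github.com /repos/example-org/tooling/contents/README.md 412
10.0.5.21 PUT api.github.com /repos/acme-dev/x7q2/contents/2025-06-12_14-03-55_203.0.113.45.txt 18231
10.0.5.33 PUT api.github.com /repos/acme-dev/docs/contents/docs/index.md 2210
10.0.5.21 PUT api.github.com /repos/acme-dev/x7q2/contents/20250613-091204-203.0.113.45.log 91004
10.0.5.40 GET www.dropbox.com /s/abc123/invite.pdf 0
"""

# GitHub Contents API path: /repos/{owner}/{repo}/contents/{path}
CONTENTS_API = re.compile(r"^/repos/[^/]+/[^/]+/contents/(?P<path>.+)$")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Assumed timestamp layout: date then time, separators optional (heuristic)
TIMESTAMP = re.compile(r"\d{4}[-_]?\d{2}[-_]?\d{2}[-_T]\d{2}[-_:]?\d{2}[-_:]?\d{2}")

@dataclass
class Alert:
    client: str      # internal host that made the upload
    repo: str        # owner/repo receiving the file
    filename: str    # last path segment of the uploaded object
    bytes_sent: int  # request body size, useful for volume triage

def parse_line(line):
    """Split one log line into its five fields; bytes_sent becomes int."""
    client, method, host, path, sent = line.split()
    return client, method, host, path, int(sent)

def detect_github_contents_exfil(log_text):
    """Return Alert objects for PUTs to the GitHub Contents API whose target
    filename contains both a timestamp and an IPv4 address, the naming
    pattern the report attributes to the stolen-data uploads."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, host, path, sent = parse_line(line)
        if method != "PUT" or host != "api.github.com":
            continue
        m = CONTENTS_API.match(path)
        if not m:
            continue
        filename = m.group("path").rsplit("/", 1)[-1]
        if TIMESTAMP.search(filename) and IPV4.search(filename):
            owner_repo = "/".join(path.split("/")[2:4])
            alerts.append(Alert(client, owner_repo, filename, sent))
    return alerts

if __name__ == "__main__":
    for a in detect_github_contents_exfil(SAMPLE_LOG):
        print(f"{a.client} -> {a.repo}: {a.filename} ({a.bytes_sent} bytes)")
```

Two of the five constructed lines trigger an alert; the ordinary PUT to docs/index.md and the GET requests do not, which is the point of keying on the filename pattern rather than on GitHub API use alone.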
Attribution remains a nuanced puzzle. Technical evidence strongly links the activity to Kimsuky (APT43), a well-documented North Korean espionage group. However, Trellix’s time-based analysis revealed operational rhythms aligning with Chinese work schedules and national holidays.
The researchers noted, “during the Qingming Festival (April 4–6, 2025)… there was a perfect 3-day pause in commits and phishing activity,” while Korean holidays showed no consistent correlation. This has led to theories ranging from North Korean operatives working out of China to possible collaborative operations.
Trellix concludes that this is “a North Korean espionage campaign in motive, targeting, and toolkit, but one that interestingly mirrors Chinese operational cadence.”