Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure
June 27, 2025, 8:14 a.m.
Description
A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack leveraged GitHub Personal Access Tokens to access private repositories and distribute XenoRAT malware. The campaign also employed Dropbox for malware distribution. The attackers used tailored decoy documents and impersonated legitimate entities to increase the effectiveness of their phishing attempts. Analysis of the infrastructure and malware samples revealed connections to previous Kimsuky operations, including shared test IP addresses and similar malware build environments.
Tags
Date
- Created: June 26, 2025, 9:22 p.m.
- Published: June 26, 2025, 9:22 p.m.
- Modified: June 27, 2025, 8:14 a.m.
Indicators
Additional Information
- Legal
- Government