A newly uncovered cyber-espionage campaign has been targeting foreign embassies in South Korea with the XenoRAT malware, delivered through malicious GitHub repositories. Trellix researchers report the operation began in March 2025 and has since conducted at least 19 spearphishing attempts using multilingual and event-themed lures. The attacks progressed in three stages, starting with basic probes in March, then more sophisticated diplomatic lures in May, and finally U.S.–Korea alliance themes in June and July.
Victims typically received password-protected ZIP files from Dropbox or Google Drive, containing disguised .LNK files that launched PowerShell scripts to install XenoRAT. Once deployed, the trojan can capture keystrokes, screenshots, webcam and audio feeds, transfer files, and provide remote shell access, all while staying hidden through in-memory execution and obfuscation. While the techniques align with North Korea’s APT43 group, evidence such as activity patterns and holiday gaps suggests possible involvement from China-based operators. Trellix attributes the campaign to APT43 with moderate confidence, leaving open the possibility of Chinese collaboration or sponsorship.
