A state-sponsored espionage campaign is targeting foreign embassies in South Korea to deploy XenoRAT malware from malicious GitHub repositories.
According to Trellix researchers, the campaign has been running since March and is ongoing, having launched at least 19 spearphishing attacks against high-value targets.
Although the infrastructure and techniques match the playbook of the North Korean actor Kimsuky (APT43), there are signs that better match China-based operatives, the researchers say.
Multi-stage campaign
The attacks unfolded in three phases, each with distinct email lures between early March and July.
Initial probing started in March, with the earliest email discovered targeting a Central European embassy. In May, the threat actor switched to diplomatic targeting with more complex lures.
“On May 13, 2025, an email to a Western European embassy pretended to be from a high-ranking EU delegation official about a ‘Political Advisory Meeting at the EU Delegation on May 14,'” the Trellix researchers say.
Between June and July, the adversary moved to themes related to the U.S.-Korea military alliance.