A coordinated cyber espionage campaign targeted South Korean diplomatic missions between March and July 2025 using at least 19 spear-phishing emails. The emails impersonated trusted diplomatic contacts and used meeting invites, official letters, and event invitations to lure embassy and foreign ministry staff. Rather than attaching malware directly, the messages linked to password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum, a delivery pattern that keeps the archive contents out of reach of mail-gateway scanning, and the implants relied on cloud storage and GitHub as covert command-and-control channels. The payload was a variant of the open-source Xeno RAT (MoonPeak), giving the attackers remote control of compromised systems. Messages were written in multiple languages and closely mimicked legitimate diplomatic correspondence.
"The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel," Trellix researchers Pham Duy Phuc and Alex Lanstein said.
"The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence," Trellix said. "Many emails included official signature, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings)."
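The lure pattern described above (a cloud-hosted, password-protected archive with the password supplied in the same message, sent under an official-sounding persona) and the use of GitHub as a tasking channel both leave traces that are cheap to triage. The script below is an added example written for this page, not Trellix's own detection logic or indicators: the cloud-storage hostnames, the GitHub endpoints, the process allowlist, the free-mail domains and both sample data sets are assumptions constructed for illustration, and the proxy-log format is invented for the example.

```python
"""Heuristic triage for the lure and C2 pattern described in the article.

Added example. Host lists, the process allowlist, the free-mail domains,
the proxy-log format and all sample data are assumptions constructed for
this illustration, not indicators taken from the Trellix report.
"""
import re
from dataclasses import dataclass

# Cloud-storage services named in the article; the concrete hostnames are assumed.
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "daum.net")
# GitHub endpoints an implant could poll for tasking (assumed for the example).
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com")
# Processes that legitimately reach GitHub on a workstation (assumed allowlist).
GITHUB_ALLOWED = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Free-mail domains an impersonated "official" sender would not normally use (assumed).
FREEMAIL = ("gmail.com", "outlook.com", "naver.com", "daum.net")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)\b", re.I)
# A password handed over in the same message defeats gateway scanning of the archive.
PASSWORD_RE = re.compile(r"\b(password|passcode|비밀번호)\b\s*(is|:|：)?\s*\S+", re.I)
OFFICIAL_RE = re.compile(r"\b(embassy|ministry|consulate|ambassador)\b", re.I)


@dataclass
class Email:
    sender: str
    display_name: str
    subject: str
    body: str


def email_indicators(mail: Email) -> list[str]:
    """Return the lure traits present in a message; an empty list means none."""
    hits = []
    cloud_links = [u for u in URL_RE.findall(mail.body)
                   if any(h in u.lower() for h in CLOUD_HOSTS)]
    if cloud_links:
        hits.append("cloud_storage_link")
    if ARCHIVE_RE.search(mail.body):
        hits.append("archive_attachment_referenced")
    if PASSWORD_RE.search(mail.body):
        hits.append("inline_archive_password")
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if OFFICIAL_RE.search(mail.display_name) and domain in FREEMAIL:
        hits.append("official_persona_on_freemail")
    return hits


def github_c2_candidates(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Flag (host, process, destination) where a process outside the allowlist
    reaches GitHub. Assumed line format: '<ts> <host> <process> <dest_host> <bytes>'."""
    found = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        _ts, host, proc, dest = parts[:4]
        if dest.lower().endswith(GITHUB_HOSTS) and proc.lower() not in GITHUB_ALLOWED:
            found.append((host, proc, dest))
    return found


# Constructed sample messages, not real correspondence.
SAMPLE_EMAILS = [
    Email("press.office@gmail.com", "Embassy Protocol Office",
          "Invitation: Regional Security Forum 2025",
          "Please find the official invitation here: "
          "https://www.dropbox.com/s/abc123/Invitation.zip\n"
          "The archive password is Forum2025."),
    Email("alice@partner-ministry.example", "Alice Kim",
          "Lunch next week?", "Are you free Tuesday? No attachments this time."),
]

# Constructed proxy log lines in the assumed format above.
SAMPLE_PROXY = [
    "2025-06-02T09:14:03Z WS-017 git.exe api.github.com 4120",
    "2025-06-02T09:14:09Z WS-023 updater.exe raw.githubusercontent.com 812",
    "2025-06-02T09:15:40Z WS-023 updater.exe raw.githubusercontent.com 790",
]


def triage() -> tuple[dict[str, list[str]], list[tuple[str, str, str]]]:
    """Run both heuristics over the sample data and return what was flagged."""
    flagged_mail = {m.subject: email_indicators(m)
                    for m in SAMPLE_EMAILS if email_indicators(m)}
    return flagged_mail, github_c2_candidates(SAMPLE_PROXY)


if __name__ == "__main__":
    mail, c2 = triage()
    for subject, traits in mail.items():
        print(f"[mail] {subject!r}: {', '.join(traits)}")
    for host, proc, dest in c2:
        print(f"[c2]   {host} {proc} -> {dest}")
```

Neither heuristic is a signature for this campaign; each trait alone is common in benign mail and in developer traffic. The value is in the combination: a cloud-storage link to an archive plus its password in the same message, from a persona that does not match the sending domain, is worth a human look, and repeated GitHub fetches from a non-developer process on a non-developer workstation are worth a host inspection.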