Xenorat Malware Campaign Targets Several Embassies in South Korea

Keerthana S August 19, 2025 | 03:22 PM Technology

A state-backed espionage operation has been targeting foreign embassies in South Korea, deploying XenoRAT malware through malicious GitHub repositories, according to new research from Trellix.

The campaign, active since March and still ongoing, has carried out at least 19 spear-phishing attacks on high-value diplomatic targets. While some tactics and infrastructure resemble the methods of North Korean group Kimsuky (APT43), investigators also found strong indicators pointing to China-based operators.

Figure 1. Xenorat Malware.

Multi-Stage Attacks

The operation unfolded in three phases:

  • March: Early probing emails, including one aimed at a Central European embassy.
  • May: Shift to sophisticated diplomatic lures, such as a fake EU advisory meeting invite sent to a Western European embassy.
  • June–July: Themes focused on the U.S.–Korea military alliance, with realistic invitations and official-looking correspondence.

The phishing emails—crafted in Korean, English, Persian, Arabic, French, and Russian—were highly contextual and timed to coincide with real-world events [1]. Victims received password-protected ZIP archives hosted on Dropbox, Google Drive, or Daum. Inside, a disguised .LNK file triggered obfuscated PowerShell commands that downloaded the XenoRAT payload from GitHub or Dropbox and established persistence through scheduled tasks. Figure 1 shows the XenoRAT malware.
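The chain described above (a double-clicked .LNK launching hidden, encoded PowerShell that pulls a payload from a public cloud host and then registers a scheduled task) is visible in ordinary process-creation telemetry. The script below is an added illustration, not code from the article or from Trellix: it runs a few simple correlation rules over constructed sample events (simplified JSON records, not real Sysmon or EDR output). The encoded command in the sample wraps a placeholder URL, the host names and process paths are assumptions, and the two-reason threshold is a tuning choice.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Set

# Hosts the article names for archive and payload staging. On their own they are
# a weak signal; combined with a hidden, encoded launch from explorer.exe they are not.
CLOUD_HOSTS = ("github.com", "githubusercontent.com", "dropbox.com",
               "drive.google.com", "daum.net")

# Constructed sample events, one JSON object per line. The encoded command is
# built from a placeholder URL (assumption), not the campaign's real stager.
SAMPLE_DECODED = "$url = 'https://raw.githubusercontent.com/placeholder-org/placeholder-repo/main/stage2.txt'"
SAMPLE_ENC = base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "UpdateCheck" /tr "C:\\Users\\u\\AppData\\Roaming\\upd.exe" /sc minute /mo 30'},
    # Benign admin activity that must not be flagged.
    {"pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"pid": 2100, "ppid": 1900, "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks.exe /query"},
])

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -enc takes base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_log(text: str) -> Dict[int, Dict]:
    """Index process-creation records by pid (one JSON object per line)."""
    events: Dict[int, Dict] = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def powershell_reasons(ev: Dict, events: Dict[int, Dict]) -> List[str]:
    """Collect the indicators of the LNK -> hidden encoded PowerShell -> cloud download pattern."""
    reasons: List[str] = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return reasons
    parent = events.get(ev["ppid"])
    if parent and parent["image"].lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe (consistent with a double-clicked .LNK)")
    if HIDDEN_RE.search(ev["cmd"]):
        reasons.append("hidden window")
    decoded = decode_encoded_command(ev["cmd"])
    if decoded is not None:
        reasons.append("encoded command")
        if any(host in decoded.lower() for host in CLOUD_HOSTS):
            reasons.append("decoded command references a public cloud host")
    return reasons


def descends_from(ev: Dict, events: Dict[int, Dict], flagged: Set[int], max_depth: int = 8) -> bool:
    """Walk the parent chain and report whether any ancestor pid was flagged."""
    pid = ev["ppid"]
    for _ in range(max_depth):
        if pid in flagged:
            return True
        parent = events.get(pid)
        if parent is None:
            return False
        pid = parent["ppid"]
    return False


def analyse(text: str) -> List[Dict]:
    """Return findings: suspicious PowerShell launches, then scheduled tasks created beneath them."""
    events = parse_log(text)
    findings: List[Dict] = []
    flagged: Set[int] = set()
    for ev in events.values():
        reasons = powershell_reasons(ev, events)
        if len(reasons) >= 2:  # threshold is a tuning choice
            flagged.add(ev["pid"])
            findings.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    for ev in events.values():
        if (ev["image"].lower().endswith("schtasks.exe") and "/create" in ev["cmd"].lower()
                and descends_from(ev, events, flagged)):
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "reasons": ["scheduled task created under flagged PowerShell"]})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["pid"], f["image"], "|", "; ".join(f["reasons"]))
```

Correlating the scheduled-task creation with its PowerShell ancestor, rather than alerting on `schtasks /create` alone, is what keeps the benign `/query` and the IT inventory script out of the findings; in a real pipeline the same walk would be done over Sysmon Event ID 1 or EDR process trees.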

Capabilities of XenoRAT

XenoRAT is a full-featured remote access trojan capable of:

  • Logging keystrokes
  • Capturing screenshots
  • Accessing webcams and microphones
  • Executing file transfers
  • Opening remote shells

It runs directly in memory using reflection and is obfuscated with Confuser Core 1.6.0, making it harder to detect.

Attribution Clues

Trellix noted overlaps with Kimsuky campaigns, such as the use of Korean email services, GitHub-based command-and-control, and unique identifiers consistent with past malware. Some IP addresses and domains also matched those tied to earlier North Korean operations.

However, timezone analysis and activity patterns align more closely with China-based actors, particularly since operational pauses coincided with Chinese national holidays, not Korean ones.
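Timezone analysis of this kind has a known weakness for the Korea-versus-China question: both sit within an hour of each other (UTC+9 and UTC+8), so an hour-of-day histogram looks similar under either assumption, and it is the holiday pauses that separate the two. The script below is an added illustration of that reasoning, not Trellix's method or data: it bins constructed UTC activity timestamps into local dates, finds weekdays with no activity, and scores how well each candidate holiday calendar explains those gaps. Both holiday sets are illustrative sample values, not authoritative calendars.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: UTC timestamps of observed campaign activity (for instance
# first-seen times of phishing mails). One event per weekday at 02:00 UTC,
# deliberately with no activity on 2025-06-02.
ACTIVITY_UTC: List[datetime] = [
    datetime(2025, m, d, 2, 0, tzinfo=timezone.utc)
    for (m, d) in [(5, 26), (5, 27), (5, 28), (5, 29), (5, 30),
                   (6, 3), (6, 4), (6, 5), (6, 6),
                   (6, 9), (6, 10), (6, 11), (6, 12), (6, 13)]
]

# Illustrative holiday sets for the same window (sample values for the demo;
# an analyst would load official calendars instead).
SAMPLE_CALENDARS: Dict[str, Set[date]] = {
    "CN (sample)": {date(2025, 5, 31), date(2025, 6, 1), date(2025, 6, 2)},
    "KR (sample)": {date(2025, 6, 3), date(2025, 6, 6)},
}


def local_dates(ts: Iterable[datetime], utc_offset_hours: int) -> Set[date]:
    """Dates on which activity occurred, in the candidate operator timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return {t.astimezone(tz).date() for t in ts}


def working_hours_fraction(ts: List[datetime], utc_offset_hours: int,
                           start: int = 9, end: int = 18) -> float:
    """Fraction of events falling in local working hours under a candidate offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = [t.astimezone(tz).hour for t in ts]
    return sum(start <= h < end for h in hours) / len(hours)


def quiet_weekdays(active: Set[date], first: date, last: date) -> Set[date]:
    """Weekdays in [first, last] with no observed activity: the candidate 'pauses'."""
    days = (first + timedelta(n) for n in range((last - first).days + 1))
    return {d for d in days if d.weekday() < 5 and d not in active}


def holiday_fit(active: Set[date], holidays: Set[date],
                first: date, last: date) -> Tuple[float, float]:
    """(fraction of weekday holidays that were quiet, fraction of quiet weekdays that were holidays)."""
    quiet = quiet_weekdays(active, first, last)
    weekday_holidays = {h for h in holidays if first <= h <= last and h.weekday() < 5}
    respected = len(weekday_holidays & quiet) / len(weekday_holidays) if weekday_holidays else 0.0
    explained = len(quiet & holidays) / len(quiet) if quiet else 0.0
    return respected, explained


def quiet_day_isoformats(ts: List[datetime], utc_offset_hours: int) -> List[str]:
    """Quiet weekdays across the observed window, as sorted ISO date strings."""
    active = local_dates(ts, utc_offset_hours)
    return sorted(d.isoformat() for d in quiet_weekdays(active, min(active), max(active)))


def rank_calendars(ts: List[datetime], utc_offset_hours: int,
                   calendars: Dict[str, Set[date]]) -> List[Tuple[str, float]]:
    """Score each calendar by how well it explains the pauses; higher is a better fit."""
    active = local_dates(ts, utc_offset_hours)
    first, last = min(active), max(active)
    scored = []
    for name, holidays in calendars.items():
        respected, explained = holiday_fit(active, holidays, first, last)
        scored.append((name, (respected + explained) / 2))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for offset in (8, 9):
        print(f"UTC+{offset}: working-hours fraction {working_hours_fraction(ACTIVITY_UTC, offset):.2f}")
    print("quiet weekdays:", quiet_day_isoformats(ACTIVITY_UTC, 8))
    for name, score in rank_calendars(ACTIVITY_UTC, 8, SAMPLE_CALENDARS):
        print(f"{name}: {score:.2f}")
```

Run on the sample, both UTC+8 and UTC+9 give a working-hours fraction of 1.0, which is exactly why hour-of-day alone cannot settle the question; the single quiet weekday is fully explained by the sample CN calendar and not at all by the sample KR one. With real data the window is longer, several quiet days are expected for unrelated reasons, and the scores should be read as evidence to weigh alongside infrastructure and tooling overlaps, not as proof.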

Reference:

  1. https://www.bleepingcomputer.com/news/security/xenorat-malware-campaign-hits-multiple-embassies-in-south-korea/

Cite this article:

Keerthana S (2025), Xenorat Malware Campaign Targets Several Embassies in South Korea, AnaTechMaz, pp.208
