Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack leveraged GitHub Personal Access Tokens to access private repositories and distribute XenoRAT malware. The campaign also employed Dropbox for malware distribution. The attackers used tailored decoy documents and impersonated legitimate entities to increase the effectiveness of their phishing attempts. Analysis of the infrastructure and malware samples revealed connections to previous Kimsuky operations, including shared test IP addresses and similar malware build environments.
OPENCTI LABELS:
dropbox,north korea,kimsuky,spearphishing,xenorat,south korea