The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

2025-08-18, Trellix
https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/
#Kimsuky #LNK #Phishing #XenoRAT

By Pham Duy Phuc and Alex Lanstein · August 18, 2025

The Trellix Advanced Research Center uncovered a sophisticated espionage operation targeting diplomatic missions across several regions in South Korea during early 2025. Between March and July 2025, DPRK-linked actors are believed to have carried out at least 19 spear-phishing email attacks against embassies worldwide, impersonating trusted diplomatic contacts and luring embassy staff with credible meeting invites, official letters, and event invitations.

The attackers leveraged GitHub, normally a legitimate developer platform, as a covert command-and-control channel. To distribute their malware, they relied on common cloud storage services such as Dropbox and Daum, deploying a variant of the XenoRAT remote access trojan that gave them full system control for intelligence gathering. Infrastructure analysis linked this campaign to known Kimsuky operations [1], with C2 servers matching previously identified DPRK espionage infrastructure.

This campaign remains active …

IoC
