XenoRAT malware campaign hits multiple embassies in South Korea

A state-sponsored espionage campaign targets foreign embassies in South Korea using XenoRAT malware, involving sophisticated phishing tactics over several months. While sharing methods with North Korean group Kimsuky, evidence suggests Chinese involvement, highlighting complex international cyber espionage efforts. #Kimsuky #XenoRAT

Key points

  • The campaign has been active since March, launching at least 19 spearphishing attacks.
  • Targets include European embassies in Seoul, with themes related to diplomatic and military issues.
  • Emails used malicious archives from cloud services to deliver obfuscated PowerShell code and XenoRAT malware.
  • XenoRAT provides extensive remote control capabilities, including keystroke logging and webcam access.
  • Although the TTPs resemble North Korean ones, the timing of the activity suggests a China-based threat actor, with moderate confidence of Kimsuky involvement.

Read More: https://www.bleepingcomputer.com/news/security/xenorat-malware-campaign-hits-multiple-embassies-in-south-korea/