The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

    Date: 08/19/2025

    Severity: High

    Summary

    A research center uncovered a DPRK-linked espionage campaign targeting diplomatic missions in South Korea in early 2025. Between March and July, at least 19 spear-phishing attacks impersonated trusted contacts to lure embassy staff. Attackers used GitHub for covert C2 communications and cloud platforms like Dropbox to deliver XenoRAT malware. Infrastructure links tie the operation to the Kimsuky group, matching known DPRK espionage tools and servers.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs:

domainname like "https://dl.dropboxusercontent.com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0" or url like "https://dl.dropboxusercontent.com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0" or siteurl like "https://dl.dropboxusercontent.com/scl/fi/c6ba7iwuke57d75j3mmte/eula.rtf?rlkey=t0jnirhxk48xdu8p74rqgv9dw&st=oofgjsq8&dl=0" or domainname like "https://bp.nidnaver.cloud/forbhmypresent.66ghz.com/dn.php" or url like "https://bp.nidnaver.cloud/forbhmypresent.66ghz.com/dn.php" or siteurl like "https://bp.nidnaver.cloud/forbhmypresent.66ghz.com/dn.php" or domainname like "https://dl.dropbox.com/scl/fi/sb19vsslj13wdkndskwuou/eula.rtf?rlkey=axrb5o5mv14afu7g6e8s3d5s8&st=xy96nggc&dl=0" or url like "https://dl.dropbox.com/scl/fi/sb19vsslj13wdkndskwuou/eula.rtf?rlkey=axrb5o5mv14afu7g6e8s3d5s8&st=xy96nggc&dl=0" or siteurl like "https://dl.dropbox.com/scl/fi/sb19vsslj13wdkndskwuou/eula.rtf?rlkey=axrb5o5mv14afu7g6e8s3d5s8&st=xy96nggc&dl=0" or domainname like "https://dl.dropbox.com/scl/fi/kpxdthefmdbxw9m31tao3/krumhan.rtf?rlkey=yhzti914uzn72wm4iruej24px&st=xjzyd4ip&dl=0" or url like "https://dl.dropbox.com/scl/fi/kpxdthefmdbxw9m31tao3/krumhan.rtf?rlkey=yhzti914uzn72wm4iruej24px&st=xjzyd4ip&dl=0" or siteurl like "https://dl.dropbox.com/scl/fi/kpxdthefmdbxw9m31tao3/krumhan.rtf?rlkey=yhzti914uzn72wm4iruej24px&st=xjzyd4ip&dl=0" or domainname like "https://dl.dropbox.com/scl/fi/4pydbg08752rsw6us7e5x/bobokan.rtf?rlkey=b49lxndnjvigz58o7ptwqrsbm&st=9rtwns0x&dl=0" or url like "https://dl.dropbox.com/scl/fi/4pydbg08752rsw6us7e5x/bobokan.rtf?rlkey=b49lxndnjvigz58o7ptwqrsbm&st=9rtwns0x&dl=0" or siteurl like "https://dl.dropbox.com/scl/fi/4pydbg08752rsw6us7e5x/bobokan.rtf?rlkey=b49lxndnjvigz58o7ptwqrsbm&st=9rtwns0x&dl=0" or domainname like "https://bp.nidnaver.cloud/info.php" or url like "https://bp.nidnaver.cloud/info.php" or siteurl like "https://bp.nidnaver.cloud/info.php"

IP Address:

    dstipaddress IN ("158.247.230.196","141.164.41.17","141.164.49.250","141.164.40.239","165.154.52.140","165.154.52.210","141.164.49.250","158.247.249.243") or srcipaddress IN ("158.247.230.196","141.164.41.17","141.164.49.250","141.164.40.239","165.154.52.140","165.154.52.210","141.164.49.250","158.247.249.243")

Hash 1 (SHA-256):

    sha256hash IN ("4a3e9f6b214effe5028a0bf36776190916621fd7977bf3720cb6ead34d9ee20d","1e10203174fb1fcfb47bb00cac2fe6ffe660660839b7a2f53d8c0892845b0029","cf2cba1859b2df4e927b8d52c630ce7ab6700babf9c7b4030f8243981b1a04fa","4bfd068156adbcaa9c9701abbd72d21c0174f7ce6d3563962891e0538f6a36a7","9c5964753f8092a98f414a97cfb02cbe2692a02bea0d1b601ff205282fbf8a62","9f5460850a3b5b53568cd450e83406927776833778a8eb24955bcebdf9849321","48fe8b7c8ceb1575dcdb6cf9f717d322e3450b2a06d6fab3d05ca907048aa1cd","c72f52813110685fe16af777f4ea5da2521270b4a906aae2fac98b746e3021ca","f372b16ec015767320a8334b73405943b0222ea125241907235fd4f347832d0e","892734d408626a9bb557346c5f80343d5f415e8e536f2aad30df74086865fe50","f462439a4590e9ee053573639a82e36304897f0a695729990c108bce6518f556","6dea2bf9512f618e3316f58d4f830e2a5cd746b778b125a91403da02de691d89","7ac1cb59cf1d5167b4f545c5a49f1c3db71493b448bd81a9a7ad7e25dcd7b943","18ab9a5bd68314b8a91070f18ca9c2c9097a3441b058edccd304b0e33d6c1422","90f53ae46c789884cfddc0d1d8f1ee7f8c4662b899fce51d5b01e94848554072")

Hash 2 (MD5):

    md5hash IN ("dfacbcf7ef2a3080f9cd785329e7896b","8b605de9d28c8c6477a996d4e5873e4e","5f704db7552a0b6b535b9c7c5f240664","5b5d21904d4874da9a31d456c5bcef8f","488570af25f908e907c9732aae632b0f","bca4cac80c436e813d93eba1b25257d0","02430604d146e8e33554061344ca806e","25595588106848b2054497ceba1a2d66","ff37eb655a96b71e7dc08b4d91e1daea","0e0f720193204cbd1a2c847d76f9e82f","45bd30d3a52904a7fe64fd97c31e3a1c","60895bbfd40b902513afda50b28e80da","8a94fe218e7970839b83b53a824ebc47","da19f3c42361ac84642e936e61c149a1","752b8fc6f69c8153d6945ff608ae6b4e")
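The TDIR queries above match exact indicator strings in the domainname, url, siteurl, IP and hash fields. The following Python is an added example, not code from the advisory or from Gurucul: it applies the same indicator types to constructed sample events, using a subset of the advisory's own indicators, and additionally derives the hostname from each URL indicator so that logs carrying only a bare domain field (which a full-URL comparison would miss) are covered too. Field names mirror the query fields; the events are constructed for illustration.

```python
from urllib.parse import urlsplit

# Subset of the indicators listed in this advisory (illustrative, not the full set)
IOC_URLS = {
    "https://bp.nidnaver.cloud/info.php",
    "https://dl.dropbox.com/scl/fi/kpxdthefmdbxw9m31tao3/krumhan.rtf"
    "?rlkey=yhzti914uzn72wm4iruej24px&st=xjzyd4ip&dl=0",
}
IOC_IPS = {"158.247.230.196", "141.164.41.17"}
IOC_SHA256 = {"1e10203174fb1fcfb47bb00cac2fe6ffe660660839b7a2f53d8c0892845b0029"}
IOC_MD5 = {"8b605de9d28c8c6477a996d4e5873e4e"}

# Hostnames derived from the URL indicators, so a bare domainname field also matches
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def match_event(event: dict) -> list:
    """Return the indicator types a single event matches ([] if none)."""
    hits = []
    for field in ("url", "siteurl"):
        value = event.get(field)
        # exact URL match, or host-level match for a variant path/query string
        if value and (value in IOC_URLS or urlsplit(value).hostname in IOC_HOSTS):
            hits.append(f"url:{field}")
    if event.get("domainname", "").lower() in IOC_HOSTS:
        hits.append("domain")
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(f"ip:{field}")
    # hashes are compared case-insensitively; vendors emit both upper and lower case
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("sha256")
    if event.get("md5hash", "").lower() in IOC_MD5:
        hits.append("md5")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that matches at least one indicator."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]


# Constructed sample events (not taken from the advisory)
SAMPLE_EVENTS = [
    {"domainname": "bp.nidnaver.cloud", "dstipaddress": "203.0.113.10"},
    {"url": "https://bp.nidnaver.cloud/info.php", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "141.164.41.17"},
    {"md5hash": "8B605DE9D28C8C6477A996D4E5873E4E"},
    {"domainname": "example.com", "sha256hash": "00" * 32},  # benign, no hit
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```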

    Reference:

    https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/
