North Korea-linked hackers target embassies in Seoul in new espionage campaign
A North Korea-linked hacker group is conducting cyber-espionage against foreign embassies in South Korea, spreading the XenoRAT malware under the guise of diplomatic email. The campaign has been running since March and is still ongoing; it is suspected to be the work of North Korea's Kimsuky group and may have ties to China. The attackers use phishing emails to lure targets into opening malicious attachments and take control of their systems. 2025-8-19 14:30:50 Author: therecord.media

A North Korea-linked hacker group carried out a months-long espionage campaign against foreign embassies in South Korea, disguising its attacks as routine diplomatic correspondence, researchers found.

The operation, active since March and still ongoing, is believed to be linked to North Korea’s Kimsuky group, also known as APT43, and has targeted at least 19 embassies and foreign ministries, according to a report published this week by cybersecurity firm Trellix.

Although the campaign was attributed to Pyongyang-backed hackers, the report suggests possible ties to China. The hackers’ activity closely aligned with Chinese working hours and paused during Chinese national holidays, but not during North or South Korean holidays. These patterns raise the possibility that the group is operating from Chinese territory or relying on Chinese contractors, Trellix said.

The attackers posed as foreign diplomats and officials, sending emails that appeared to include meeting minutes, letters from ambassadors, or event invitations. Attachments disguised as PDFs inside password-protected ZIP files deployed a variant of the XenoRAT remote access trojan, giving hackers full control of infected systems.
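The lure format described above (a password-protected ZIP whose member is made to look like a PDF) can be triaged at the mail gateway without ever extracting the archive, because member names and the encryption flag live in the ZIP central directory. The following is an added example, not code from the article or from Trellix; it assumes the disguise takes the form of a document-looking name with an executable extension (the article does not say how the files were disguised), and the extension lists, verdict thresholds and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

# Hypothetical extension lists for this example. A member named like
# "letter.pdf.exe" looks like a document but runs as a program on Windows.
EXECUTABLE_EXTS = {"exe", "scr", "lnk", "bat", "cmd", "js", "jse", "vbs",
                   "hta", "wsf", "pif", "com", "ps1", "msi", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "hwp", "txt", "rtf"}


def classify_member(name: str) -> list:
    """Return the reasons (possibly none) a ZIP member name looks like a disguised payload."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    raw_parts = base.split(".")
    parts = [p.strip() for p in raw_parts]   # "report.pdf      .exe" -> report / pdf / exe
    if parts != raw_parts:
        reasons.append("whitespace padding around the extension")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("document-looking name with executable extension")
        else:
            reasons.append("executable member")
    if "\u202e" in name:                      # RIGHT-TO-LEFT OVERRIDE reverses the displayed name
        reasons.append("right-to-left override character in name")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment without extracting anything.

    Member names and the general-purpose flag are in the central directory, so
    both are readable even when the archive is password-protected (flag bit 0).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    findings = {info.filename: classify_member(info.filename) for info in infos}
    suspicious = [n for n, r in findings.items() if r]
    if encrypted and suspicious:
        verdict = "block"    # the combination the report describes
    elif encrypted or suspicious:
        verdict = "review"   # one signal alone: hold for an analyst
    else:
        verdict = "allow"
    return {"encrypted": encrypted, "members": sorted(findings),
            "findings": findings, "verdict": verdict}


def build_sample_zip(members: dict, encrypted_flag: bool) -> bytes:
    """Construct a test archive in memory (constructed test data, not a real lure).

    The standard library cannot write encrypted ZIPs, so for the "encrypted"
    variant we set bit 0 of the general-purpose flag in every local header
    (signature PK 03 04, flag at offset 6) and central-directory header
    (signature PK 01 02, flag at offset 8). Names stay readable, which is all
    the triage relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: a lure-style archive and a benign one.
LURE_ATTACHMENT = build_sample_zip(
    {"Ambassador_letter.pdf.exe": b"MZ placeholder bytes, not a real program"},
    encrypted_flag=True)
BENIGN_ATTACHMENT = build_sample_zip(
    {"Meeting_minutes.pdf": b"%PDF-1.7 placeholder document"},
    encrypted_flag=False)


def demo() -> dict:
    """Run both samples through triage and return the verdicts."""
    return {"lure": triage_zip(LURE_ATTACHMENT)["verdict"],
            "benign": triage_zip(BENIGN_ATTACHMENT)["verdict"]}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that neither signal is decisive alone: encrypted archives are common in legitimate diplomatic traffic, and a bare executable inside an unencrypted ZIP is caught by ordinary attachment filters, so only the combination is blocked outright while either signal by itself is held for review. Because the check reads only the central directory, it works before the password (typically sent in the email body) is known.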

“The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence. Many emails included official signatures, diplomatic terminology, and references to real events,” the researchers said. “Such precise timing and context significantly increased the likelihood that targets would open malicious attachments.”

One phishing email impersonated a U.S. Embassy protocol officer with an invite to an Independence Day event, while others spoofed European diplomats or promoted international forums. Trellix said it identified decoy documents crafted in multiple languages, including Korean, English, Persian, Arabic, French and Russian.

The malware used in the campaign, XenoRAT, is an open-source remote access trojan with advanced features, including remote control, keystroke logging and access to the webcam and microphone.

Once installed on victims’ devices, the malware gathered detailed information about their systems and exfiltrated the data through GitHub’s developer platform to evade detection. The attackers also relied on Dropbox, Google Drive and Korean services such as Daum to host malicious files, Trellix said.
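Exfiltration through GitHub and file staging on Dropbox, Google Drive or Daum blends into ordinary web traffic, so a useful detection looks at who is uploading to those services rather than at the destination alone. The block below is an added example, not code from the article or from Trellix: it runs over a constructed proxy log (the CSV fields, hostnames, the per-service allowlist of expected uploaders and the byte threshold are all assumptions for this example) and flags hosts that push an unexpected volume of data to one of the named services.

```python
import csv
import io
from collections import defaultdict

# Constructed proxy log (CSV). The field layout is an assumption for this example.
SAMPLE_PROXY_LOG = """\
ts,src_host,method,dest_host,bytes_out
2025-08-19T09:02:11Z,DEV-BUILD01,POST,api.github.com,48213
2025-08-19T09:04:37Z,FO-WKS-117,POST,api.github.com,912455
2025-08-19T09:05:02Z,FO-WKS-117,POST,api.github.com,1048576
2025-08-19T09:09:45Z,FO-WKS-203,GET,www.dropbox.com,1342
2025-08-19T09:12:08Z,FO-WKS-203,GET,drive.google.com,2210
2025-08-19T09:15:30Z,FO-WKS-117,GET,mail.daum.net,870
"""

# Services the report names as abused, keyed by DNS suffix (assumed hostnames).
WATCHED_SUFFIXES = {
    "github.com": "github",
    "githubusercontent.com": "github",
    "dropbox.com": "dropbox",
    "dropboxapi.com": "dropbox",
    "drive.google.com": "google_drive",
    "googleapis.com": "google_drive",
    "daum.net": "daum",
}

# Hosts with a business reason to push data to each service (assumed allowlist).
EXPECTED_UPLOADERS = {"github": {"DEV-BUILD01"}}

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
UPLOAD_THRESHOLD_BYTES = 500_000   # per host, per service, per log window (assumed)


def service_for(host: str):
    """Map a destination hostname to a watched service, or None if not watched."""
    host = host.lower()
    for suffix, service in WATCHED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def detect_exfil(log_text: str) -> list:
    """Return one finding per (host, service) whose upload volume to a watched
    service exceeds the threshold and whose host is not an expected uploader."""
    uploads = defaultdict(int)   # (src_host, service) -> bytes sent in upload requests
    contacts = defaultdict(set)  # (src_host, service) -> destination hosts seen
    for row in csv.DictReader(io.StringIO(log_text)):
        service = service_for(row["dest_host"])
        if service is None:
            continue
        key = (row["src_host"], service)
        contacts[key].add(row["dest_host"])
        if row["method"].upper() in UPLOAD_METHODS:
            uploads[key] += int(row["bytes_out"])
    findings = []
    for (src, service), total in uploads.items():
        if src in EXPECTED_UPLOADERS.get(service, set()):
            continue
        if total >= UPLOAD_THRESHOLD_BYTES:
            findings.append({"src_host": src, "service": service,
                             "reason": "upload volume to unexpected service",
                             "bytes_out": total,
                             "dest_hosts": sorted(contacts[(src, service)])})
    return sorted(findings, key=lambda f: f["src_host"])


if __name__ == "__main__":
    for finding in detect_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

Only upload volume is alerted on here: downloads from Dropbox, Google Drive or Daum are far too common in a diplomatic environment to page anyone on their own, which is exactly why the operators chose those services for staging. The aggregation is keyed by host and service rather than by individual request so that many small pushes to the GitHub API add up to one finding.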

[Image: Trellix]

Kimsuky has been active since at least 2012, targeting governments, think tanks, academics, and media organizations across Asia, Europe, Japan, Russia and the United States. In 2023, Washington and its Pacific allies imposed sanctions on the group, accusing it of collecting intelligence to support North Korea’s foreign policy and sanctions-evasion efforts.

U.S. officials have previously said North Korean cyber units often operate abroad, including from China and Russia, to avoid sanctions. Trellix said its findings support the view that while the latest campaign is linked to Kimsuky, the operators may be based in China or culturally Chinese.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/north-korean-hackers-target-foreign-embassies