Date: 2025-08-19

BleepingComputer reports that the XenoRAT malware has been deployed in intrusions against multiple European embassies in South Korea as part of a state-backed cyberespionage campaign that has been underway since March.
After initially targeting a Central European embassy in March, the attackers, believed to be the North Korean state-backed threat group APT43 (also known as Kimsuky), sought to compromise a Western European embassy in May with an email impersonating a high-level EU delegation official. They then moved to U.S.-Korea military partnership lures in intrusions launched from June to July, according to an analysis from Trellix. The malicious messages purported to be official letters and meeting and event invitations, and contained password-protected ZIP files with a PDF-spoofing LNK file, which facilitates the delivery of XenoRAT. Aside from enabling keylogging, screenshot capturing, and webcam and microphone access, XenoRAT also allows file transfers and remote shell operations while ensuring persistence on targeted systems, said researchers, who also noted potential Chinese participation in the campaign owing to the timing of the attacks.
