North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms

North Korean threat actors, likely Kimsuky, conducted a cyber espionage campaign targeting diplomatic missions from March to July 2025. The campaign involved spear-phishing emails impersonating trusted contacts, leading to the delivery of the Xeno RAT malware via trusted cloud storage solutions. Additionally, North Koreans posing as remote IT workers infiltrated over 320 companies in the past year, utilizing AI tools and laptop farms to generate illicit revenue for the regime.