www.infosecurity-magazine.com, 4/2/2026, 1:58:10 PM

GitHub Used as Covert Channel in Multi-Stage Malware Campaign

A series of malicious LNK (Windows shortcut) files targeting users in South Korea has been found to use a multi-stage attack chain with GitHub as its command-and-control (C2) infrastructure. The campaign relies on scripting, encoded payloads and legitimate Windows tools to maintain persistence while avoiding detection; earlier versions date back to 2024.

According to a new advisory published by Fortinet on 2 April 2026, recent variants show clear changes in tactics, including decoding functions embedded directly within the LNK file's arguments and encoded payloads carried inside the files themselves. A decoy PDF document is shown to the victim so the file appears legitimate when opened, while PowerShell scripts execute silently in the background without the user's knowledge.

In the second stage, the PowerShell script checks for virtual machines or security analysis tools, decodes and stores additional payloads, creates scheduled tasks that run every 30 minutes for persistence, collects system information, and uploads logs to GitHub repositories using hardcoded access tokens.

In the final stage, the malware maintains communication by continually connecting to GitHub repositories to download additional instructions or modules, with a keep-alive script uploading network configuration details. According to Jason Soroko, senior fellow at Sectigo, this represents a shift toward a highly evasive living-off-the-land strategy, while Jamie Boote, senior manager at Black Duck, notes that the attack demonstrates how legitimate infrastructure can become an attack surface.
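The behaviours described in the second and final stages (a script host launched from a shortcut with a hidden or encoded command, a short-interval scheduled task that runs a script host, and PowerShell itself talking to GitHub) are each visible in ordinary endpoint telemetry. The following is an added example, not code from the Fortinet advisory or from the article: a small hunting script that applies those three checks to constructed, Sysmon-style events (event ID 1 for process creation, event ID 3 for network connections). The event fields, the sample command lines and the sample payload are all assumptions made up for the example; the GitHub host list is deliberately small.

```python
"""Hunt for LNK -> PowerShell -> GitHub behaviour over constructed Sysmon-style events.

Added example for illustration; the events below are constructed, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # Sysmon-style: 1 = process create, 3 = network connect
    image: str               # full path of the process
    parent_image: str = ""   # only meaningful for event_id 1
    command_line: str = ""   # only meaningful for event_id 1
    dest_host: str = ""      # only meaningful for event_id 3


# Hosts a script host has no business contacting on a typical workstation.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def decode_encoded_command(cmdline):
    """Return the text behind -e / -enc / -EncodedCommand, or None if absent or invalid.

    PowerShell expects the argument to be base64 of a UTF-16LE string.
    """
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyse(events):
    """Return a list of (rule, image, detail) findings for the given events."""
    findings = []
    for ev in events:
        img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        if ev.event_id == 1:
            decoded = decode_encoded_command(cmd)
            hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) is not None
            # Rule 1: a double-clicked shortcut shows up as explorer.exe spawning a script host.
            if parent == "explorer.exe" and img in SCRIPT_HOSTS and (decoded or hidden):
                findings.append(("lnk_style_script_launch", img, decoded or cmd))
            # Rule 2: a task created with a minute-scale repeat interval that runs a script host.
            if img == "schtasks.exe" and re.search(r"/create", cmd, re.I):
                mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
                sc = re.search(r"/sc\s+minute", cmd, re.I)
                runs_script = any(h in cmd.lower() for h in SCRIPT_HOSTS)
                if sc and mo and int(mo.group(1)) <= 60 and runs_script:
                    findings.append(("short_interval_script_task", img, f"every {mo.group(1)} min"))
            # Rule 3a: the decoded payload itself names GitHub.
            if decoded and "github" in decoded.lower():
                findings.append(("encoded_script_references_github", img, decoded))
        elif ev.event_id == 3:
            # Rule 3b: a script host, rather than git or a browser, connecting to GitHub.
            if img in SCRIPT_HOSTS and ev.dest_host.lower() in GITHUB_HOSTS:
                findings.append(("script_host_to_github", img, ev.dest_host))
    return findings


# Constructed sample: what the encoded argument would decode to in this example.
SAMPLE_PAYLOAD = "iwr https://api.github.com/ # constructed sample, not a real payload"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, r"C:\Windows\explorer.exe", f"powershell.exe -w hidden -enc {SAMPLE_B64}"),
    Event(1, r"C:\Windows\System32\schtasks.exe", PS,
          r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "powershell.exe -w hidden -f C:\Users\Public\keepalive.ps1"'),
    Event(3, PS, dest_host="api.github.com"),
    # Benign noise: Word opened from Explorer, and git itself talking to GitHub.
    Event(1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\explorer.exe", '"WINWORD.EXE" report.docx'),
    Event(3, r"C:\Program Files\Git\bin\git.exe", dest_host="github.com"),
]


def detect_sample():
    """Run the rules over the constructed events (used by the usage section below)."""
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, image, detail in detect_sample():
        print(f"{rule:36s} {image:16s} {detail}")
```

The three rules map directly onto the stages in the article: the first catches the LNK launch, the second the 30-minute persistence task, and the third the GitHub keep-alive and module download traffic. In practice the GitHub rule needs tuning per environment (developer workstations legitimately reach GitHub, but from git, IDEs and browsers, not from powershell.exe), which is why the example keys on the process image rather than on the destination alone.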


Article by CyberSIXT