Threat actors likely associated with the Democratic People’s Republic of Korea have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organisations in South Korea. The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files that drop a decoy PDF and a PowerShell script, with phishing used to distribute the LNKs.
After download, the PowerShell script runs to set up persistence via a scheduled task that launches the payload every 30 minutes in a hidden window to evade detection. The PowerShell stage then profiles the host, saves a log, and exfiltrates it to a GitHub repository created under the account “motoralis” using a hard-coded access token. Several other GitHub accounts are also named in the campaign, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip.
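The persistence pattern described above (a scheduled task that launches PowerShell in a hidden window on a short repetition interval) is straightforward to hunt for in exported Task Scheduler definitions. The following is an added defender-side example written for this article, not FortiGuard Labs code: it parses Task Scheduler XML (as produced by `schtasks /query /xml` or the Task Scheduler API) and flags tasks where both signals are present. The task names, paths and XML definitions are constructed for illustration; the 60-minute threshold is an assumption chosen to catch the 30-minute interval reported here and similar beacons.

```python
"""Flag scheduled tasks matching a hidden-window PowerShell beacon pattern.

Added example for defenders; the task XML below is constructed, not taken
from the campaign. On a real host, export definitions with
`schtasks /query /tn <name> /xml` and feed them to analyze_task().
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Matches -WindowStyle Hidden and its accepted abbreviations (-w hidden, -win h).
HIDDEN_WINDOW = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.IGNORECASE)
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT30M, PT1H, P1D.
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SHORT_INTERVAL_MINUTES = 60  # assumption: hourly or faster is "beacon-like"


def interval_minutes(duration: str) -> Optional[float]:
    """Convert an ISO 8601 duration such as PT30M to minutes; None if unparsable."""
    m = ISO_DURATION.match(duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


@dataclass
class Finding:
    task: str
    reasons: List[str] = field(default_factory=list)


def analyze_task(name: str, xml_text: str) -> Optional[Finding]:
    """Return a Finding when a task launches hidden PowerShell on a short interval."""
    root = ET.fromstring(xml_text)
    reasons: List[str] = []

    # Signal 1: an Exec action that starts PowerShell with a hidden window.
    launches_ps = False
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS) or ""
        if "powershell" in cmd or "pwsh" in cmd:
            launches_ps = True
            if HIDDEN_WINDOW.search(args):
                reasons.append("PowerShell launched with a hidden window")
    if not launches_ps:
        return None

    # Signal 2: a trigger that repeats at least every SHORT_INTERVAL_MINUTES.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(interval.text or "")
        if mins is not None and mins <= SHORT_INTERVAL_MINUTES:
            reasons.append(f"repeats every {mins:g} minutes ({interval.text})")

    # Either signal alone is common in legitimate admin tasks; both together
    # match the persistence described in the article.
    return Finding(name, reasons) if len(reasons) >= 2 else None


def scan_tasks(tasks: Dict[str, str]) -> List[Finding]:
    """Run analyze_task over a mapping of task name -> task XML."""
    return [f for f in (analyze_task(n, x) for n, x in tasks.items()) if f]


# Constructed sample definitions (hypothetical names and paths).
SAMPLE_TASKS = {
    # Looks like the reported pattern: hidden PowerShell every 30 minutes.
    "Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -File C:\Users\Public\update.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    # Hidden window but only once a day: a single signal, not flagged.
    "NightlyBackup": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>P1D</Interval></Repetition>
    <StartBoundary>2024-01-01T02:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -File C:\Scripts\backup.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    # Frequent, but not PowerShell at all: ignored.
    "Telemetry": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\agent.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(f"[!] {finding.task}: " + "; ".join(finding.reasons))
```

Requiring both signals keeps the false-positive rate manageable, since hidden-window PowerShell and short repetition intervals each appear on their own in ordinary administrative tasks. A natural follow-up on hosts that should never talk to GitHub is to correlate hits with outbound connections to api.github.com from the PowerShell process the task spawns.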
The campaign leverages GitHub to blend in and maintain control, and earlier iterations of the chain involved Xeno RAT and related activity documented by ENKI and Trellix, attributed to Kimsuky. The findings also reference a shift by ScarCruft to alternative dropper methods, including an HWP-based LNK chain for RokRAT.