{"id":7707,"date":"2026-04-06T12:02:36","date_gmt":"2026-04-06T12:02:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7707"},"modified":"2026-04-06T12:02:36","modified_gmt":"2026-04-06T12:02:36","slug":"north-korean-hackers-abuse-lnks-and-github-repos-in-ongoing-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7707","title":{"rendered":"North Korean hackers abuse LNKs and GitHub repos in ongoing campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>DPRK-linked threat actors are preferring stealth over sophistication in targeting South Korean organizations, as researchers report the use of weaponized Windows shortcut (<a href=\"https:\/\/www.csoonline.com\/article\/4132232\/four-new-reasons-why-windows-lnk-files-cannot-be-trusted.html\" target=\"_blank\" rel=\"noopener\">.LNK<\/a>) files and GitHub-based command-and-control (C2) channels in a new campaign.<\/p>\n<p>According to new Fortinet findings, a series of attacks that began in 2024 were found using a multi-stage scripting process and GitHub C2 to evade detection, with obfuscation improving with each iteration of the campaign.<\/p>\n<p>\u201cIn recent months, the threat actor has altered their tactics,\u201d Fortinet researchers said in a blog <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\">post<\/a>. \u201cThey now embed decoding functions within LNK arguments and include encoded payloads directly inside the files.\u201d The ongoing campaign seems to be targeted at expanding DPRK\u2019s surveillance within South Korea. 
The researchers noted that lighter obfuscation and richer metadata in the previous iterations of the campaign allowed them to link it to attacks spreading the <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/XenoRat.AXNR!MTB&amp;ThreatID=2147945241\" target=\"_blank\" rel=\"noopener\">XenoRAT<\/a> malware.<\/p>\n<p>Jason Soroko, senior fellow at Sectigo, believes the strategy aligns with the recent trend of attackers relying on built-in Windows utilities and legitimate services to carry out their objectives. \u201cModern cyber espionage has fundamentally shifted toward a highly evasive strategy known as living off the land,\u201d he said, noting that attackers are increasingly abusing native tools like PowerShell and scheduled tasks to blend into normal system activity.<\/p>\n<p>LNK files have long been <a href=\"https:\/\/www.csoonline.com\/article\/574425\/attackers-move-away-from-office-macros-to-lnk-files-for-malware-delivery.html\">known for<\/a> their history of exploitation, with Microsoft issuing multiple <a href=\"https:\/\/www.csoonline.com\/article\/4101085\/windows-shortcuts-use-as-a-vector-for-malware-may-be-cut-short.html\">patches<\/a> and <a href=\"https:\/\/www.techradar.com\/pro\/security\/microsoft-quietly-patches-lnk-vulnerability-thats-been-weaponized-for-years\" target=\"_blank\" rel=\"noopener\">advisories<\/a> over the years to curb their misuse.<\/p>\n<h2 class=\"wp-block-heading\">LNK files used as stealth loaders<\/h2>\n<p>The campaign begins its infection with a Windows shortcut file, which is typically used to launch applications or open documents, but can also embed commands to execute scripts or binaries.<\/p>\n<p>\u201cA .lnk file is how Windows handles shortcuts: Whenever you click on that Outlook icon on your desktop, you\u2019re actually clicking on a separate file that uses the Outlook image and directs the operating system to open up Microsoft Outlook,\u201d 
explained Jamie Boote, senior manager, strategic security consulting at Black Duck. \u201cYou can also create shortcut links (.lnk files) to websites, programs with additional commands, executable scripts, and just about anything else you could type into Windows\u2019s Run command window.\u201d<\/p>\n<p>The LNK files in the campaign use various scripts, including earlier versions with simple character concatenation to mask the GitHub C2 address and the access token, the researchers said, adding that it was easy to determine that the script was meant to run a PowerShell command fetched from GitHub.<\/p>\n<p>Later versions shifted to basic character decoding functions, making detection a little trickier, but still had telling metadata like names, sizes, and modification dates that allowed researchers to connect them to the specific campaign. The name column repeatedly uses \u201cHangul document,\u201d a pattern consistent with state-affiliated groups like <a href=\"https:\/\/www.csoonline.com\/article\/3967013\/north-korea-backed-kimsuky-targets-unpatched-bluekeep-systems-in-new-campaign.html\">Kimsuky<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4088037\/north-korean-hackers-exploit-googles-safety-tools-for-remote-wipe.html\">APT37<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3818521\/lazarus-group-tricks-job-seekers-on-linkedin-with-crypto-stealer.html\">Lazarus<\/a>.<\/p>\n<p>In its latest iteration, the campaign operators have removed the identifying metadata, now using only a decoding function within the arguments.<\/p>\n<h2 class=\"wp-block-heading\">GitHub as C2<\/h2>\n<p>Researchers also highlighted the campaign\u2019s use of GitHub as a C2 layer. 
Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.<\/p>\n<p>\u201cThe fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors,\u201d Boote added.<\/p>\n<p>After infecting a system, the PowerShell scripts perform system checks to confirm the environment isn\u2019t under analysis, ensure the malware persists after system reboot through a scheduled task, and collect detailed system information. Only then is a stable connection attempted with subsequent scripts, where additional modules and instructions are fetched from the attacker\u2019s GitHub repository.<\/p>\n<p>The researchers flagged a GitHub account, \u201cmotoralis,\u201d with consistent activity dating back to 2025, and other less frequent accounts, including \u201cGod0808RAMA,\u201d \u201cPigresy80,\u201d \u201centire73,\u201d \u201cpandora0009,\u201d and \u201cbrandonleeodd93-blip.\u201d<\/p>\n<p>Additionally, the blog post shared a set of URLs and file hashes to support detection efforts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>DPRK-linked threat actors are preferring stealth over sophistication in targeting South Korean organizations, as researchers report the use of weaponized Windows shortcut (.LNK) files and GitHub-based command-and-control (C2) channels in a new campaign. 
According to new Fortinet findings, a series of attacks that began in 2024 were found using a multi-stage scripting process and GitHub [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7708,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7707"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7707"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7707\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7708"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}