North Korean Hackers Abuse GitHub in LNK Phishing Attacks
Key Takeaways
- North Korean state-sponsored threat actors are employing a sophisticated phishing campaign targeting South Korean organizations.
- The attacks utilize malicious Windows LNK shortcut files to initiate infections and leverage GitHub as a covert command-and-control (C2) channel.
- The campaign aims for long-term surveillance and intelligence gathering, exhibiting high severity due to potential data theft and follow-on attacks.
- The affected platform is Microsoft Windows, and the attacks exploit trust in legitimate platforms like GitHub and common file types such as PDFs.
State-sponsored North Korean hacking groups have launched a new phishing operation specifically targeting entities in South Korea. This campaign, meticulously detailed in a recent report by FortiGuard Labs researchers, exploits Windows shortcut (LNK) files to initiate malicious activity, uniquely employing GitHub as a command-and-control (C2) infrastructure.
A primary concern with this campaign is the attackers’ ability to camouflage their operations within GitHub, a widely trusted internet platform. By turning GitHub into a clandestine C2 channel, the attackers make their malicious traffic appear legitimate, so it easily bypasses network defenses that typically whitelist the platform in corporate environments.
The campaign’s origins trace back to at least 2024, demonstrating continuous evolution in its sophistication. Early iterations of the LNK files contained minimal obfuscation and retained metadata, allowing security researchers to track and link the attacks. These initial variants were also associated with the deployment of XenoRAT malware. More recently, the threat actor has advanced their techniques, embedding decoding functions directly within LNK file arguments and concealing encoded payloads within the files themselves.
During the infection process, victims are presented with decoy PDF documents. This tactic creates the illusion that a legitimate file has opened normally, while a malicious script executes silently in the background, unbeknownst to the user.
FortiGuard Labs, in research led by analyst Cara Lin, identified this campaign. They observed that the titles of decoy PDF documents retrieved from attack samples indicate deliberate targeting of specific South Korean companies, suggesting a broader espionage objective.
Metadata patterns found within the LNK files, particularly the “Hangul Document” naming convention, bear strong resemblances to tactics previously employed by established North Korean state-sponsored groups, including Kimsuky, APT37, and Lazarus.
The campaign has been assigned a high severity rating. The potential for stolen data to facilitate subsequent attacks on Microsoft Windows systems underscores the critical nature of this threat.
The geographic specificity and technical precision of the operation suggest a well-funded, calculated effort rather than opportunistic cybercrime. The threat actor meticulously crafted lure documents to revolve around topics relevant to the South Korean business landscape, such as financial proposals and strategic partnership agreements.
Examples of these cunningly designed filenames include “TRAMS WINBOT AI Strategic Proposal.pdf.lnk” and “(CONFIDENTIAL) AIN x Mine Korea 2026.pdf.lnk”. These demonstrate the deliberate effort to make each decoy appear authentic and trustworthy to potential recipients.
The overarching goal of this campaign appears to be long-term surveillance and intelligence gathering. By establishing persistent access through scheduled tasks that trigger every 30 minutes, and by utilizing private GitHub repositories for exfiltrating stolen logs and receiving new instructions, the attackers maintain discreet monitoring of compromised systems over extended periods. Crucially, all communication occurs over encrypted HTTPS traffic to a trusted domain, allowing it to routinely bypass conventional perimeter defenses without triggering alerts.
Multi-Stage Infection Mechanism
The attack sequence begins when a user opens what appears to be a standard PDF document. In reality, this file is an LNK shortcut designed to silently execute a PowerShell script.
An XOR-based decoding function, embedded within the LNK file, is responsible for extracting both the decoy PDF and the malicious script. The decoy document serves to distract the victim, making them believe a legitimate file has opened.
Upon activation, the PowerShell script performs an initial environmental check, scanning for the presence of virtual machines, debuggers, and forensic tools. This anti-analysis measure helps the malware evade detection.
If no such tools are detected, the script proceeds to drop a VBScript file and establish a scheduled task. This task is configured to execute the payload every 30 minutes, ensuring persistence on the compromised system.
Subsequently, the script gathers critical system information, including the operating system version, boot time, and data on running processes. This collected intelligence is then uploaded to a GitHub repository controlled by the attackers.
In the final stage, the malware retrieves new instructions from the GitHub C2. Simultaneously, a “keep-alive” script transmits live network data back to the attacker, facilitating real-time monitoring of the compromised system.
What You Should Do
- Exercise extreme caution with unsolicited LNK and PDF files, regardless of their apparent legitimacy or sender.
- Implement robust endpoint detection and response (EDR) solutions to monitor for unusual PowerShell or VBScript activity.
- Routinely audit outbound network connections and investigate any unexpected traffic directed towards GitHub API endpoints.
- Educate users on the dangers of phishing, particularly those involving shortcut files and suspicious attachments.
- Maintain up-to-date operating systems and security software patches to mitigate known vulnerabilities.
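The infection chain described above (Explorer launching a hidden PowerShell from a .pdf.lnk, a 30-minute scheduled task running a dropped VBScript, and script hosts talking to GitHub) maps onto a handful of telemetry rules. The following detector is an added example, not code from the FortiGuard report or from HackersRadar; it runs over constructed Sysmon-style JSON lines, and the hidden-window flag and the schtasks syntax are assumed heuristics for the "silent" execution and the 30-minute task the report describes.

```python
import json
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (event 1 = process create, 3 = network connect).
# ws01 replays the chain from the article; ws02 is benign background noise.
SAMPLE_LOG = r"""
{"host":"ws01","event":1,"image":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe","cmd":"explorer.exe"}
{"host":"ws01","event":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmd":"powershell.exe -w hidden -c $b=[IO.File]::ReadAllBytes('C:\\Users\\u\\Downloads\\Proposal.pdf.lnk')"}
{"host":"ws01","event":1,"image":"C:\\Windows\\System32\\schtasks.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"schtasks /Create /SC MINUTE /MO 30 /TN Updater /TR wscript.exe C:\\Users\\u\\AppData\\Roaming\\u.vbs"}
{"host":"ws01","event":3,"image":"C:\\Windows\\System32\\wscript.exe","dest_host":"api.github.com","dest_port":443}
{"host":"ws02","event":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"powershell.exe Get-Process"}
{"host":"ws02","event":3,"image":"C:\\Program Files\\Git\\mingw64\\bin\\git-remote-https.exe","dest_host":"github.com","dest_port":443}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def analyse(log_text):
    """Return {host: [finding, ...]} for every host that triggers at least one rule."""
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        host, image = ev["host"], ntpath.basename(ev["image"]).lower()
        if ev["event"] == 1:
            parent, cmd = ntpath.basename(ev["parent"]).lower(), ev["cmd"]
            # A shortcut double-click shows up as Explorer spawning a script host; the hidden
            # window flag is an assumed heuristic for the "silent" execution the report describes.
            if image in SCRIPT_HOSTS and parent == "explorer.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
                findings[host].append("hidden script host launched from Explorer")
            if re.search(r"\.pdf\.lnk\b", cmd, re.I):
                findings[host].append("double-extension .pdf.lnk referenced on command line")
            # Persistence: the report's 30-minute task that runs the dropped VBScript.
            if image == "schtasks.exe" and re.search(r"/SC\s+MINUTE\s+/MO\s+30\b", cmd, re.I) and ".vbs" in cmd.lower():
                findings[host].append("30-minute scheduled task running a .vbs")
        elif ev["event"] == 3 and image in SCRIPT_HOSTS:
            # C2 over a trusted domain: script hosts talking to GitHub directly (git.exe would not fire).
            dest = ev["dest_host"].lower()
            if dest == "github.com" or dest.endswith(".github.com"):
                findings[host].append(f"{image} connected to {dest}:{ev['dest_port']}")
    return dict(findings)

def suspicious_hosts(log_text, min_hits=2):
    """Hosts hitting at least min_hits distinct rules, to cut single-rule noise."""
    return sorted(h for h, f in analyse(log_text).items() if len(set(f)) >= min_hits)

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOG).items():
        print(host, *hits, sep="\n  ")
```

Requiring two distinct rules per host keeps an ordinary `git` push to GitHub or an interactive PowerShell session from paging anyone, while the full chain on ws01 still surfaces.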
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.