A sophisticated cyber campaign linked to North Korean threat actors is actively targeting organizations in South Korea with malicious Windows shortcut (LNK) files. What makes this operation particularly concerning is the attackers' use of a trusted platform, GitHub, as covert command-and-control (C2) infrastructure.
Because GitHub is widely trusted and frequently allow-listed in enterprise environments, the attackers can disguise malicious communication as legitimate developer traffic. This lets them slip past controls that filter on domain reputation and remain undetected for extended periods.
According to researchers at FortiGuard Labs, led by Cara Lin, the campaign dates back to at least 2024 but has evolved significantly in both complexity and stealth. Earlier versions relied on simpler LNK files with minimal obfuscation, which allowed analysts to trace connections to malware such as XenoRAT.
Recent variants demonstrate more advanced evasion. The decoding routine is now embedded directly in the shortcut's command-line arguments, and the encoded payload is concealed inside the LNK file itself. The shortcut also opens a decoy PDF, so the victim sees a legitimate document while the malicious script executes silently in the background.
Furthermore, file metadata reveals patterns such as the “Hangul Document” naming convention, indicators that align closely with tactics used by known North Korean groups including Kimsuky, APT37, and Lazarus Group. Experts therefore assess this campaign as part of a broader intelligence-gathering effort rather than opportunistic cybercrime.
The attackers craft highly convincing lure documents tailored to Korean business environments. For example, filenames such as “TRAMS WINBOT AI Strategic Proposal.pdf.lnk” and “(CONFIDENTIAL) AIN x Mine Korea 2026.pdf.lnk” suggest a deliberate attempt to target specific organizations with relevant content.
Multi-Stage Infection Process
The attack begins when a user opens what appears to be a standard PDF. In reality the file is a shortcut whose name ends in “.pdf.lnk”; because Windows Explorer never displays the .lnk extension, even when extensions are set to be shown, the file presents as “something.pdf” with a document icon. Opening it launches PowerShell with the arguments stored in the shortcut, and that script uses XOR-based decoding to extract both the decoy document and the malicious payload from the LNK file.
Once running, the malware checks the system for virtual machines, debugging tools, and forensic environments. If none are detected, it drops a VBScript and establishes persistence through scheduled tasks that run every 30 minutes.
Subsequently, the malware collects system data, including OS details, boot time, and running processes. It then uploads this information to attacker-controlled GitHub repositories. In later stages, the malware retrieves additional instructions from GitHub while sending real-time network data to maintain continuous monitoring.
Since all communication occurs over HTTPS to a trusted domain, the activity blends with normal traffic. Without TLS inspection, network defenders see only a connection to GitHub; the useful signals are which process made it (a script host rather than a browser or git client), the repositories involved, and the 30-minute cadence of the scheduled task.
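The infection chain above turns on three properties of the shortcut itself: a document-looking double extension, a PowerShell decoder carried in the arguments, and a payload appended inside the file. The following is an added triage example written for this article, not FortiGuard's tooling or a real sample: it parses the MS-SHLLINK structure, measures how many bytes sit after it, and scores the file. The marker list, thresholds and the constructed lure are this example's assumptions.

```python
import struct

# Minimal MS-SHLLINK (.lnk) reader plus triage heuristics modelled on the lure traits the
# article describes. Added illustration; thresholds and marker lists are assumptions.

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits; StringData fields appear after the header in this order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def _read_string(data, off, unicode):
    # StringData entry: 2-byte CountCharacters, then the characters, no terminator
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le", "replace"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count

def parse_lnk(data):
    """Return the shortcut's string fields plus the number of bytes that follow the
    parsed structure; a large trailer is where an appended payload would sit."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: 2-byte size + items
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # skip LinkInfo: 4-byte size-prefixed
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    # ExtraData blocks are 4-byte size-prefixed; a size below 4 is the terminal block
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, off)
        if size < 4:
            off += 4
            break
        if off + size > len(data):           # malformed block: stop parsing here
            break
        off += size
    fields["trailing_bytes"] = max(0, len(data) - off)
    return fields

DOC_EXTENSIONS = (".pdf", ".hwp", ".docx", ".xlsx", ".txt")
DECODER_MARKERS = ("powershell", "-bxor", "-enc", "frombase64string", "-windowstyle hidden",
                   "-w hidden", "invoke-expression", "iex", "mshta", "wscript", "cscript")

def triage_lnk(filename, data, long_args=150, trailer_threshold=4096):
    """Score one shortcut; two or more independent reasons mark it suspicious."""
    fields = parse_lnk(data)
    reasons = []
    lower = filename.lower()
    if any(lower.endswith(ext + ".lnk") for ext in DOC_EXTENSIONS):
        reasons.append("document double extension (Explorer never displays .lnk)")
    haystack = (fields.get("arguments", "") + " " + fields.get("relative_path", "")).lower()
    hits = [m for m in DECODER_MARKERS if m in haystack]
    if hits:
        reasons.append("script host / decoder markers: " + ", ".join(hits))
    if len(fields.get("arguments", "")) > long_args:
        reasons.append("oversized argument string (%d chars)" % len(fields["arguments"]))
    if fields["trailing_bytes"] >= trailer_threshold:
        reasons.append("%d bytes appended after the shortcut structure" % fields["trailing_bytes"])
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "fields": fields}

def build_lnk(arguments, relative_path, trailer=b""):
    """Construct a minimal .lnk for testing (constructed data, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, icon, show cmd
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + b"\x00\x00\x00\x00" + trailer

# Constructed lure: powershell target, XOR decoder in the arguments, 8 KiB blob appended
LURE_ARGS = ('-NoProfile -WindowStyle Hidden -Command "$f=(Get-ChildItem *.lnk|'
             '?{$_.Length -gt 100KB}).FullName;$b=[IO.File]::ReadAllBytes($f);'
             '$d=$b[4096..($b.Length-1)]|%{$_ -bxor 0x5A};'
             '[IO.File]::WriteAllBytes(\'decoy.pdf\',$d);Start-Process decoy.pdf"')
POWERSHELL = "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LURE = build_lnk(LURE_ARGS, POWERSHELL, trailer=bytes([0x5A]) * 8192)
BENIGN = build_lnk("", "..\\Documents\\report.docx")

if __name__ == "__main__":
    for name, blob in (("Proposal.pdf.lnk", LURE), ("report.lnk", BENIGN)):
        verdict = triage_lnk(name, blob)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["reasons"])
```

The parser deliberately skips the LinkTargetIDList rather than decoding shell items, so a real lure that stores the powershell.exe target only in the IDList and leaves relative_path empty will still be caught by the argument markers and the trailer size, but the `powershell` marker would not fire; a production triage script should decode the IDList as well.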
Security Recommendations
To mitigate risk, organizations should treat unsolicited LNK and PDF attachments with caution even when they look legitimate, remembering that a name ending in “.pdf.lnk” never shows its real extension in Explorer. Monitoring for unusual PowerShell or VBScript activity is critical: script hosts launched by explorer.exe with hidden windows or long, encoded arguments, and scheduled tasks created with short repeat intervals. Security teams should also investigate unexpected outbound connections to GitHub API endpoints from processes that are not browsers or developer tools, as these may indicate hidden malicious activity.
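The recommendations above map onto three concrete detections: a script host spawned by Explorer with decoder logic in its command line, a scheduled task created with a 30-minute repeat, and a script host connecting to GitHub. The block below is an added example for this article, not a FortiGuard or vendor rule set: it runs those checks over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records and correlates the first and last by process GUID. The field names and all sample events are constructed.

```python
import re

# Added example: behavioural rules over constructed Sysmon-style events for the three
# behaviours the article reports. Field names, hosts list and sample events are assumptions.

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
GITHUB_HOSTS = {"api.github.com", "github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
DECODER_RE = re.compile(r"-bxor|frombase64string|-enc(odedcommand)?\b|invoke-expression|\biex\b",
                        re.I)
TASK_30MIN_RE = re.compile(r"/sc\s+minute\s+/mo\s+30\b", re.I)

def _base(path):
    # image name without directory, lower-cased, tolerant of either separator
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (rule, reference) findings; the last rule correlates by process GUID."""
    findings, tags = [], {}
    for i, ev in enumerate(events):
        img, parent = _base(ev.get("image", "")), _base(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        # 1. Explorer launching a script host with decoder logic or an oversized command line
        if ev["event_id"] == 1 and img in SCRIPT_HOSTS and parent == "explorer.exe" \
                and (DECODER_RE.search(cmd) or len(cmd) > 512):
            findings.append(("script_host_from_explorer_with_decoder", i))
            tags.setdefault(ev["process_guid"], set()).add("launch")
        # 2. A script host creating a task that repeats every 30 minutes
        if ev["event_id"] == 1 and img == "schtasks.exe" and parent in SCRIPT_HOSTS \
                and TASK_30MIN_RE.search(cmd):
            findings.append(("persistence_task_every_30_minutes", i))
        # 3. A script host, not a browser or git client, talking to GitHub
        if ev["event_id"] == 3 and img in SCRIPT_HOSTS \
                and ev.get("dest_host", "").lower() in GITHUB_HOSTS:
            findings.append(("script_host_to_github", i))
            tags.setdefault(ev["process_guid"], set()).add("github")
    # Correlation: the same process was both launched by Explorer and reached GitHub
    for guid, seen in tags.items():
        if {"launch", "github"} <= seen:
            findings.append(("chain_lnk_launch_to_github_c2", guid))
    return findings

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WS = "C:\\Windows\\System32\\wscript.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"event_id": 1, "process_guid": "{A}", "image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": PS + " -NoProfile -WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes("
                          "'C:\\Users\\user\\Downloads\\Proposal.pdf.lnk');"
                          "$d=$b[4096..($b.Length-1)]|%{$_ -bxor 0x5A}\""},
    {"event_id": 1, "process_guid": "{B}", "image": WS, "parent_image": PS,
     "command_line": WS + " //B C:\\Users\\user\\AppData\\Roaming\\upd.vbs"},
    {"event_id": 1, "process_guid": "{C}", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": WS,
     "command_line": "schtasks.exe /create /tn UpdateCheck /tr \"wscript.exe //B "
                     "C:\\Users\\user\\AppData\\Roaming\\upd.vbs\" /sc minute /mo 30 /f"},
    {"event_id": 3, "process_guid": "{A}", "image": PS, "dest_host": "api.github.com", "dest_port": 443},
    {"event_id": 3, "process_guid": "{D}", "image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "dest_host": "github.com", "dest_port": 443},                       # legitimate developer traffic
    {"event_id": 1, "process_guid": "{E}", "image": PS, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": PS + " -NoProfile -Command Get-Date"},            # ordinary admin use
]

def run_example():
    return evaluate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, ref in run_example():
        print(rule, ref)
```

Against the sample, the git.exe connection and the cmd.exe-launched PowerShell produce nothing, while the Explorer-launched PowerShell, the 30-minute task and the PowerShell-to-api.github.com connection each fire, and the shared GUID ties the first and third together. In real telemetry the hostname comes from Sysmon Event ID 3's DestinationHostname or Event ID 22 (DNS query), and the rules are only a starting point: the 30-minute interval and the decoder markers are what this campaign used, so tune them rather than treating them as fixed indicators.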
Overall, this campaign highlights how advanced threat actors continue to weaponize trusted platforms, turning everyday tools into powerful cyber espionage channels.