North Korean Phishing Campaign Uses GitHub as Covert C2 Against South Korean Firms
FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows .lnk files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and vmtoolsd. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file.
The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as Kimsuky, APT37, and Lazarus.
Timeline
Apr 3, 2026
FortiGuard Labs publicly reports North Korea-linked GitHub C2 campaign
On April 3, 2026, FortiGuard Labs disclosed a high-severity espionage campaign attributed to North Korean state-sponsored actors, citing tradecraft and targeting patterns consistent with groups such as Kimsuky, APT37, and Lazarus.
Apr 3, 2026
Attackers evolve to GitHub-backed surveillance malware with persistence
The campaign shifted to more advanced LNK files that embed decoding logic and payload data, launch PowerShell and VBScript, perform anti-analysis checks, establish scheduled-task persistence, and use private GitHub repositories for command-and-control and data exfiltration.
Jan 1, 2024
Earlier campaign variants deliver XenoRAT via less-obfuscated LNK files
Researchers reported that earlier versions of the operation used less-obfuscated LNK samples associated with XenoRAT before the campaign evolved into more sophisticated surveillance-focused malware.
Jan 1, 2024
North Korea-linked LNK phishing campaign begins targeting South Korean firms
FortiGuard Labs said the espionage campaign has been active since at least 2024, using phishing lures with malicious Windows LNK files disguised as PDF documents to target organizations in South Korea.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
2 more from sources like hackread and cyber security news
Related Stories
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
1 months ago
North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains
North Korea–aligned operators, including **Lazarus** (aka **HIDDEN COBRA**), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on **Operation DreamJob** describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed **“Fake Font”** uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse *Visual Studio Code* automation (via `.vscode/tasks.json`) and disguised payloads (e.g., `.woff2` “font” files) to execute multi-stage malware that ultimately deploys the **InvisibleFerret** Python backdoor for credential and crypto-wallet theft and long-term access. A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses **VS Code tunnels** as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of *Vercel* to deliver remote-access tooling, exploitation of **CVE-2025-51683** (blind SQLi) in the *Mjobtime* time-tracking app to reach MSSQL `xp_cmdshell`, a hospitality-focused **DCRat** campaign using **ClickFix** and `MSBuild.exe`, a generic CSS exfiltration technique write-up, and Trend Micro research on the **PeckBirdy** LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.
1 months ago
Kimsuky Uses Malicious LNK Files to Deliver Python Backdoor
North Korea-linked threat group **Kimsuky** has been reported using malicious Windows shortcut (`.LNK`) files to initiate a **multi-stage infection chain** that ends with deployment of a **Python-based backdoor**. Reporting shared from both AhnLab and Excalibra indicates the campaign relies on weaponized LNK files as the initial access vector, with the malware delivery process evolving from earlier distribution patterns. The activity was attributed to Kimsuky in threat-intelligence reporting and social media amplification, with references also linking the cluster to **DPRK** operations and possible overlap or comparison with **Konni** tracking. While the cited summaries did not include victimology or technical indicators, they consistently described a shift in how the group distributes malware and highlighted the use of LNK-based social engineering to stage follow-on payloads.
1 weeks ago