Ethical Hacking News
Threat actors associated with the Democratic People's Republic of Korea (DPRK) have been identified as utilizing GitHub as a command-and-control infrastructure in a series of sophisticated multi-stage attacks targeting organizations in South Korea. The attack chain, which involves obfuscated Windows shortcut files and PowerShell scripts, demonstrates the group's continued efforts to evolve their tactics and techniques in order to evade detection.
The use of native Windows tools for deployment, evasion, and persistence underscores the sophistication of these attacks, while the deployment of malware families via legitimate software channels raises concerns about the potential for widespread compromise. As Kimsuky continues to shift its TTPs, it is essential that organizations prioritize incident response capabilities and stay informed about emerging threats in order to effectively mitigate their impact.
Threat actors associated with North Korea have been using GitHub as a command-and-control (C2) infrastructure in multi-stage attacks targeting South Korea. The attacks use obfuscated Windows shortcut files to distribute decoy PDF documents and PowerShell scripts. The scripts evade analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools. The scripts extract a Visual Basic Script (VBScript) and set up persistence using a scheduled task to launch the script every 30 minutes. The PowerShell script exfiltrates logs to a GitHub repository created under the account "motoralis" using a hard-coded access token. Security researchers note that the attackers use native Windows tools for deployment, evasion, and persistence, minimizing detection rates.
Threat actors associated with the Democratic People's Republic of Korea (DPRK) have been identified as utilizing GitHub as a command-and-control (C2) infrastructure in a series of multi-stage attacks targeting organizations in South Korea. According to Fortinet FortiGuard Labs, these attacks utilize obfuscated Windows shortcut (LNK) files as the initial point of entry to distribute decoy PDF documents and PowerShell scripts that set the stage for subsequent phases of the attack.
The LNK files are believed to be distributed via phishing emails, with the contents of the email serving as a vector for the initial payload. Once the payload is downloaded, the victim is presented with a PDF document while the malicious PowerShell script runs silently in the background. The PowerShell script performs various checks to evade analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools.
If any of these processes are detected, the script immediately terminates. Otherwise, it extracts a Visual Basic Script (VBScript) and sets up persistence using a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to sidestep detection. This ensures that the PowerShell script is executed automatically after every system reboot.
The PowerShell script then profiles the compromised host, saves the result to a log file, and exfiltrates it to a GitHub repository created under the account "motoralis" using a hard-coded access token. Some of the GitHub accounts created as part of this campaign include "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip."
The script then parses a specific file in the same GitHub repository to fetch additional modules or instructions, thus allowing the operator to weaponize the trust associated with a platform like GitHub to blend in and maintain persistent control over the infected host. Fortinet noted that earlier iterations of this campaign relied on LNK files to spread malware families like Xeno RAT. The use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year, with these attacks being attributed to a North Korean state-sponsored group known as Kimsuky.
Security researcher Cara Lin stated that instead of utilizing complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate. This is particularly concerning given the sophistication of the attack chain and the fact that it relies on exploiting common vulnerabilities in software distribution channels.
AhnLab detailed a similar LNK-based infection chain from Kimsuky that ultimately results in the deployment of a Python-based backdoor. The LNK files, as before, execute a PowerShell script and create a hidden folder in the "C:\windirr" path to stage payloads, including a decoy PDF document and another LNK file that mimics a Hangul Word Processor (HWP) document. Also deployed are intermediate payloads to set up persistence and launch a PowerShell script that uses Dropbox as a C2 channel to fetch a batch script.
The batch file then downloads two separate ZIP file fragments from a remote server ("quickcon[.]store") and combines them together to create a single archive and extracts from it an XML task scheduler and a Python backdoor. The task scheduler is used to launch the implant. The Python-based malware supports the ability to download additional payloads and execute commands issued from the C2 server, including running shell scripts, listing directories, uploading/download/delete files, and running BAT, VBScript, and EXE files.
The findings coincide with ScarCruft's shift from traditional LNK-based attack chains to an HWP OLE-based dropper to deliver RokRAT, a remote access trojan exclusively used by the North Korean hacking group. The malware is embedded as an OLE object within an HWP document and executed via DLL side-loading.
This marks a significant evolution in the tactics, techniques, and procedures (TTPs) employed by Kimsuky, with the use of GitHub C2 to distribute malware families indicating a desire to blend in with legitimate software development channels. The deployment of native Windows tools for deployment, evasion, and persistence highlights the group's efforts to minimize the detection rate of their attacks.
The sophistication of these attacks underscores the need for increased vigilance on the part of organizations operating in South Korea and globally, as well as a concerted effort to improve incident response capabilities. As threats continue to evolve at an unprecedented pace, it is essential that organizations stay informed about emerging trends and develop effective strategies to mitigate the impact of malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/DPRK-Linked-Hackers-Exploit-GitHub-as-Command-and-Control-Infrastructure-in-Sophisticated-Multi-Stage-Attacks-Against-South-Korea-ehn.shtml
https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html
https://www.fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
https://attack.mitre.org/groups/G0094/
Published: Mon Apr 6 13:22:15 2026 by llama3.2 3B Q4_K_M
