DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

Summary

Threat actors associated with North Korea's Kimsuky group have been observed leveraging GitHub repositories as command-and-control infrastructure in targeted attacks against South Korean organizations. The attack chain begins with obfuscated Windows shortcut (LNK) files distributed via phishing emails that deploy a PowerShell script capable of profiling systems, establishing persistence via scheduled tasks, and exfiltrating data to GitHub accounts. The campaign demonstrates a shift toward using native Windows tools and legitimate platforms to evade detection while maintaining persistent control.

Full text

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Ravie LakshmananApr 06, 2026Malware / Threat Intelligence Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea. The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF document and a PowerShell script that sets the stage for the next phase of the attack. It's assessed that these LNK files are distributed via phishing emails. As soon as the payloads are downloaded, the victim is displayed the PDF document, while the malicious PowerShell script runs silently in the background. The PowerShell script performs checks to resist analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools. If any of those processes are detected, the script immediately terminates. Otherwise, it extracts a Visual Basic Script (VBScript) and sets up persistence using a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to sidestep detection. This ensures that the PowerShell script is executed automatically after every system reboot. The PowerShell script then profiles the compromised host, saves the result to a log file, and exfiltrates it to a GitHub repository created under the account "motoralis" using a hard-coded access token. Some of the GitHub accounts created as part of the campaign include "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip." The script then parses a specific file in the same GitHub repository to fetch additional modules or instructions, thus allowing the operator to weaponize the trust associated with a platform like GitHub to blend in and maintain persistent control over the infected host. Fortinet said that earlier iterations of the campaign relied on LNK files to spread malware families like Xeno RAT. It's worth noting that the use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year. These attacks were attributed to a North Korean state-sponsored group known as Kimsuky. "Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence," security researcher Cara Lin said. "By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate." The disclosure comes as AhnLab detailed a similar LNK-based infection chain from Kimsuky that ultimately results in the deployment of a Python-based backdoor. The LNK files, as before, execute a PowerShell script and create a hidden folder in the "C:\windirr" path to stage the payloads, including a decoy PDF and another LNK file that mimics a Hangul Word Processor (HWP) document. Also deployed are intermediate payloads to set up persistence and launch a PowerShell script, which then uses Dropbox as a C2 channel to fetch a batch script. The batch file then downloads two separate ZIP file fragments from a remote server ("quickcon[.]store") and combines them together to create a single archive and extracts from it an XML task scheduler and a Python backdoor. The task scheduler is used to launch the implant. The Python-based malware supports the ability to download additional payloads and execute commands issued from the C2 server. The instructions allow it to run shell scripts, list directories, upload/download/delete files, and run BAT, VBScript, and EXE files. The findings also coincide with ScarCruft's shift from traditional LNK-based attack chains to an HWP OLE-based dropper to deliver RokRAT, a remote access trojan exclusively used by the North Korean hacking group, per S2W. Specifically, the malware is embedded as an OLE object within an HWP document and executed via DLL side-loading. "Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload," the South Korean security company said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, GitHub, Malware, Phishing, powershell, Remote Access Trojan, Threat Intelligence Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• domain — quickcon.store
• malware — Xeno RAT
• malware — MoonPeak
• malware — RokRAT

Entities