North Korean Hackers Abuse GitHub to Spy on South Korean Firms
North Korean hackers abuse GitHub to spy on South Korean firms using LNK files and PowerShell.
Summary
FortiGuard Labs uncovered a high-severity spying campaign attributed to North Korean state-sponsored groups (Kimsuky, APT37, or Lazarus) targeting South Korean companies since 2024. The attackers use LNK shortcut files, hidden PowerShell scripts, and legitimate GitHub repositories to evade detection while stealing sensitive system data from Windows users. The campaign leverages native Windows tools and GitHub's trusted infrastructure to maintain persistence and exfiltrate stolen data every 30 minutes via scheduled tasks.
Full text
By Deeba Ahmed, April 3, 2026

Researchers from FortiGuard Labs have uncovered a high-severity spying campaign targeting South Korean companies. Discover how North Korean hackers are using LNK files, hidden PowerShell scripts, and legitimate GitHub repositories to evade detection and steal sensitive system data from Windows users.

A group of North Korean hackers has been caught using a clever trick to peek into the computers of various businesses across South Korea. While these attacks can be traced back to 2024, researchers at Fortinet’s FortiGuard Labs have found that the hackers recently updated their methods to be far more secretive. The key targets are Microsoft Windows users, putting corporate environments at risk.

The North Korean Connection

Researchers noted that the fingerprints left behind in this campaign point toward North Korean state-sponsored groups like Kimsuky, APT37, or Lazarus. One of the biggest giveaways is the use of the label “Hangul Document”, a naming pattern famously used by these groups to target Korean users.

These attackers are masters of social engineering. Instead of using one story, they employ multiple phishing themes, ranging from fake purchase orders to technical papers, to bait different employees. By switching up these lures, they can target a much broader audience with a higher success rate.

Further investigation revealed they now avoid obvious malware, choosing instead to exploit native Windows tools like PowerShell, VBScript, and WScript. By using these built-in features to stay hidden, they can target a broad audience with a very low detection rate.

The Trap

The attack doesn’t start with a complex virus, but with a simple shortcut file known as an LNK file.
To the average worker, these look like harmless office documents, but the moment a user double-clicks, a decoy PDF pops up to keep them occupied while a silent script dismantles the computer’s privacy in the background.

Figure: Attack Chain (Source: Fortinet)

This script, as per researchers, runs a health check for security tools like Wireshark, Fiddler, x64dbg, and Procmon, and also looks for the vmtoolsd process, which indicates a VMware virtual machine. If it finds any of these, it shuts down instantly to avoid being studied. However, if the coast is clear, it uses XOR encoding with a key to scramble its code and hide from basic antivirus software.

Hiding in the Cloud

The most effective part of the operation is how the hackers communicate. Instead of relying on their own servers, they use GitHub to move data. Fortinet researchers identified accounts such as motoralis, Pigresy80, and brandonleeodd93-blip, where stolen information is stored in private repositories. Because GitHub is widely trusted, this traffic often passes through corporate security systems without being flagged.

Figure: Attacker’s GitHub and Decoy PDF (Source: Fortinet)

To maintain access, they set up a scheduled task, named to look like a technical paper for the Creata Chain Task, which wakes the malware every 30 minutes. Researchers warned in the blog post that “this combination of legitimate tools and trusted web services creates a highly effective infection chain.”

While earlier versions spread the XenoRAT malware, the current version focuses on deep surveillance. It steals OS versions, build numbers, and active process lists, sending a keep-alive log back to the hackers. Since these attacks exploit Windows’ own built-in tools, staying safe requires caution with any unexpected files.

Expert Insights

Several industry experts shared their thoughts on the campaign with Hackread.com.
Jason Soroko, Senior Fellow at Sectigo, noted that modern cyber espionage has “shifted toward a highly evasive strategy known as living off the land.” He explained that “by relying on native utilities like PowerShell and scheduled tasks instead of dropping recognizable custom malware, these attackers turn a network’s own administrative functions against the organization.”

Furthermore, Mr. Jamie Boote, Senior Manager at Black Duck, highlighted how “this attack demonstrates how malicious actors can turn legitimate infrastructure into a novel attack surface.” He pointed out that “the fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors.”
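As an added defender-side example (not code from Fortinet’s report or from this article), the Python script below turns the behaviours described above into hunting heuristics run over constructed Sysmon/Windows-event-style records: a script host launched from explorer.exe (the LNK double-click), a PowerShell script block that enumerates the analysis tools the researchers listed, a script host talking to GitHub, and a newly registered scheduled task that runs a script host every 30 minutes. The event field names, host names, task XML and sample records are assumptions constructed for the example; real telemetry would need a field-mapping step first.

```python
"""Hunting heuristics for the LNK -> PowerShell -> GitHub chain described above.

Added example, not Fortinet's or Hackread's code. Event dicts are constructed
in a Sysmon/Windows-log style; the field names are assumptions, not a real schema.
"""
import re
from collections import defaultdict

# Interpreters the campaign is reported to rely on (PowerShell, VBScript/WScript).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# GitHub endpoints a script host has little reason to contact on a non-developer workstation.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Analysis tools and the VMware Tools process the script checks for before running.
ANALYSIS_TOOLS = ("wireshark", "fiddler", "x64dbg", "procmon", "vmtoolsd")


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_create(ev):
    # A script host whose parent is explorer.exe is the pattern left by a user
    # double-clicking a shortcut or script file.
    if image_name(ev["Image"]) in SCRIPT_HOSTS and image_name(ev["ParentImage"]) == "explorer.exe":
        return "script host launched from explorer.exe (LNK double-click pattern)"
    return None


def check_network(ev):
    if image_name(ev["Image"]) in SCRIPT_HOSTS and ev["DestinationHostname"].lower() in GITHUB_HOSTS:
        return f"script host contacted {ev['DestinationHostname']}"
    return None


def check_task_created(ev):
    # Task-registration events carry the task XML; flag a script-host action
    # combined with the 30-minute repetition interval the article describes.
    xml = ev["TaskContent"]
    cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
    interval = re.search(r"<Interval>(PT\d+M)</Interval>", xml)
    if cmd and image_name(cmd.group(1)) in SCRIPT_HOSTS and interval and interval.group(1) == "PT30M":
        return f"scheduled task '{ev['TaskName']}' runs a script host every 30 minutes"
    return None


def check_script_block(ev):
    # Three or more analysis-tool names in one script block is an anti-analysis check.
    text = ev["ScriptBlockText"].lower()
    hits = [tool for tool in ANALYSIS_TOOLS if tool in text]
    if len(hits) >= 3:
        return "script block enumerates analysis tools: " + ", ".join(hits)
    return None


CHECKS = {
    "ProcessCreate": check_process_create,
    "NetworkConnect": check_network,
    "TaskCreated": check_task_created,
    "ScriptBlock": check_script_block,
}


def hunt(events):
    """Run every applicable check and group the findings by host."""
    findings = defaultdict(list)
    for ev in events:
        check = CHECKS.get(ev["EventType"])
        if check:
            message = check(ev)
            if message:
                findings[ev["Host"]].append(message)
    return dict(findings)


# Constructed sample telemetry (not real events); WS-DEV-02 is a benign developer host.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "WS-FIN-07",
     "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ScriptBlock", "Host": "WS-FIN-07",
     "ScriptBlockText": "Get-Process wireshark,fiddler,x64dbg,procmon,vmtoolsd -ErrorAction SilentlyContinue"},
    {"EventType": "NetworkConnect", "Host": "WS-FIN-07",
     "Image": PS_EXE, "DestinationHostname": "api.github.com"},
    {"EventType": "TaskCreated", "Host": "WS-FIN-07", "TaskName": "Creata Chain Task",
     "TaskContent": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval>"
                    "</Repetition></TimeTrigger></Triggers><Actions><Exec><Command>powershell.exe"
                    "</Command><Arguments>-File C:\\Users\\Public\\update.ps1</Arguments></Exec>"
                    "</Actions></Task>"},
    {"EventType": "NetworkConnect", "Host": "WS-DEV-02",
     "Image": r"C:\Program Files\Git\cmd\git.exe", "DestinationHostname": "github.com"},
]

if __name__ == "__main__":
    for host, messages in hunt(SAMPLE_EVENTS).items():
        print(host)
        for message in messages:
            print("  -", message)
```

Each check on its own is noisy (developers do talk to GitHub from scripts); the value is in the per-host grouping, where several of these behaviours landing on one workstation within a short window is what merits an analyst’s attention.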
Indicators of Compromise
- malware — XenoRAT