A sophisticated phishing campaign attributed to North Korean state-sponsored actors is leveraging Windows shortcut files (LNK) to infiltrate organizations, primarily in South Korea. This operation is notable for its covert use of GitHub as a command and control (C2) channel, a platform widely trusted and often whitelisted by corporate security systems, allowing malicious traffic to blend in with legitimate activity. The campaign has been active since at least 2024, exhibiting increasing technical prowess over time.
Researchers at FortiGuard Labs have detailed how the threat actor has evolved its methods, embedding decoding functions within LNK file arguments and hiding encoded payloads. Upon execution, victims are presented with decoy PDF documents, creating the illusion of a normal file opening while a malicious script operates in the background. These elaborate decoy documents, often referencing financial proposals and strategic partnership agreements, are carefully crafted to appear authentic to recipients in Korean business contexts, suggesting a targeted surveillance and intelligence-gathering objective.
North Korea-Related Campaign Abuses GitHub for C2 in LNK Phishing Attacks
The ongoing campaign, identified by FortiGuard Labs analysts, utilizes metadata patterns in the LNK files, such as the naming convention “Hangul Document,” which aligns with tactics previously observed from North Korean state-sponsored groups like Kimsuky, APT37, and Lazarus. This geographic focus and technical execution suggest a deliberate, well-resourced operation rather than opportunistic cybercrime. The campaign has been classified as High severity due to the potential for stolen data to fuel subsequent attacks.
The attack chain begins when a victim opens a seemingly innocuous PDF file, which is in reality an LNK shortcut. This shortcut silently executes a PowerShell script. The LNK file itself contains an XOR-based decoding function responsible for extracting both the decoy PDF and the malicious script, effectively masking the malicious payload while the decoy distracts the user.
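The first step of that chain is a file that looks like a PDF but is really a shortcut. The Python below is an added triage example, not code from FortiGuard Labs or from the campaign: it checks whether a blob carries a Shell Link header (so the magic bytes, not the file name, decide), walks the header, IDList and LinkInfo sections to reach the StringData fields as laid out in Microsoft's MS-SHLLINK specification, and flags the traits the article describes, namely a shortcut posing as a document, arguments that launch a hidden PowerShell, and an argument string large enough to be carrying an embedded payload. The two sample shortcuts and the 512-character threshold are constructed for the demonstration and are assumptions, not values from the report.

```python
import struct

# Shell Link (.LNK) layout constants, per Microsoft's MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits needed to walk from the header to the StringData section.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries are stored in this fixed order, each present only if its flag is set.
STRING_DATA = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def is_lnk(data: bytes) -> bool:
    """True when the bytes carry a Shell Link header, whatever the file name claims."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus every StringData field present, arguments included."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself, so skip it whole
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage(filename: str, data: bytes, max_args: int = 512) -> list:
    """Defender-side checks; returns the reasons a file looks like a shortcut lure (empty = clean)."""
    reasons = []
    if not is_lnk(data):
        return reasons
    lowered_name = filename.lower()
    if not lowered_name.endswith(".lnk") or ".pdf" in lowered_name:
        reasons.append("shortcut posing as a document: " + filename)
    args = parse_lnk(data).get("arguments", "")
    lowered = args.lower()
    if "powershell" in lowered or "pwsh" in lowered:
        reasons.append("arguments launch PowerShell")
    if "-w hidden" in lowered or "windowstyle hidden" in lowered:
        reasons.append("arguments hide the console window")
    if len(args) > max_args:     # threshold is an assumption; embedded payloads push this far higher
        reasons.append("oversized argument string (%d chars) may carry an embedded payload" % len(args))
    return reasons


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode LNK carrying only RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, etc. left zero
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a lure-shaped shortcut (the run of "X" stands in for an encoded blob) and a benign one.
LURE_ARGS = "/c powershell -w hidden -c " + "X" * 600
LURE_LNK = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", LURE_ARGS)
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for name, blob in (("Proposal.pdf.lnk", LURE_LNK), ("Notes.lnk", BENIGN_LNK), ("Real.pdf", b"%PDF-1.7\n")):
        print(name, "->", triage(name, blob) or "no findings")
```

Run it on a quarantined attachment directory to see which "PDFs" are shortcuts and what they launch; the argument string is the part to keep in the case file, since that is where this campaign stores its decoding routine and encoded payload.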
Multi-Stage Infection Mechanism and Persistence
Once activated, the PowerShell script performs anti-analysis checks, looking for signs of virtual machines, debuggers, or forensic tools. If no such indicators are found, the script proceeds to drop a VBScript file onto the compromised system. To ensure persistence, it then establishes a scheduled task that triggers the malicious payload every 30 minutes.
Following the persistence mechanism, the script gathers critical system information, including the operating system version, boot time, and a list of running processes. This collected data is then exfiltrated to a GitHub repository controlled by the attackers. In the final stage of the infection, the malware retrieves new instructions from that same attacker-controlled GitHub repository. Simultaneously, a separate keep-alive script transmits live network data to the attacker, enabling real-time monitoring of the compromised environment.
The use of private GitHub repositories for storing stolen logs and receiving instructions, coupled with communication over encrypted HTTPS traffic to a trusted domain, allows the threat actor to maintain a low profile and evade detection by standard perimeter defenses. This approach to C2 highlights the evolving tactics of state-sponsored threat actors.
To mitigate the risks associated with such attacks, users and security teams should exercise extreme caution with unsolicited LNK and PDF files, regardless of their apparent authenticity. Monitoring environments for unusual PowerShell or VBScript activity is crucial. Additionally, any unexpected outbound connections to GitHub API endpoints warrant immediate investigation. The sustained nature and technical sophistication of this campaign underscore the persistent threat posed by North Korean-linked cyber operations.
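The monitoring advice above maps onto four observable stages of the chain described earlier: a double-clicked shortcut spawning a hidden PowerShell, a scheduled task created on a minute-based interval, a VBScript run from a user-writable location, and a non-browser process talking to the GitHub API. The Python below is an added example of that detection logic, not FortiGuard's own rules or tooling. The events are constructed to resemble Sysmon process-create and network-connect records; the process names, paths, task name and the list of processes allowed to reach GitHub are all assumptions to be tuned for a real environment.

```python
import re

# Constructed telemetry, shaped loosely like Sysmon process-create and network-connect events.
# None of these records come from the FortiGuard report; hosts, paths and task names are made up.
EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c [constructed-placeholder]"},
    {"id": 2, "type": "process", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 30 /tn SystemUpdate /tr C:\Users\Public\update.vbs"},
    {"id": 3, "type": "process", "parent": "svchost.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\update.vbs"},
    {"id": 4, "type": "network", "image": "wscript.exe", "dest_host": "api.github.com", "dest_port": 443},
    {"id": 5, "type": "network", "image": "chrome.exe", "dest_host": "api.github.com", "dest_port": 443},
    {"id": 6, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\|\\temp\\", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(w|windowstyle)\s+h(idden)?\b|-(e|ec|enc|encodedcommand)\s", re.I)
MINUTE_TASK = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1)\b", re.I)
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Assumption: the only processes expected to reach GitHub in this environment.
GITHUB_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def task_interval_minutes(cmdline: str):
    """Interval of a 'schtasks /create /sc minute /mo N' command line, or None if not minute-based."""
    m = MINUTE_TASK.search(cmdline)
    return int(m.group(1)) if m else None


def rule_hidden_powershell(ev) -> bool:
    """Explorer (i.e. a double-clicked file) spawning a hidden or encoded PowerShell."""
    return (ev["type"] == "process" and ev["image"] in ("powershell.exe", "pwsh.exe")
            and ev["parent"] == "explorer.exe"
            and HIDDEN_OR_ENCODED.search(ev["cmdline"]) is not None)


def rule_minute_task(ev) -> bool:
    """schtasks creating a minute-interval task that runs a script or anything in a user-writable path."""
    if ev["type"] != "process" or ev["image"] != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower() or task_interval_minutes(cmd) is None:
        return False
    return bool(SCRIPT_EXT.search(cmd) or USER_WRITABLE.search(cmd))


def rule_script_host(ev) -> bool:
    """wscript/cscript executing something out of Public, AppData or Temp."""
    return (ev["type"] == "process" and ev["image"] in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


def rule_github_egress(ev) -> bool:
    """A process outside the allow-list connecting to GitHub (API or content hosts)."""
    return (ev["type"] == "network" and ev["dest_host"] in GITHUB_HOSTS
            and ev["image"] not in GITHUB_ALLOWED)


RULES = [
    ("hidden_powershell_from_explorer", rule_hidden_powershell),
    ("minute_interval_scheduled_task", rule_minute_task),
    ("script_host_from_user_writable_path", rule_script_host),
    ("github_egress_from_unexpected_process", rule_github_egress),
]


def detect(events) -> list:
    """Run every rule over every event; return one alert per (event, matching rule)."""
    return [{"id": ev["id"], "rule": name} for ev in events for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("event %d -> %s" % (alert["id"], alert["rule"]))
```

Each rule is weak on its own (developers do run git and PowerShell), which is why the alerts carry the event id: the value comes from seeing several of them on one host within a short window, with the scheduled-task interval and the GitHub-bound process name as the pivot points for the investigation.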

