A new cyber campaign linked to North Korea is using GitHub to hide malware operations and target users through deceptive LNK files.
- North Korea-linked attackers are targeting users in South Korea using malicious LNK files.
- Attackers are abusing GitHub as a Command and Control channel to avoid detection.
- The campaign uses PowerShell, VBScript, and scheduled tasks instead of traditional malware files.
- Stolen system and network data can be used for deeper espionage or follow-up attacks.
Security researchers have uncovered a new phishing campaign that uses Windows shortcut files to deliver hidden malware. The operation is linked to North Korea-related threat actors and shows a clear evolution in stealth and execution techniques.
Victims are tricked into opening files that appear to be normal documents, but behind the scenes a multi-stage attack begins, using trusted platforms like GitHub.
The attack begins with malicious LNK files disguised as documents, often themed around business reports or Korean companies. When opened, these files do more than launch a document.
They execute embedded scripts that drop a decoy PDF to mislead the user while silently launching a hidden PowerShell script in the background.
Earlier versions of these files were easier to detect because they contained visible metadata and simple obfuscation. However, newer variants now include:
- Encoded payloads embedded directly inside the file.
- Custom decoding functions using XOR logic.
- Removal of identifiable metadata to avoid tracking.
This shows a clear shift toward stronger evasion tactics.
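The traits listed above (a shortcut whose command line launches a script host, a window that never becomes visible, and an encoded payload appended inside the .lnk itself) can all be checked statically, without running the file. The following triage script is an added example written for this article, not code from the researchers or the campaign: it parses the ShellLinkHeader, skips the optional structures, reads the StringData entries, and reports any bytes that remain after the terminal ExtraData block, which is where an embedded payload would have to sit. The two shortcuts it examines are constructed fixtures, not real samples.

```python
"""Static triage of Windows shortcut (.lnk) files (added example, not from the article)."""
import re
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: window starts minimised and never takes focus

# Command-line fragments that mean the shortcut runs a script host rather than a document.
SCRIPT_HOST_ARGS = re.compile(
    r"powershell|pwsh|wscript|cscript|mshta|-w(?:indowstyle)?\s+hidden"
    r"|(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)|invoke-expression|\biex\b",
    re.IGNORECASE,
)


def _read_string(data, pos, unicode_):
    """Read one StringData entry: a 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode_:
        return data[pos:pos + count * 2].decode("utf-16-le", errors="replace"), pos + count * 2
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Walk header, optional structures, StringData and ExtraData; report what follows them."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (header_size,) = struct.unpack_from("<I", data, 0)
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # item ID list is prefixed by its 2-byte size
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfo carries its own 4-byte total size
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    # ExtraData: size-prefixed blocks; a size below 4 is the terminal block.
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    pos = min(pos, len(data))
    return {"show_command": show_cmd, "strings": strings,
            "overlay_offset": pos, "overlay_size": len(data) - pos}


def triage_lnk(data):
    """Return human-readable findings for the three traits described in the article."""
    info = parse_lnk(data)
    findings = []
    args = info["strings"].get("arguments", "")
    if SCRIPT_HOST_ARGS.search(args):
        findings.append("command line launches a script host: " + args[:80])
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE): window kept out of the user's view")
    if info["overlay_size"] > 0:
        findings.append(f"{info['overlay_size']} bytes appended after the terminal block "
                        "(possible embedded payload)")
    return findings


def build_sample_lnk(arguments, show_command, overlay=b""):
    """Constructed fixture: a minimal shortcut carrying only an arguments string."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0)                      # FileAttributes
    header += b"\x00" * 24                              # Creation/Access/Write time
    header += struct.pack("<III", 0, 0, show_command)   # FileSize, IconIndex, ShowCommand
    header += struct.pack("<HHII", 0, 0, 0, 0)          # HotKey, Reserved1..3
    encoded = arguments.encode("utf-16-le")
    string_data = struct.pack("<H", len(encoded) // 2) + encoded
    return header + string_data + b"\x00\x00\x00\x00" + overlay


# Constructed fixtures (not real samples): a plain shortcut and one with all three traits.
BENIGN_LNK = build_sample_lnk("", show_command=1)
SUSPECT_LNK = build_sample_lnk('-w hidden -nop -c "<decoder stub>"',
                               show_command=SW_SHOWMINNOACTIVE, overlay=b"\x41" * 512)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, triage_lnk(blob) or ["no findings"])
```

Run it over a quarantined mail attachment or a user's Downloads folder and the overlay size alone is usually decisive: a shortcut that opens a document has nothing after its terminal block, so hundreds of kilobytes of trailing data is a strong signal even when the arguments are obfuscated.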
Once executed, the PowerShell script performs several key actions to maintain stealth and control:
- Scans the system for debugging tools, virtual machines, and security software.
- Terminates itself if analysis tools like Wireshark or debuggers are detected.
- Decodes and deploys additional payloads into temporary folders.
- Uses VBScript to run processes in hidden mode.
The malware avoids dropping traditional executable files, instead relying on built-in Windows tools. This technique significantly reduces detection by antivirus systems.
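Because the chain above uses only built-in tools, the most reliable way to see it is process ancestry rather than file hashes: a PowerShell process started by Explorer with a hidden window, which in turn starts a VBScript host reading a script from a temporary folder. The detector below is an added example written for this article, not the researchers' rule set; it runs over a constructed list of process-creation events in the shape Sysmon or EDR telemetry provides (pid, parent pid, image path, command line). The host names, paths and pids are made up.

```python
"""Flag Explorer -> PowerShell -> script-host chains in process-creation events (added example)."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Options that hide the window, skip the profile or pass an encoded command.
EVASIVE_OPTIONS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)"
    r"|(?:^|\s)-nop(?:rofile)?\b|(?:^|\s)//b(?=\s|$)",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def _base(image):
    """Lower-case file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_script_chains(events):
    """Return (pid, reason) pairs for script hosts whose parent or arguments match the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = _base(e["image"])
        if image not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = _base(parent["image"]) if parent else "<unknown>"
        cmd = e["cmdline"]
        # A user double-clicking a shortcut shows up as Explorer starting PowerShell directly.
        if parent_image == "explorer.exe" and image in POWERSHELL and EVASIVE_OPTIONS.search(cmd):
            findings.append((e["pid"], "PowerShell started from Explorer with evasive options"))
        if parent_image in POWERSHELL and image in {"wscript.exe", "cscript.exe", "mshta.exe"}:
            findings.append((e["pid"], f"{image} spawned by PowerShell"))
        if USER_WRITABLE.search(cmd):
            findings.append((e["pid"], "script loaded from a user-writable path"))
    return findings


# Constructed events: one malicious chain, one normal Word launch, one admin script.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "<decoder stub>"'},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B //Nologo "C:\Users\alice\AppData\Local\Temp\Report.vbs"'},
    {"pid": 2200, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\Report.docx"'},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3100, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, reason in detect_script_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

The admin's inventory script is deliberately left alone: it is PowerShell too, but its parent is a console and its script lives outside user-writable folders. Tuning on those two dimensions, parent and path, is what keeps this rule quiet on developer and IT machines.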
To maintain long-term access, the attackers create a scheduled task that runs every 30 minutes. This task executes hidden scripts that keep the malware active even after system restarts.
The task names are designed to look legitimate, often resembling technical documents or reports, making them harder for users and admins to spot.
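A scheduled task with a document-like name, a 30-minute repetition and an action that runs a script host from a temporary folder is unusual enough to hunt for directly. The audit below is an added example written for this article, not tooling from the researchers; it reads task definitions in the XML format that `schtasks /query /xml` and `Export-ScheduledTask` produce and lists the reasons a task deserves a look. Both task definitions are constructed samples, and the task names and paths in them are invented.

```python
"""Audit exported Task Scheduler XML for persistence traits (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(
    r"-w(?:indowstyle)?\s+hidden|(?:^|\s)//b(?=\s|$)|(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)",
    re.IGNORECASE)
DOC_LIKE_NAME = re.compile(r"report|document|manual|\.(?:pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)


def iso_duration_minutes(text):
    """Convert an ISO 8601 duration such as PT30M or P1DT2H to minutes (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def audit_task(name, xml_text):
    """Return the list of reasons this task looks like the persistence described above."""
    root = ET.fromstring(xml_text.strip())
    reasons = []
    for action in root.iter(NS + "Exec"):
        command = (action.findtext(NS + "Command") or "").strip().strip('"')
        args = action.findtext(NS + "Arguments") or ""
        base = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {base}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(args):
            reasons.append("action references a user-writable path")
        if HIDDEN_OR_ENCODED.search(args):
            reasons.append("arguments hide the window or pass an encoded command")
    # Only Repetition/Interval is a beacon period; RestartOnFailure has an Interval too.
    for rep in root.iter(NS + "Repetition"):
        minutes = iso_duration_minutes(rep.findtext(NS + "Interval") or "")
        if minutes is not None and 0 < minutes <= 60:
            reasons.append(f"repeats every {minutes:g} minutes")
    if (root.findtext(f"{NS}Settings/{NS}Hidden") or "").strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    if reasons and DOC_LIKE_NAME.search(name):
        reasons.append("document-like task name")
    return reasons


# Constructed task definitions (invented names and paths), without the XML declaration.
SUSPECT_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-05-06T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\alice\AppData\Local\Temp\Quarterly_Report.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>
"""
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-05-06T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\BackupTool\backup.exe"</Command>
      <Arguments>--full</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for task_name, xml_text in (("Quarterly_Report.pdf", SUSPECT_TASK), ("NightlyBackup", BENIGN_TASK)):
        print(task_name, audit_task(task_name, xml_text) or ["no findings"])
```

The name heuristic is applied only when another signal is already present, so a task legitimately called "WeeklyReport" is not flagged on its name alone. Repetition intervals of an hour or less running a script host are rare in normal fleets and are worth a standing hunt query on their own.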
One of the most concerning aspects of this campaign is the use of GitHub as a Command and Control infrastructure.
Attackers use private repositories to:
- Send commands to infected systems.
- Upload stolen data such as system info and network details.
- Maintain a persistent communication channel using HTTPS.
Because GitHub is widely trusted and often allowed in corporate networks, this traffic blends in with normal activity. This makes detection extremely difficult.
Researchers also observed multiple GitHub accounts being used, with some staying inactive for months while others are activated when needed. This creates a resilient and flexible attack infrastructure.
The final stage of the attack ensures ongoing control. The malware regularly connects back to GitHub to:
- Fetch new instructions or additional payloads.
- Upload updated system and network logs.
- Track whether the infected machine is still active.
This allows attackers to monitor victims in real time and prepare for further exploitation, including deploying more advanced malware if required.
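GitHub traffic cannot simply be blocked in most organisations, but it can be compared against who is expected to generate it and how regular it is. The 30-minute task described above produces check-ins at near-constant intervals, and uploads of stolen system details show up as PUT or POST requests from machines that never push code. The script below is an added example written for this article, not the researchers' detection logic: it reads a constructed proxy log in a simple whitespace-separated layout (timestamp, host, user, destination, method, path, status, bytes), keeps only GitHub destinations, and alerts on non-developer hosts that either beacon with low jitter or upload data. The host names and repository path are invented; a real deployment would take the developer-host list from an asset inventory.

```python
"""Spot beacon-like GitHub traffic from non-developer hosts (added example, not from the article)."""
import statistics
from collections import defaultdict
from datetime import datetime

GITHUB_DOMAINS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                  "objects.githubusercontent.com"}
# Assumption: hosts that legitimately use GitHub, from inventory (hypothetical names).
DEVELOPER_HOSTS = {"dev-ws-01", "build-agent-02"}
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}


def parse_line(line):
    """Constructed proxy-log layout: ts host user dest method path status bytes."""
    ts, host, user, dest, method, path, status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "dest": dest,
            "method": method, "path": path, "status": int(status), "bytes": int(size)}


def find_github_beacons(lines, min_requests=4, max_jitter=0.10):
    """Return one alert per (host, GitHub domain) pair that looks like C2 rather than development."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["dest"] in GITHUB_DOMAINS:
            by_pair[(rec["host"], rec["dest"])].append(rec)
    alerts = []
    for (host, dest), recs in by_pair.items():
        if host in DEVELOPER_HOSTS:
            continue
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if len(recs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            mean = statistics.mean(gaps)
            # A low coefficient of variation means a near-constant interval: a scheduled check-in.
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"{len(recs)} requests about every {mean / 60:.0f} min")
        uploaded = sum(r["bytes"] for r in recs if r["method"] in UPLOAD_METHODS)
        if uploaded:
            reasons.append(f"{uploaded} bytes uploaded to {dest}")
        if reasons:
            alerts.append({"host": host, "dest": dest, "uploaded_bytes": uploaded,
                           "reasons": ["non-developer host contacting " + dest] + reasons})
    return alerts


# Constructed log: a developer doing git fetches, a finance laptop beaconing every ~30 min
# and uploading, and an HR machine browsing github.com once.
SAMPLE_LOG = """\
2024-05-06T09:00:00 fin-laptop-07 alice api.github.com GET /repos/OWNER/REPO/contents/tasks.txt 200 512
2024-05-06T09:05:00 dev-ws-01 bob github.com GET /ORG/PROJECT.git/info/refs 200 2200
2024-05-06T09:07:12 dev-ws-01 bob github.com POST /ORG/PROJECT.git/git-upload-pack 200 18000
2024-05-06T09:30:00 fin-laptop-07 alice api.github.com GET /repos/OWNER/REPO/contents/tasks.txt 200 512
2024-05-06T10:00:30 fin-laptop-07 alice api.github.com PUT /repos/OWNER/REPO/contents/sysinfo.txt 201 2048
2024-05-06T10:29:40 fin-laptop-07 alice api.github.com GET /repos/OWNER/REPO/contents/tasks.txt 200 512
2024-05-06T11:00:10 fin-laptop-07 alice api.github.com PUT /repos/OWNER/REPO/contents/netinfo.txt 201 4096
2024-05-06T12:00:00 hr-pc-03 carol github.com GET /explore 200 9000
2024-05-06T13:40:00 dev-ws-01 bob github.com GET /ORG/PROJECT.git/info/refs 200 2200
""".splitlines()

if __name__ == "__main__":
    for alert in find_github_beacons(SAMPLE_LOG):
        print(alert["host"], "->", alert["dest"], "|", "; ".join(alert["reasons"]))
```

The HR machine's single visit produces nothing, which is the point: the signal is regularity and direction of data flow, not the destination by itself. If proxy logs only record the SNI or CONNECT target rather than the path and method, the periodicity check still works; only the upload reason is lost.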
This campaign stands out because it avoids traditional malware patterns. Instead, it combines:
- Legitimate platforms like GitHub.
- Native Windows tools such as PowerShell and VBScript.
- Minimal use of suspicious files.
This approach creates a low-noise attack chain that can bypass many standard security defenses. It also highlights a growing trend where attackers rely more on trusted services and built-in tools rather than custom malware.
Security experts recommend several steps to defend against such attacks:
- Monitor for unusual PowerShell and script activity.
- Restrict or closely inspect LNK file execution.
- Watch for suspicious scheduled tasks and hidden scripts.
- Analyze unexpected GitHub traffic, especially from non-developer systems.
- Train employees to recognize phishing attempts and fake document files.
I think this campaign is a clear warning sign. Attackers are no longer relying on complex malware alone. They are getting smarter by using tools and platforms we already trust. That makes these attacks far more dangerous and harder to spot.
If companies continue to treat platforms like GitHub as automatically safe, they are leaving a big gap in their defenses. It is time to shift focus from just blocking malware to understanding behavior and intent.

