
A recently discovered campaign attributed to North Korean state-backed threat groups is using Windows shortcut files, known as LNK files, to carry out targeted phishing attacks against organizations in South Korea.

What makes this campaign notable is how the attackers hide their activity inside GitHub, one of the most trusted platforms online, turning it into a covert command-and-control (C2) channel.

Because GitHub is widely trusted and often allow-listed in corporate environments, malicious traffic sent through it blends in with normal web activity.

The campaign can be traced back to at least 2024 and has adopted more sophisticated tactics over time. Early versions of the LNK files used less obfuscation and retained metadata that allowed security analysts to track and link the attacks.

Those earlier variants were also linked to the distribution of XenoRAT malware. More recently, the threat actors have refined their methods, embedding decoding functions directly in the LNK file arguments and hiding encoded payloads inside the files themselves.

Decoy PDF documents are displayed to victims on infection, giving the impression that a legitimate file has opened normally while a malicious script runs quietly in the background.


FortiGuard Labs researchers, led by analyst Cara Lin, identified the campaign and noted that the decoy PDF titles collected from attack samples suggest the threat actor is deliberately targeting specific companies in South Korea as part of a broader surveillance effort.

Patterns in the metadata found within the LNK files, in particular the naming convention “Hangul Document,” match tactics used by North Korean state-sponsored groups, including Kimsuky, APT37, and Lazarus.

The campaign has been rated High severity because stolen data could enable follow-on attacks; Microsoft Windows is the affected platform.

The geographic focus and technical precision point to a deliberate, well-resourced operation rather than opportunistic criminal activity.

The threat actor carefully crafted lure documents on topics relevant to Korean business settings, such as financial proposals and strategic partnership contracts.

File names such as “TRAMS WINBOT AI Strategic Proposal.pdf.lnk” and “(CONFIDENTIAL) AIN x Mine Korea 2026.pdf.lnk” show how carefully each decoy was designed to appear genuine and credible to the recipient.

The overall goal appears to be long-term surveillance and intelligence gathering. By maintaining access through scheduled tasks that run every 30 minutes and using private GitHub repositories to store stolen logs and receive updated commands, the attacker quietly monitors compromised systems over time.

Because all communication takes place over encrypted HTTPS to a trusted domain, it passes standard perimeter defenses without raising alerts.

Multi-Stage Infection Mechanism

The attack begins when a victim opens what appears to be an ordinary PDF document. The file is actually an LNK shortcut that silently launches a PowerShell script.

LNK file with PowerShell script (Source - Fortinet)

An XOR-based decoding function inside the LNK file extracts both the decoy PDF and the malicious script, and the decoy document keeps the target's attention while the script runs.

LNK file with encoded data (Source - Fortinet)

Once running, the PowerShell script checks its environment for virtual machines, debugging tools, and forensic applications.

Checks on running processes (Source - Fortinet)

If none are found, it drops a VBScript file and creates a scheduled task that runs the payload every 30 minutes to maintain persistence.

Dropped VBS script (Source - Fortinet)

The script then collects the OS version, boot time, and running-process data and uploads them to an attacker-controlled GitHub repository.

Extracts system information and uploads it to GitHub (Source - Fortinet)

In the final stage, the malware fetches new commands from GitHub, while a persistent script sends live network data back to the attacker for real-time monitoring.

Attack chain (Source - Fortinet)

Users and security teams should treat unsolicited LNK and PDF files with caution, regardless of how legitimate they look.

Organizations should monitor for suspicious PowerShell or VBScript activity, and any unexpected outbound connections to GitHub API endpoints should be investigated promptly.
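As an added illustration (not code from the Fortinet report or this article), the following Python script correlates constructed endpoint log lines against the three stages described above: PowerShell launched from a file carrying a .pdf.lnk double extension, a scheduled task that fires every 30 minutes to run a dropped VBScript, and a script host connecting to GitHub API endpoints. The simplified log format, the rule weights, the alert threshold and the host names are assumptions.

```python
"""Score hosts by how many stages of the LNK -> PowerShell -> schtasks -> GitHub chain appear."""
import re
from collections import defaultdict

# Constructed sample lines in a simplified "host|event|detail" form (not real telemetry).
SAMPLE_LOGS = """\
HOST-A|ProcessCreate|parent=explorer.exe image=powershell.exe cmd=powershell.exe -w hidden -c <decoder> Proposal.pdf.lnk
HOST-A|ProcessCreate|parent=powershell.exe image=schtasks.exe cmd=schtasks /create /sc minute /mo 30 /tn Sync /tr "wscript.exe C:\\Users\\u\\AppData\\Roaming\\s.vbs"
HOST-A|NetworkConnect|image=powershell.exe dest=api.github.com port=443
HOST-B|ProcessCreate|parent=explorer.exe image=powershell.exe cmd=powershell.exe -File C:\\scripts\\backup.ps1
HOST-B|NetworkConnect|image=git.exe dest=github.com port=443
"""

# Each rule: name, event type it applies to, regex over the detail field, weight (assumed values).
RULES = [
    ("lnk_masquerading_pdf", "ProcessCreate",
     re.compile(r"image=powershell\.exe .*\.pdf\.lnk", re.I), 3),
    ("scheduled_task_30min_vbs", "ProcessCreate",
     re.compile(r"schtasks /create /sc minute /mo 30 .*\.vbs", re.I), 2),
    ("script_host_to_github_api", "NetworkConnect",
     re.compile(r"image=(powershell|wscript|cscript)\.exe dest=api\.github\.com", re.I), 2),
]
ALERT_THRESHOLD = 5  # assumed: a single stage alone should not page anyone

def parse_line(line):
    """Split one constructed log line into (host, event, detail)."""
    host, event, detail = line.split("|", 2)
    return host, event, detail

def correlate(log_text):
    """Return {host: (score, sorted rule names)} for every host matching at least one rule."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, event, detail = parse_line(line)
        for name, wanted_event, pattern, weight in RULES:
            if event == wanted_event and pattern.search(detail):
                hits[host].add((name, weight))
    return {h: (sum(w for _, w in s), sorted(n for n, _ in s)) for h, s in hits.items()}

def alerting_hosts(log_text):
    """Hosts whose combined score reaches the threshold, i.e. several stages of the chain seen."""
    return sorted(h for h, (score, _) in correlate(log_text).items() if score >= ALERT_THRESHOLD)

if __name__ == "__main__":
    for host, (score, names) in correlate(SAMPLE_LOGS).items():
        print(host, score, names)
    print("alert:", alerting_hosts(SAMPLE_LOGS))
```

HOST-B shows a legitimate PowerShell script and a git client talking to github.com, so it matches no rule; the point of weighting is that only a host exhibiting more than one stage of the chain crosses the threshold.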
