Phishing LNK files and GitHub C2 power new DPRK cyber attacks

Pierluigi Paganini
April 06, 2026

DPRK-linked hackers use GitHub C2s, starting attacks via phishing LNK files that drop a PDF and PowerShell script in South Korea.

North Korea-linked threat actors target South Korean organizations using GitHub as C2 servers. The attack chain starts with phishing emails carrying obfuscated LNK files that drop a decoy PDF and a PowerShell script to advance the intrusion.

“FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection.” reads the report published by FortiGuard Labs. “Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.”

The attacker recently changed tactics, embedding decoding functions and encoded payloads directly in LNK files. Decoy PDF titles show a focus on targeting companies in South Korea to expand surveillance.

Attackers use LNK files with embedded scripts to launch PowerShell commands from GitHub. Early versions hid C2 data with simple obfuscation, while later ones added decoding functions and shared metadata like “Hangul Document.” In recent attacks, they removed metadata and used encoded payloads. The LNK drops a decoy PDF to distract victims while the malicious script runs silently.

“In the latest attacks, the threat actor has removed this identifying metadata, leaving only a decoding function within the arguments.” reads the report published by FortiGuard Labs. “This function p1 takes three parameters: location, length, and an XOR key. It first defines a path to drop the decoy PDF, then decodes both the PDF and a PowerShell script for the next stage of the attack.”

The PowerShell script runs checks to detect analysis tools and stops if it finds them, helping attackers to remain under the radar. It then decodes payloads, stores them in temporary folders, and creates persistence using a scheduled task that runs silently.

The script collects system details and sends them to GitHub using hidden repositories.

Attackers rely on multiple accounts, both active and dormant, to manage operations and avoid detection while continuing data exfiltration.

“Our investigation into this GitHub account, motoralis, reveals consistent activity dating back to 2025, which matches our threat-hunting results on earlier LNK file variants. Other activities involve multiple GitHub accounts in similar attacks, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip.” continued the report. “A broader analysis of the attacker’s infrastructure reveals a strategic use of both dormant and active accounts. While some accounts, like entire73, remain largely inactive for months, others, like brandonleeodd93-blip, were activated just weeks ago to provide immediate redundancy. The motoralis account functions as the primary operational hub, showing a surge in private repository contributions that closely align with the recent spike in LNK-based phishing lures. By conducting all activity within private repositories, the threat actor effectively conceals their malicious payloads and exfiltrated logs from public view while leveraging the high reputation of the GitHub domain to stay under the radar of corporate security filters.”

In the final stage, the script keeps a stable link with the C2 by regularly pulling commands from GitHub. It uses scheduled tasks to stay active and let attackers run actions remotely.

“We identified a “keep-alive” script used by the attacker to stay visible. This script specifically gathers network configuration details and uploads them to GitHub using the PUT method. The logs are stored at: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/jjyun/network/<Date>_<Time>-<IP_Address>-Real.log.” continues the report. “This automated check-in allows the threat actor to monitor the victim’s network status in real-time, enabling further actions or more in-depth exploitation within the compromised environment.”

A keep-alive script collects network details and uploads logs to GitHub, allowing real-time monitoring and further exploitation of the compromised system.

This campaign relies on strong social engineering and multiple phishing lures. Instead of complex malware, the attacker uses built-in Windows tools and LolBins to stay stealthy and reduce detection.

They abuse GitHub as C2, hiding malicious traffic in normal encrypted connections. Since many networks trust GitHub, data exfiltration often goes unnoticed. This mix of legit tools and services makes detection difficult, so monitoring unusual scripting activity is key.

“This combination of legitimate tools and trusted web services creates a highly effective infection chain. To stay protected, users should stay alert against untrusted documents and monitor for unusual PowerShell or VBScript activity in their environments.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon