DPRK-linked hackers use GitHub as command hub in South Korea attacks

DPRK-linked threat actors have used GitHub as command and control infrastructure in multi-stage attacks against organizations in South Korea, according to a technical analysis by Fortinet FortiGuard Labs. The campaign used obfuscated Windows shortcut files, phishing emails and GitHub repositories to collect host data and deliver further instructions.

KEY FACTS

  • Initial access: Obfuscated LNK files were used to drop a decoy PDF and a PowerShell script.
  • Evasion: The script checked for virtual machines, debuggers and forensic tools before continuing.
  • Persistence: A scheduled task relaunched the PowerShell payload every 30 minutes in a hidden window.
  • C2: The malware sent host details to a GitHub repository under the account “motoralis.”
  • Related activity: Other North Korea-linked campaigns used GitHub, Dropbox and Python-based backdoors.

After the files were opened, the victim saw the decoy PDF while the PowerShell script ran in the background. The script created a VBScript, set up persistence and saved a host profile to a log file before uploading it to GitHub with a hard-coded access token. It also pulled additional modules or instructions from the same repository.

Fortinet said earlier versions of the campaign used LNK files to spread malware families including Xeno RAT. The report also noted GitHub-based command and control for Xeno RAT and MoonPeak in earlier cases tied to Kimsuky. Separately, AhnLab’s advisory described a similar LNK infection chain that deployed a Python backdoor and used Dropbox as a command channel.

In that chain, the LNK files created a hidden folder under C:\windirr, staged a decoy file made to look like an HWP document and fetched a batch script. The batch script combined ZIP fragments, extracted a task scheduler file and a Python backdoor, and then used the scheduler to launch the implant. The malware could download more payloads and run shell commands, file operations and several script and executable types.
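As an added example (not code from Fortinet, AhnLab or this article), the Python below shows how a defender might score endpoint telemetry for the stages described in the two infection chains above: hidden PowerShell spawned from Explorer, a scheduled task that relaunches hidden PowerShell on a minute-level repeat, a scripting host talking directly to GitHub, and activity under the C:\windirr staging folder. The sample events, host names, file paths and the simple key/value event format are constructed for illustration; only the C:\windirr path and the 30-minute interval come from the article.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real events from either report): one host
# showing the full GitHub-C2 chain, one showing the C:\windirr staging folder,
# and one with benign activity that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\r.ps1"},
    {"type": "process", "host": "WS01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "powershell.exe -WindowStyle Hidden -File C:\Users\u\AppData\Roaming\r.ps1"'},
    {"type": "network", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "api.github.com", "port": 443},
    {"type": "file", "host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\windirr\stage.zip"},
    {"type": "process", "host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "network", "host": "WS03",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "github.com", "port": 443},
]

# Matches "-WindowStyle Hidden" and the abbreviated "-w hidden" form.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_hidden_powershell_from_explorer(ev):
    """Initial access: a shortcut opened in Explorer spawning hidden PowerShell."""
    if ev["type"] != "process" or basename(ev["image"]) != "powershell.exe":
        return None
    if basename(ev.get("parent", "")) == "explorer.exe" and HIDDEN_RE.search(ev["cmdline"]):
        return "hidden PowerShell launched from Explorer"
    return None


def rule_schtasks_periodic_hidden_powershell(ev):
    """Persistence: schtasks /create with a minute-level repeat running hidden PowerShell."""
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/create" in cl and "/sc minute" in cl and "powershell" in cl and HIDDEN_RE.search(cl):
        mo = re.search(r"/mo\s+(\d+)", cl)
        every = mo.group(1) if mo else "1"   # schtasks defaults /mo to 1
        return f"scheduled task runs hidden PowerShell every {every} min"
    return None


def rule_powershell_to_github(ev):
    """C2: a scripting host connecting straight to GitHub rather than a browser or git client."""
    if (ev["type"] == "network" and basename(ev["image"]) == "powershell.exe"
            and ev["dest"].lower() in GITHUB_HOSTS):
        return f"PowerShell connected to {ev['dest']}"
    return None


def rule_windirr_staging(ev):
    """Staging: any path or command line touching the windirr folder from the AhnLab chain."""
    text = " ".join(str(ev.get(k, "")) for k in ("path", "cmdline")).lower()
    if r"c:\windirr" in text:
        return "activity under C:\\windirr"
    return None


RULES = [rule_hidden_powershell_from_explorer, rule_schtasks_periodic_hidden_powershell,
         rule_powershell_to_github, rule_windirr_staging]


def detect(events):
    """Return (host, rule_name, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev["host"], rule.__name__, detail))
    return findings


def hosts_by_severity(findings):
    """Rank hosts by how many distinct chain stages were seen; several stages on one host is the strong signal."""
    stages = defaultdict(set)
    for host, rule, _ in findings:
        stages[host].add(rule)
    return sorted(stages.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for host, rule, detail in results:
        print(f"{host}: [{rule}] {detail}")
    for host, rules in hosts_by_severity(results):
        print(f"{host}: {len(rules)} chain stage(s) observed")
```

Each rule on its own is noisy on a real estate (administrators do register hidden PowerShell tasks, and developers do talk to GitHub), which is why the example ranks hosts by the number of distinct stages rather than alerting on any single match; the thresholds and host lists are starting points to tune against your own telemetry.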

The findings came as ScarCruft shifted from older LNK-based delivery to an HWP OLE-based dropper to deliver RokRAT, a remote access trojan linked to the group. The South Korean company behind that disclosure said the newer chain used a developed dropper and downloader to deliver shellcode and the RokRAT payload.

WHY IT MATTERS

The abuse of widely trusted platforms such as GitHub and Dropbox can make malicious traffic harder to spot and block. The campaigns also show continued use of living-off-the-land tools and document-based lures to reach South Korean targets while limiting the need for custom malware.