The infection chain begins with a Windows shortcut (LNK) file dressed up as a harmless document. Researchers said the LNK files were crafted to open decoy content, often a PDF, while silently launching PowerShell in the background. Earlier variants used simple obfuscation to hide GitHub addresses and access tokens in the shortcut; later samples moved to decoding routines embedded in the shortcut's arguments, suggesting the operators have refined the method to make detection harder.
Fortinet’s FortiGuard Labs, which published one of the most detailed technical breakdowns of the campaign, said the activity targets users in South Korea and can be traced back to 2024. The researchers linked earlier variants to the spread of XenoRAT and said metadata in past samples overlapped across attacks, although the latest versions stripped out some of those identifiers. CSO Online, citing the Fortinet findings and outside expert comment, reported that the malware operators removed visible metadata in newer LNK files and leaned more heavily on covert script execution and GitHub-hosted payload retrieval.
Once launched, the PowerShell stage checks whether it is running in an analysis environment: the script looks for processes belonging to virtual machines, debuggers, forensic tools and network inspection software and exits if any are found, a tactic designed to frustrate researchers and automated sandboxes. If the host looks like a real victim, the script reconstructs encoded strings, drops files into temporary folders and establishes persistence with a scheduled task that repeatedly runs a VBScript in a hidden window.
Researchers said the campaign’s most striking feature is its use of GitHub as a covert command-and-control layer. Instead of contacting suspicious domains that might be blocked by security teams, the malware communicates with GitHub repositories and API endpoints, blending in with traffic that many corporate environments already trust. Fortinet said one hardcoded workflow uploaded victim reconnaissance logs to GitHub and then pulled additional PowerShell from a repository path, effectively turning the platform into both a dead drop and a control channel.
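As an added illustration (not code from Fortinet's report or from the campaign itself), the following Python triages a handful of constructed Sysmon-style process-creation and network events for the behaviours described above: PowerShell launched from explorer.exe with a hidden window (where a double-clicked LNK lands), an -EncodedCommand argument decoded from its UTF-16LE base64 form and searched for GitHub endpoints, token-shaped strings and checks for analysis tools, a scheduled task that runs a VBScript, and script hosts connecting to GitHub. The event field names, the sample command lines and the stage-two script are assumptions made for this example, not indicators from the report.

```python
"""Behavioural triage for an LNK -> hidden PowerShell -> GitHub chain.

Added example, not Fortinet's or the campaign's code. Events are constructed
in a simplified Sysmon-like dict form (an assumption for the example); a real
pipeline would parse Sysmon XML or an EDR feed first.
"""
import base64
import re

# Constructed stage-two script: an analysis-tool check, a GitHub token and an
# API call. The token is a placeholder with the public "ghp_" shape, not real.
STAGE2_SCRIPT = (
    "if (Get-Process -Name vmtoolsd,procmon,wireshark -ErrorAction SilentlyContinue) { exit }; "
    "$h = @{Authorization='token ghp_" + "A" * 36 + "'}; "
    "Invoke-RestMethod -Headers $h 'https://api.github.com/repos/acme/notes/contents/log.txt'"
)
# powershell.exe -EncodedCommand expects base64 of the UTF-16LE script text.
ENCODED_ARG = base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # id 1 = process create, id 3 = network connection (constructed)
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_ARG}"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe //B C:\Users\u\AppData\Local\Temp\up.vbs"'},
    {"id": 3, "image": PS, "dest_host": "api.github.com", "dest_port": 443},
    # Benign developer traffic to the same host: must not fire.
    {"id": 1, "image": r"C:\Program Files\GitHub CLI\gh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "gh pr list"},
    {"id": 3, "image": r"C:\Program Files\GitHub CLI\gh.exe", "dest_host": "api.github.com", "dest_port": 443},
]

ENC_FLAG = re.compile(r"(?i)-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
GITHUB_REF = re.compile(r"(?i)(?:api\.github\.com|raw\.githubusercontent\.com|github\.com/[\w.-]+/[\w.-]+)")
GH_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")  # shape of GitHub personal/app tokens
ANALYSIS_TOOLS = ("vmtoolsd", "vboxservice", "procmon", "wireshark", "x64dbg", "ollydbg", "fiddler")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
GITHUB_HOSTS = ("api.github.com", "raw.githubusercontent.com", "github.com", "objects.githubusercontent.com")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_process(ev):
    """Findings for one process-creation event."""
    findings = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if img in ("powershell.exe", "pwsh.exe"):
        # A double-clicked LNK runs its target as a child of explorer.exe.
        if parent == "explorer.exe" and HIDDEN.search(cmd):
            findings.append("hidden_powershell_from_shell")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded_command")
            if GITHUB_REF.search(decoded):
                findings.append("github_in_decoded_script")
            if GH_TOKEN.search(decoded):
                findings.append("github_token_in_script")
            if any(t in decoded.lower() for t in ANALYSIS_TOOLS):
                findings.append("analysis_tool_check")
    if img == "schtasks.exe" and re.search(r"(?i)/create", cmd) \
            and re.search(r"(?i)[wc]script(?:\.exe)?.*\.vbs", cmd):
        findings.append("schtasks_vbs_persistence")
    return findings


def triage_network(ev):
    """Flag script hosts talking to GitHub; developer tools using the same host do not fire."""
    if basename(ev["image"]) in SCRIPT_HOSTS and ev["dest_host"].lower() in GITHUB_HOSTS:
        return ["script_host_to_github"]
    return []


def triage(events):
    """Return (event_index, finding) pairs across a batch of events."""
    out = []
    for i, ev in enumerate(events):
        names = triage_process(ev) if ev["id"] == 1 else triage_network(ev) if ev["id"] == 3 else []
        out.extend((i, n) for n in names)
    return out


if __name__ == "__main__":
    for idx, name in triage(EVENTS):
        print(idx, name)
```

The benign gh.exe events connecting to api.github.com are there to show why the network rule keys on the originating process rather than the destination: blocking or alerting on GitHub itself is impractical in most environments, whereas powershell.exe or wscript.exe reaching the GitHub API is unusual enough to investigate.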
That approach reflects a broader pattern in state-linked and espionage-led hacking: abuse of widely used cloud and developer platforms to hide malicious activity in plain sight. South Korea has been a repeated target for such operations. Separate research published earlier this year by Darktrace described a different DPRK-linked campaign aimed at South Korean users that used trusted Microsoft infrastructure, while Trellix documented a 2025 espionage effort against embassies in Seoul that also used LNK files, PowerShell and GitHub to deliver malware. Those cases suggest that the latest campaign is part of an established playbook rather than a one-off technique.
Attribution remains a matter of assessment rather than public government confirmation, but the technical reporting points in the same direction. Fortinet described the campaign as DPRK-related, and several follow-up reports characterised it as North Korea-linked. Researchers noted repeated “Hangul Document” naming patterns in earlier files, a lure format often associated with clusters such as Kimsuky, APT37 and Lazarus. Even so, security analysts generally treat such overlaps as indicators of tradecraft rather than final proof of responsibility, especially when actors can borrow or imitate one another’s methods.
The campaign also underlines a growing challenge for defenders: the most effective intrusions do not always depend on exotic malware. Here, much of the operation uses tools already present in Windows, including shortcut files, PowerShell, scheduled tasks and scripts running in hidden windows. That keeps the number of dropped binaries low and narrows the visible footprint on disk. Analysts say that makes behavioural monitoring more important than simple signature-based blocking, particularly when outbound traffic goes to reputable domains such as GitHub.