North Korean Threat Actors Deploy Phishing LNK Files with GitHub C2 to Target South Korean Organizations
What Happened — North‑Korea‑linked hackers have been sending phishing emails that contain malicious LNK shortcuts. When opened, the LNK drops a decoy PDF and a PowerShell script that pulls additional payloads from GitHub‑hosted command‑and‑control (C2) servers. The campaign, observed since 2024 and refined in 2025‑2026, uses heavy obfuscation and anti‑analysis checks to evade detection.
Why It Matters for TPRM —
- Attackers exploit legitimate cloud platforms (GitHub) to hide C2 traffic, complicating vendor monitoring.
- The use of LNK‑based delivery bypasses many email‑gateway controls, increasing the risk of credential theft and data exfiltration from third‑party environments.
- Persistent scheduled‑task implants can remain undetected for months, threatening the confidentiality and integrity of shared data.
Who Is Affected — Primarily South Korean enterprises across technology, finance, and manufacturing sectors; any organization that processes Korean‑language documents or collaborates with Korean partners is at risk.
Recommended Actions —
- Review email security policies to block LNK attachments and enforce sandbox analysis of shortcut files.
- Verify that all third‑party SaaS providers (including code‑hosting services) are monitored for anomalous outbound traffic to GitHub repositories.
- Harden PowerShell execution policies and implement strict logging of scheduled‑task creation.
Technical Notes — The LNK files embed a decoding routine (p1) that extracts a PDF and a PowerShell script. The script performs environment checks, decodes additional payloads, writes them to temporary folders, and establishes persistence via a hidden scheduled task. C2 communication occurs through multiple GitHub accounts (e.g., motoralis, God0808RAMA) using hidden repositories to exfiltrate system details. No specific CVE is cited; the attack leverages legitimate Windows functionality and cloud services. Source: Security Affairs
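As an added illustration of the monitoring called for under Recommended Actions (not code from the Security Affairs report), the sketch below correlates the three stages in the technical notes per host: Explorer launching a hidden or encoded PowerShell (the LNK stage), PowerShell connecting to GitHub domains, and creation of a hidden scheduled task that runs PowerShell. The events, field names and hostnames are constructed Sysmon/Security‑log style samples, not real telemetry or indicators.

```python
# Added detection sketch for the LNK -> PowerShell -> GitHub C2 -> scheduled-task chain.
# Events are constructed samples shaped like Sysmon (EventID 1, 3) and Security log 4698.
import re
from collections import defaultdict

GITHUB_HOSTS = ("github.com", "githubusercontent.com")
HIDDEN_OR_ENCODED = re.compile(r"-(w|win|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s", re.I)

def analyze(events):
    """Map hostname -> sorted list of rule names that fired on that host."""
    hits = defaultdict(set)
    for ev in events:
        host, eid = ev["host"], ev["EventID"]
        if eid == 1:  # Sysmon process creation
            img = ev["Image"].lower()
            parent = ev.get("ParentImage", "").lower()
            cmd = ev.get("CommandLine", "")
            # A double-clicked LNK shows up as explorer.exe -> powershell.exe with a hidden/encoded command
            if img.endswith("powershell.exe") and parent.endswith("explorer.exe") and HIDDEN_OR_ENCODED.search(cmd):
                hits[host].add("explorer_spawned_hidden_powershell")
        elif eid == 3 and ev["Image"].lower().endswith("powershell.exe"):  # Sysmon network connection
            if ev.get("DestinationHostname", "").lower().endswith(GITHUB_HOSTS):
                hits[host].add("powershell_to_github")
        elif eid == 4698:  # Security log: a scheduled task was created (TaskContent is the task XML)
            xml = ev.get("TaskContent", "")
            if re.search(r"<Hidden>\s*true\s*</Hidden>", xml, re.I) and "powershell" in xml.lower():
                hits[host].add("hidden_powershell_task")
    return {h: sorted(r) for h, r in hits.items()}

def triage(events, threshold=2):
    """Hosts on which at least `threshold` distinct stages of the chain were observed."""
    return sorted(h for h, rules in analyze(events).items() if len(rules) >= threshold)

# Constructed sample telemetry (not real IoCs): WS-01 shows the full chain, WS-02 is benign developer activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c ..."},
    {"host": "WS-01", "EventID": 3, "Image": PS, "DestinationHostname": "raw.githubusercontent.com"},
    {"host": "WS-01", "EventID": 4698, "TaskContent": "<Task><Settings><Hidden>true</Hidden></Settings>"
     "<Actions><Exec><Command>powershell.exe</Command></Exec></Actions></Task>"},
    {"host": "WS-02", "EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "powershell.exe -File build.ps1"},
    {"host": "WS-02", "EventID": 3, "Image": r"C:\Program Files\Git\cmd\git.exe", "DestinationHostname": "github.com"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
    print(triage(SAMPLE_EVENTS))
```

Single rules (such as PowerShell reaching GitHub) are noisy on developer workstations; the value is in requiring two or more stages on the same host before escalating.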