{"id":511,"date":"2026-04-06T17:52:30","date_gmt":"2026-04-06T17:52:30","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=511"},"modified":"2026-04-06T17:52:30","modified_gmt":"2026-04-06T17:52:30","slug":"dprk-linked-hackers-use-github-as-c2-in-multi-stage-attacks-targeting-south-korea","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=511","title":{"rendered":"DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 06, 2026<\/span><\/span>Malware \/ Threat Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Threat\u00a0actors likely associated with the Democratic People’s Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South\u00a0Korea.<\/p>\n

The\u00a0attack chain,\u00a0per Fortinet FortiGuard\u00a0Labs<\/a>, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF document and a PowerShell script that sets the stage for the next phase of the attack. It’s assessed that these LNK files are distributed via phishing\u00a0emails.<\/p>\n

As\u00a0soon as the payloads are downloaded, the victim is displayed the PDF document, while the malicious PowerShell script runs silently in the background. The\u00a0PowerShell script performs checks to resist analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools. If\u00a0any of those processes are detected, the script immediately terminates.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Otherwise, it extracts a Visual Basic Script (VBScript) and sets up persistence using a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to sidestep detection. This\u00a0ensures that the PowerShell script is executed automatically after every system\u00a0reboot.<\/p>\n

The\u00a0PowerShell script then profiles the compromised host, saves the result to a log file, and exfiltrates it to a GitHub repository created under the account \u00abmotoralis\u00bb using a hard-coded access token. Some\u00a0of the GitHub accounts created as part of the campaign include \u00abGod0808RAMA,\u00bb \u00abPigresy80,\u00bb \u00abentire73,\u00bb \u00abpandora0009,\u00bb and \u00abbrandonleeodd93-blip.\u00bb<\/p>\n

The\u00a0script then parses a specific file in the same GitHub repository to fetch additional modules or instructions, thus allowing the operator to weaponize the trust associated with a platform like GitHub to blend in and maintain persistent control over the infected\u00a0host.<\/p>\n

Fortinet said that earlier iterations of the campaign relied on LNK files to spread malware families like Xeno RAT. It’s worth noting that the use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented\u00a0by ENKI\u00a0and Trellix last year. These\u00a0attacks were attributed to a North Korean state-sponsored group known as\u00a0Kimsuky.<\/p>\n

\"\"<\/a><\/div>\n

\u00abInstead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence,\u00bb security researcher Cara Lin said. \u00abBy minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection\u00a0rate.\u00bb\u00a0<\/p>\n

The disclosure comes as\u00a0AhnLab detailed<\/a> a similar LNK-based infection chain from Kimsuky that ultimately results in the deployment of a Python-based\u00a0backdoor.<\/p>\n

The LNK files, as before, execute a PowerShell script and create a hidden folder in the\u00a0\u00abC:\\windirr\u00bb path to stage the payloads, including a decoy PDF and another LNK file that mimics a Hangul Word Processor (HWP) document. Also\u00a0deployed are intermediate payloads to set up persistence and launch a PowerShell script, which then uses Dropbox as a C2 channel to fetch a batch\u00a0script.<\/p>\n

The batch file then downloads two separate ZIP file fragments from a remote server (\u00abquickcon[.]store\u00bb) and combines them together to create a single archive and extracts from it an XML task scheduler and a Python backdoor. The\u00a0task scheduler is used to launch the\u00a0implant.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The Python-based malware supports the ability to download additional payloads and execute commands issued from the C2 server. The\u00a0instructions allow it to run shell scripts, list directories, upload\/download\/delete files, and run BAT, VBScript, and EXE\u00a0files.<\/p>\n

The findings also coincide\u00a0with ScarCruft’s shift from traditional LNK-based attack chains to an HWP OLE-based dropper to\u00a0deliver RokRAT, a remote access trojan exclusively used by the North Korean hacking group, per S2W. Specifically, the malware is embedded as an OLE object within an HWP document and executed via DLL side-loading.<\/p>\n

\u00abUnlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,\u00bb the South Korean security\u00a0company said<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 06, 2026Malware \/ Threat Intelligence Threat\u00a0actors likely associated with the Democratic People’s Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks…<\/p>\n","protected":false},"author":1,"featured_media":512,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[24,1092,71,338,248,504,483,431],"class_list":["post-511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attacks","tag-dprklinked","tag-github","tag-hackers","tag-korea","tag-multistage","tag-south","tag-targeting"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=511"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/511\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/512"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}