Full Report
Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea. The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF
Analysis Summary
# Threat Actor: Kimsuky (likely)
## Attribution & Identity
* **Actor Name:** Kimsuky
* **Aliases:** Velvet Chollima, Black Banshee, Thallium
* **Associated Groups:** Likely associated with the Democratic People's Republic of Korea (DPRK) state-sponsored apparatus. The report also mentions **ScarCruft** (APT37) in the context of evolving North Korean tactics.
## Activity Summary
Recent campaigns involve multi-stage attacks using obfuscated Windows shortcut (LNK) files distributed via phishing. These attacks leverage legitimate cloud services—specifically GitHub and Dropbox—as command-and-control (C2) infrastructure to bypass security perimeters. The goal is long-term persistence and information exfiltration from South Korean targets.
## Tactics, Techniques & Procedures
* **Phishing:** Initial delivery via malicious emails containing LNK files.
* **Deceptive File Types:** Use of LNK files mimicking PDFs or Hangul Word Processor (HWP) documents.
* **Living off the Land binaries (LOLBins):** Extensive use of PowerShell, VBScript, and Batch files to minimize the footprint of executable (PE) files.
* **Anti-Analysis:** PowerShell scripts scan for virtual machines, debuggers, and forensic tools before execution.
* **Persistence:** Use of Windows Scheduled Tasks to execute payloads every 30 minutes.
* **Cloud-based C2:**
  * Using the GitHub API with hard-coded access tokens for data exfiltration and instruction fetching.
  * Using Dropbox to fetch secondary batch scripts.
* **MITRE ATT&CK IDs:**
  * T1204.001 - User Execution: Malicious Link
  * T1059.001 - Command and Scripting Interpreter: PowerShell
  * T1053.005 - Scheduled Task/Job: Scheduled Task
  * T1102.002 - Web Service: Bidirectional Communication (GitHub/Dropbox)
  * T1027 - Obfuscated Files or Information
## Targeting
* **Sectors:** Organizations in South Korea, Diplomatic entities, Web3/Crypto (historical).
* **Geography:** South Korea.
* **Victims:** Unspecified organizations in South Korea.
## Tools & Infrastructure
* **Malware Families:**
  * **Xeno RAT** and its variant **MoonPeak**.
  * **RokRAT** (specifically linked to ScarCruft/APT37).
  * Python-based backdoors.
* **Infrastructure:**
  * **GitHub Accounts:** `motoralis`, `God0808RAMA`, `Pigresy80`, `entire73`, `pandora0009`, `brandonleeodd93-blip`.
  * **C2 Domains:** `quickcon[.]store`.
  * **Legitimate Services:** GitHub, Dropbox, Zoho WorkDrive (historical).
## Implications
The shift toward using legitimate platforms like GitHub for C2 allows threat actors to blend into normal network traffic, making detection via traditional firewall or DNS filtering difficult. By relying on native Windows tools (LOLBins), Kimsuky reduces the likelihood of antivirus detection and complicates forensic attribution.
## Mitigations
* **Disable/Restrict LNK Files:** Monitor or block the execution of LNK files from atypical directories (e.g., Downloads, Temp).
* **PowerShell Monitoring:** Enable PowerShell "Constrained Language Mode" and implement script block logging to identify obfuscated commands.
* **Cloud Service Auditing:** Monitor network traffic to GitHub and Dropbox for suspicious API patterns or large data transfers from unauthorized accounts.
* **Employee Awareness:** Train staff to identify phishing attempts that use "double extensions" or legitimate-looking decoy documents (PDF/HWP).
* **Endpoint Detection:** Implement EDR solutions that alert on the creation of scheduled tasks that launch hidden PowerShell windows.
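The scheduled-task check in the last mitigation can be run offline against task definitions collected from endpoints. The following is an added example, not code from the FortiGuard report or from any product: it parses Task Scheduler XML (as returned by `schtasks /query /xml` or carried in Security event 4698) and flags tasks that combine a short repetition interval with a hidden PowerShell window. The task name, script path and XML below are constructed placeholders, not indicators from the report.

```python
"""Flag Task Scheduler XML matching the persistence pattern described above: a
short repeating trigger (every 30 minutes in the reported campaign) whose action
starts PowerShell with a hidden window."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# -WindowStyle Hidden, including PowerShell's prefix abbreviations (-w h, -win hid)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+h(?:id(?:den)?)?\b", re.IGNORECASE)

def interval_minutes(iso: str) -> float:
    """Convert an ISO 8601 duration (PT30M, P1DT2H, ...) to minutes; 0 if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return 0.0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def analyze_task(task_xml: str) -> dict:
    """Return the task URI, shortest repetition interval and the reasons it was flagged."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", "<unnamed>", NS)
    intervals = [interval_minutes(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    shortest = min((i for i in intervals if i > 0), default=None)
    short_repeat = shortest is not None and shortest <= 60
    hidden_ps = False
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").lower()
        args = ex.findtext("t:Arguments", "", NS) or ""
        if ("powershell" in cmd or "pwsh" in cmd) and HIDDEN_RE.search(args):
            hidden_ps = True
    reasons = ([f"repeats every {shortest:g} min"] if short_repeat else []) + \
              (["launches PowerShell with a hidden window"] if hidden_ps else [])
    # Either signal alone is common in admin tooling; both together is the reported pattern.
    return {"uri": uri, "interval_min": shortest, "reasons": reasons,
            "suspicious": short_repeat and hidden_ps}

# Constructed sample (task name, path and script are placeholders, not IoCs from the report).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\SysUpdate</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ep bypass -File C:\Users\Public\upd.ps1</Arguments>
  </Exec></Actions>
</Task>"""
```

Feeding `analyze_task` every task exported from a host gives a quick triage list; tune the 60-minute threshold and the hidden-window regex to local admin tooling before alerting on it.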