A sophisticated phishing campaign is targeting businesses in South Korea. It uses malicious Windows shortcut (LNK) files and abuses GitHub as a covert command-and-control (C2) channel. Researchers attribute the activity to North Korean state-sponsored actors, who frequently rely on techniques of this kind for espionage and surveillance.
The infection chain begins when an employee opens a malicious LNK file. Once launched, the shortcut decodes and drops a decoy PDF so the victim believes a document opened normally. The campaign's most notable trait is its reliance on legitimate public infrastructure: rather than standing up suspicious external servers, the attackers upload stolen system logs to designated private GitHub repositories using hardcoded access tokens.
Keeping the activity inside private repositories shields the payloads from public view. Relying on native, trusted applications for deployment and evasion lets the attackers run campaigns with far lower detection rates. Security platforms currently track this specific threat under the name LNK/Agent.ALN!tr.
Beyond the main account, where all of the activity takes place, a few additional accounts remain dormant as backups in case the primary repositories are taken down. Organisations are advised to treat shortcut files from untrusted sources with caution and to give employees robust anti-phishing training. IT teams should also monitor for unusual PowerShell or VBScript execution on their networks to detect and stop similar covert intrusions.
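The two defensive points above, recognising a shortcut whose real target is a script host rather than a document, and watching for the PowerShell execution such a shortcut triggers, can be combined in a static triage step that runs before a file ever reaches a user. The script below is an added example, not code from the article or from the researchers it cites. It parses the Shell Link header and StringData sections of a .lnk file as laid out in the public MS-SHLLINK specification, then applies a small set of heuristics (script-host target, encoded command flag, oversized argument string, minimised window, document-style lure name). The two sample shortcuts are constructed inline with the `build_lnk` helper so the example runs offline; nothing in them is taken from the campaign.

```python
"""Static triage of Windows shortcut (.lnk) files for the pattern described above:
a shortcut dressed up as a document whose real target is a script host.
Added example; the samples below are constructed, not real campaign artefacts."""
import re
import struct

# LinkFlags bits and header layout from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7          # start minimised: a common way to keep a console out of sight
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# Heuristic patterns (assumptions of this example, tune for your environment)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|cscript|wscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
DOCUMENT_LURE = re.compile(r"\.(pdf|docx?|hwp|xlsx?)\b|acro(rd|bat)|winword", re.I)
MAX_ARG_LEN = 200


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return {"flags": flags, "show_command": show_cmd, **fields}


def triage_lnk(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    target = info.get("relative_path", "") + " " + args
    lure = info.get("name", "") + " " + info.get("icon_location", "")
    findings = []
    if SCRIPT_HOSTS.search(target):
        findings.append("target is a script host")
    if ENCODED_FLAG.search(args):
        findings.append("encoded PowerShell command")
    if len(args) > MAX_ARG_LEN:
        findings.append("unusually long argument string")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden")
    if DOCUMENT_LURE.search(lure):
        findings.append("masquerades as a document")
    return findings


def build_lnk(relative_path: str, arguments: str, name: str = "", icon: str = "", show_cmd: int = 1) -> bytes:
    """Construct a minimal Unicode shell link for testing (no IDList or LinkInfo)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    flags |= HAS_NAME if name else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(name) if name else b""
    body += s(relative_path) + s(arguments)
    body += s(icon) if icon else b""
    return header + body


# Constructed samples: an ordinary editor shortcut and a document-themed script launcher
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
SUSPICIOUS = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-NoP -W Hidden -enc " + "A" * 300,
                       name="Invoice.pdf", icon=r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",
                       show_cmd=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage_lnk(blob) or ["no findings"])
```

Running the block prints no findings for the editor shortcut and five for the document-themed one. In practice the same `triage_lnk` call can sit in a mail-gateway or endpoint pipeline, and a positive result is a good trigger to correlate with process-creation telemetry for the PowerShell or VBScript execution the article recommends watching.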