A new campaign targeting South Korea uses Windows shortcut (LNK) files delivered by targeted phishing emails, with GitHub serving as the command-and-control channel. When a victim opens the attachment, they are shown a decoy PDF that looks like a legitimate document.

While the decoy is displayed, a malicious script runs in the background without the victim's knowledge. The naming of the LNK files, such as lures presented as a "Hangul Document," matches tradecraft previously seen from North Korean state-sponsored groups including Kimsuky, APT37, and Lazarus. The campaign has been rated high severity because the stolen data can be used to stage follow-on attacks. The level of preparation and resourcing points to a deliberate, well-planned operation rather than an opportunistic one.

Users and security teams should treat unsolicited LNK and PDF attachments with suspicion regardless of how legitimate they appear.

Monitor endpoints for anomalous PowerShell or VBScript execution, and investigate unexpected outbound connections to GitHub API endpoints immediately. Because the traffic itself is ordinary HTTPS to a trusted domain, the process that opens the connection (a script host rather than a browser or developer tool) is a more useful signal than the destination alone.

The threat actor crafted lure documents tailored to Korean business contexts. The broader objective appears to be intelligence collection and long-term surveillance: the attacker maintains covert access to compromised systems through scheduled tasks that run every 30 minutes, and uses private GitHub repositories both to store exfiltrated logs and to retrieve new instructions.

Because all of this communication is encrypted HTTPS to a widely trusted domain, it typically passes standard perimeter defenses without raising any alerts.
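The three traits described above (a script host launched silently, a 30-minute scheduled task that re-runs it, and that script host talking to the GitHub API) are each weak on their own but distinctive together. The following is an added example of endpoint-side correlation over constructed Sysmon-style events; it is not the vendor's detection content, and the host names, paths and command lines are made up for the demonstration.

```python
"""Correlate endpoint telemetry for the tradecraft described above: a script host
started hidden from Explorer, a 30-minute scheduled task that runs a script host,
and a script host connecting to the GitHub API. Added example with constructed
events; host names, paths and command lines are invented for the demonstration."""
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}
HIDDEN_WINDOW_TOKENS = ("-w hidden", "-windowstyle hidden", "//b", "-nop")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_hidden_script_host(ev):
    """Process creation: script host spawned by explorer.exe with hidden-window arguments (a shortcut-style launch)."""
    if ev["type"] != "process_create":
        return None
    cmd = ev["cmdline"].lower()
    if (basename(ev["image"]) in SCRIPT_HOSTS and basename(ev["parent"]) == "explorer.exe"
            and any(t in cmd for t in HIDDEN_WINDOW_TOKENS)):
        return "script host launched hidden from Explorer"
    return None


def rule_30min_task(ev):
    """Process creation: schtasks.exe registering a MINUTE/30 task whose action is a script host."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "/create" in cmd and "/sc minute" in cmd and "/mo 30" in cmd and any(h in cmd for h in SCRIPT_HOSTS):
        return "30-minute scheduled task running a script host"
    return None


def rule_script_host_to_github(ev):
    """Network connection: a script host (not a browser or git client) reaching GitHub over 443."""
    if ev["type"] != "network_connect":
        return None
    if basename(ev["image"]) in SCRIPT_HOSTS and ev["dest_host"].lower() in GITHUB_HOSTS and ev["dest_port"] == 443:
        return "script host connecting to " + ev["dest_host"]
    return None


RULES = (rule_hidden_script_host, rule_30min_task, rule_script_host_to_github)


def correlate(events):
    """Group rule hits per host; two or more distinct hits on one host match the campaign's pattern."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits[ev["host"]].add(msg)
    return {host: {"severity": "high" if len(msgs) >= 2 else "low", "findings": sorted(msgs)}
            for host, msgs in hits.items()}


# Constructed events: WS-042 shows the full chain, DEV-007 shows ordinary developer activity
CONSTRUCTED_EVENTS = [
    {"type": "process_create", "host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c "Get-Date"'},
    {"type": "process_create", "host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn "Update" /tr "wscript.exe //B C:\\Users\\Public\\k.vbs"'},
    {"type": "network_connect", "host": "WS-042", "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "api.github.com", "dest_port": 443},
    {"type": "network_connect", "host": "DEV-007", "image": r"C:\Program Files\Git\mingw64\bin\git.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"type": "process_create", "host": "DEV-007", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmdline": "powershell.exe -NoLogo"},
]

if __name__ == "__main__":
    for host, result in correlate(CONSTRUCTED_EVENTS).items():
        print(host, result["severity"], result["findings"])
```

The git.exe and VS Code events on DEV-007 are there to show why the rules key on the originating process: the same GitHub destinations are routine on developer machines, and only the script-host-plus-persistence combination on WS-042 reaches high severity. Persistence created with the Register-ScheduledTask cmdlet instead of schtasks.exe would not produce the schtasks command line and needs a separate rule on the task-registration event.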

The multi-stage infection chain begins when the victim opens what appears to be an ordinary PDF. The file is actually an LNK shortcut that silently runs a PowerShell script, which is followed by a VBScript stage. The VBScript collects the OS version, boot time, and list of running processes, uploads this reconnaissance data to an attacker-controlled GitHub repository, and retrieves follow-up instructions from the same repository.
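A shortcut that masquerades as a PDF leaves several structural traces in the .lnk file itself: a double extension that Explorer hides, a target or argument string naming a script host, a hidden or minimized window setting, an icon borrowed from a PDF viewer, and often a decoy or payload appended after the link data. The following is an added example, not code from the article or the campaign, that parses those fields using the documented MS-SHLLINK layout and scores a sample; the sample .lnk bytes, paths and argument string are constructed for the demonstration.

```python
"""Triage a Windows shell link (.lnk) for the traits the chain above relies on: a
shortcut posing as a PDF that silently starts a script host. Parsing follows the
MS-SHLLINK layout (header, optional IDList and LinkInfo, StringData, ExtraData).
Added example; the sample .lnk bytes are constructed here, not taken from the campaign."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80       # LinkFlags (MS-SHLLINK 2.1.1)
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))              # HasName .. HasIconLocation
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7   # ShowCommand 7: start minimized, no focus, never seen by the user
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")
SUSPICIOUS_ARG_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "bypass",
                         "-enc", "-encodedcommand", "iex", "wscript", "cscript")


def parse_lnk(data: bytes) -> dict:
    """Return header fields, StringData, and whatever bytes follow the last ExtraData block."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:               # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:                    # CountCharacters (2 bytes) + characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    while pos + 4 <= len(data):                       # ExtraData blocks: 4-byte size each, size < 4 terminates
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4 or pos + block_size > len(data):
            pos += 4
            break
        pos += block_size
    info["trailing"] = data[pos:]                     # anything appended after the link proper
    return info


def triage_lnk(filename: str, data: bytes) -> list:
    """Findings that together indicate a document-themed LNK dropper."""
    lnk = parse_lnk(data)
    target = lnk.get("relative_path", "").lower()
    args = lnk.get("arguments", "").lower()
    icon = lnk.get("icon_location", "").lower()
    findings = []
    if filename.lower().endswith((".pdf.lnk", ".hwp.lnk", ".doc.lnk", ".docx.lnk")):
        findings.append("document double extension (Explorer never shows .lnk)")
    if any(h in target or h in args for h in SCRIPT_HOSTS):
        findings.append("target is a script host")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized without focus")
    tokens = [t for t in SUSPICIOUS_ARG_TOKENS if t in args]
    if tokens:
        findings.append("suspicious arguments: " + ", ".join(tokens))
    if icon.endswith(".pdf") or "acrobat" in icon or "acrord32" in icon:
        findings.append("icon borrowed from a PDF viewer")
    if len(lnk["trailing"]) > 1024:
        kind = "PDF decoy" if lnk["trailing"].startswith(b"%PDF") else "unknown blob"
        findings.append(f"{len(lnk['trailing'])} trailing bytes after link data ({kind})")
    return findings


def build_sample_lnk(target, arguments, icon, show_command, trailing=b"") -> bytes:
    """Construct a minimal Unicode shell link for testing (no IDList, no LinkInfo)."""
    flags = IS_UNICODE | sum(bit for bit, key in STRING_FIELDS if key != "name")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20) + b"\x00" * 24
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body = s(target) + s(r"C:\Windows\System32") + s(arguments) + s(icon)
    return header + body + struct.pack("<I", 0) + trailing   # empty ExtraData terminal block, then payload


# Constructed samples: a lure in the style described above, and an ordinary application shortcut
LURE = build_sample_lnk(r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        '-w hidden -nop -ep bypass -c "Get-Date"',   # placeholder command, not the campaign's
                        r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                        SW_SHOWMINNOACTIVE, trailing=b"%PDF-1.7\n" + b"\x00" * 8192)
BENIGN = build_sample_lnk(r"..\..\Program Files\7-Zip\7zFM.exe", "", r"%SystemRoot%\System32\shell32.dll", SW_SHOWNORMAL)

if __name__ == "__main__":
    for name, blob in (("Quotation.pdf.lnk", LURE), ("7-Zip.lnk", BENIGN)):
        print(name, triage_lnk(name, blob) or ["clean"])
```

The trailing-bytes check is the one worth running first on a mail gateway: a genuine shortcut is a few hundred bytes, while a dropper that carries its own decoy document or script is orders of magnitude larger, and that holds no matter how the command line is obfuscated.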

In the final stage, a keep-alive script monitors network data in real time while continuing to fetch new instructions from GitHub.