Threat actors associated with the Democratic People's Republic of Korea (DPRK) weaponized LNK shortcut files to deliver MoonPeak, a XenoRAT variant. The malicious file posed as a trading guide to lure investors, using a Korean-language decoy filename that translates to "Real Battle Trading Core Secret Book.pdf.lnk". The campaign highlights DPRK's continuing efforts to generate foreign currency while evading detection through anti-analysis checks and abuse of trusted sites such as GitHub. Double-clicking the LNK triggers two actions. First, an XOR-encoded PDF decoy is decoded and displayed to distract the user.
Second, an obfuscated PowerShell script runs with -WindowStyle Hidden. The script checks for more than 40 analysis tools and virtualization artifacts and aborts if any are present. The list includes VMware and VirtualBox processes such as vmtoolsd.exe and vboxservice.exe, and analysis tools such as dnSpy.exe, IDA Pro, Wireshark, and ProcMon.
If the environment passes these checks, the script creates a folder with a random 8-character name in the temp directory and drops two randomly named files into it: a VBScript (Figure 2) and a PowerShell script (equivalent to Figure 1). The PowerShell stage fetches another script from hxxp://mid[.]great-site[.]net/realzan/viewpoi.txt, saves it temporarily, runs it, and deletes it. The VBScript launches this PowerShell hidden and with the execution policy bypassed. Persistence is established through a scheduled task named "Selling CoinBoruhde Whistling NOprobnl{BD234234324-1243324ADVE}" that runs the VBScript via wscript.exe. The script also beacons the host name, OS version, and system details to hxxp://mid[.]great-site[.]net/maith.php via HTTP POST: it prepends "BEGIN" and a random 4-character string, and uses JavaScript fetched from hxxp://mid[.]great-site[.]net/aes.js to AES-decrypt data, most likely to notify the attackers of a new infection.
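As an added example (not from the original article or IIJ's report), the following Python snippet turns the execution chain described above into three process-creation detection rules and runs them over constructed Sysmon-style records. The paths, folder names, command lines and the encoded-command fragment in the sample records are invented for the demonstration; the rule names are likewise arbitrary.

```python
import re

# Constructed Sysmon Event ID 1 style records (not from the IIJ report).
# Each dict mimics the Image / ParentImage / CommandLine fields of the event.
SAMPLE_EVENTS = [
    {   # 0: benign - user opens an interactive PowerShell from the shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    },
    {   # 1: LNK double-click - explorer spawns a hidden, encoded PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -WindowStyle Hidden -ep bypass -enc SQBFAFgAIAAo",
    },
    {   # 2: scheduled task fires wscript.exe on a VBScript in a random 8-char temp folder
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\k3fq9zxa\ab12cd.vbs"',
    },
    {   # 3: the VBScript launches PowerShell with the execution policy bypassed
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                       r"-File C:\Users\victim\AppData\Local\Temp\k3fq9zxa\qwe456.ps1",
    },
]

# -WindowStyle Hidden and its -w abbreviation
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# -ExecutionPolicy Bypass, -ep bypass, -exec bypass, ...
BYPASS = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)
# script under ...\Temp\<8 alphanumerics>\<name>.vbs or .ps1
TEMP_RANDOM_SCRIPT = re.compile(r"\\Temp\\[A-Za-z0-9]{8}\\[^\\]+\.(?:vbs|ps1)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_name, event_index) pairs for every record a rule matches."""
    hits = []
    for i, ev in enumerate(events):
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        # Stage 1: the LNK's embedded command, parented by explorer.exe
        if image == "powershell.exe" and parent == "explorer.exe" and HIDDEN.search(cmd):
            hits.append(("lnk_hidden_powershell", i))
        # Stage 2: persistence task running the dropped VBScript from a random temp folder
        if image == "wscript.exe" and TEMP_RANDOM_SCRIPT.search(cmd):
            hits.append(("wscript_random_temp_script", i))
        # Stage 3: VBScript -> PowerShell with the execution policy bypassed
        if image == "powershell.exe" and parent == "wscript.exe" and BYPASS.search(cmd):
            hits.append(("vbs_spawns_bypass_powershell", i))
    return hits


def chain_complete(hits) -> bool:
    """True when all three stages of the chain were observed on the host."""
    seen = {name for name, _ in hits}
    return {"lnk_hidden_powershell", "wscript_random_temp_script",
            "vbs_spawns_bypass_powershell"} <= seen


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Each rule alone will fire on some legitimate software (installers and admin scripts also use hidden windows and execution-policy bypass), so the value is in correlating them per host: chain_complete is the condition worth alerting on, and the individual hits are worth hunting on.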
MoonPeak Deployment and the Infection Chain

The downloaded viewpoi.txt PowerShell script retrieves octobor.docx from the GitHub repository macsim-gun/FinalDocu (since taken down) via raw.githubusercontent.com, as reported by IIJ. The commit author was sandamalmacsim@gmail[.]com (a verified account). The script overwrites the file's first seven bytes with a GZIP header (1F 8B 08 00 00 00 00) and decompresses the result in memory to reveal Stella.exe, a .NET binary that is then executed directly through PowerShell's Assembly.Load. (Figure: MoonPeak malware delivered through LNK; source: IIJ.) Stella.exe is MoonPeak, obfuscated with ConfuserEx to hinder decompilers such as dnSpy. IIJ extracted the binary and deobfuscated it with de4dot-cex. Key configuration: C2 at 27.102.137[.]88:443 and the mutex "Dansweit_Hk65-PSAccerdle". IIJ notes that its capabilities align with Trellix's 2025 report on DPRK espionage using GitHub as C2.
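As an added example (not code from the article or from IIJ), the following Python reproduces the unpacking step described above: it re-applies the gzip header over the first seven bytes of a masked file, inflates the result in memory, and runs two cheap triage checks on what comes out. The seven header bytes are the ones the article quotes; everything else is constructed, since the real octobor.docx is not on the page: the sample payload is a minimal MZ/PE-shaped blob carrying the ConfusedByAttribute type name that ConfuserEx stamps into protected assemblies, and the bytes used to mask the gzip header are invented.

```python
import gzip

# Header bytes the loader writes over the first seven bytes of octobor.docx,
# as described by IIJ: gzip magic, CM=8 (deflate), FLG=0, three zero MTIME bytes.
GZIP_PREFIX = bytes.fromhex("1F8B0800000000")

# Constructed stand-in for the real payload: an MZ stub whose e_lfanew points at
# a PE signature, plus the attribute name ConfuserEx leaves in protected assemblies.
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    + b"PE\x00\x00" + b"\x00" * 20
    + b"ConfusedByAttribute" + b"\x00" * 16
)

# Constructed "masked" file: gzip the payload, then clobber its first seven bytes
# so the file no longer carries a gzip signature (the real masking bytes are unknown).
SAMPLE_MASKED = b"PK\x03\x04\x14\x00\x06" + gzip.compress(SAMPLE_PAYLOAD, mtime=0)[len(GZIP_PREFIX):]


def recover_payload(masked: bytes) -> bytes:
    """Re-apply the gzip header over the first seven bytes and inflate in memory,
    mirroring what the PowerShell loader does before Assembly.Load."""
    fixed = GZIP_PREFIX + masked[len(GZIP_PREFIX):]
    return gzip.decompress(fixed)   # raises gzip.BadGzipFile / EOFError on junk input


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the recovered bytes: 'MZ' stub and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_confuserex_marker(data: bytes) -> bool:
    """Crude ConfuserEx hint: the ConfusedByAttribute type name survives in the
    metadata of many ConfuserEx-protected assemblies (absent if it was stripped)."""
    return b"ConfusedByAttribute" in data


def triage(masked: bytes) -> dict:
    """Recover the payload and report size, PE shape and the ConfuserEx hint."""
    payload = recover_payload(masked)
    return {
        "size": len(payload),
        "is_pe": looks_like_pe(payload),
        "confuserex_marker": has_confuserex_marker(payload),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MASKED))
```

On a real sample, pass the raw bytes of the downloaded file to triage; a file that was not masked this way fails the gzip CRC or raises on the header. The ConfuserEx string check is only a hint for hunting: a positive justifies pulling the binary into de4dot-cex, a negative proves nothing, since the attribute can be removed.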
Cisco Talos tracks the actors as UAT-5394.
Hosting payloads on GitHub continues the LOTS (Living Off Trusted Sites) approach. DPRK targets individuals worldwide, not only governments. Defenders should monitor LNK-to-PowerShell execution chains, block the IOCs below, and hunt for ConfuserEx artifacts in .NET binaries.
IoCs

Files (SHA256):
1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f  .pdf.lnk decoy (LNK dropper)
aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279  octobor.docx

IP addresses and domains:
hxxps://raw[.]githubusercontent[.]com/macsim-gun/FinalDocu/main/octobor.docx
27.102.137[.]88:443
mid[.]great-site[.]net