{"id":182679,"date":"2026-04-06T12:19:30","date_gmt":"2026-04-06T12:19:30","guid":{"rendered":"https:\/\/gbhackers.com\/?p=182679"},"modified":"2026-04-06T12:19:35","modified_gmt":"2026-04-06T12:19:35","slug":"github-backed-malware","status":"publish","type":"post","link":"https:\/\/gbhackers.com\/github-backed-malware\/","title":{"rendered":"GitHub-Backed Malware Spread via LNK Files in South Korea"},"content":{"rendered":"\n<p>Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.<\/p>\n\n\n\n<p>The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic. The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts. <\/p>\n\n\n\n<p>These older samples exposed rich metadata, including recurring file names, sizes, and \u201cHangul Document\u201d labels, a pattern often linked with North Korea\u2013aligned groups such as Kimsuky, APT37, and Lazarus.<\/p>\n\n\n\n<p>Over time, the operators upgraded their tooling by adding simple decoding functions and hard\u2011encoding <a href=\"https:\/\/gbhackers.com\/sidewinder-hackers\/\" type=\"post\" id=\"162384\" target=\"_blank\" rel=\"noreferrer noopener\">payloads directly into the LNK arguments<\/a>. 
<\/p>\n\n\n\n<p>When victims open the lure, a legitimate\u2011looking PDF aligned with Korean business themes appears, while the PowerShell code executes silently in the background.<\/p>\n\n\n\n<p>Earlier waves <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">observed since 2024 used basic string concatenation<\/a> to obscure a GitHub C2 URL and an access token, according to FortiGuard Labs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-github-backed-malware\"><strong>GitHub-Backed Malware<\/strong><\/h2>\n\n\n\n<p>The decoded PowerShell script first checks whether it is running in a lab by scanning for virtualization, debugging, and forensic tools, including VMware, VirtualBox, IDA, dnSpy, Wireshark, Fiddler, x64dbg, and Process Hacker processes. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\/_jcr_content\/root\/responsivegrid\/table_content\/par\/image_copy_170990561_1539556313.img.png\/1775080804873\/fig2.png\" alt=\"LNK file with PowerShell script (Source : FortiGuard Labs).\"\/><figcaption class=\"wp-element-caption\">\u00a0LNK file with PowerShell script (Source : FortiGuard Labs).<\/figcaption><\/figure>\n<\/div>\n\n\n<p>If any of these are found, the script exits immediately, blocking analysts from observing later stages. 
When no analysis tools are detected, the script reconstructs Base64\u2011encoded strings and writes a VBScript payload into a randomly named folder under %Temp%.<\/p>\n\n\n\n<p>To survive reboots, the malware registers a hidden <a href=\"https:\/\/gbhackers.com\/microsoft-replacing-vbscript\/\" type=\"post\" id=\"90660\" target=\"_blank\" rel=\"noreferrer noopener\">Scheduled Task that runs the VBScript <\/a>every 30 minutes using wscript.exe, with a long, document\u2011like task name designed to blend into legitimate entries. <\/p>\n\n\n\n<p>The newest variants strip nearly all identifying metadata and keep only a decoder, p1, which takes a file path, length, and XOR key to unpack both a decoy PDF and the next\u2011stage PowerShell script. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\/_jcr_content\/root\/responsivegrid\/table_content\/par\/image_copy_170990561_978012583.img.png\/1775080973114\/fig4.png\" alt=\"LNK file with encoded data (Source : FortiGuard Labs).\"\/><figcaption class=\"wp-element-caption\">\u00a0LNK file with encoded data (Source : FortiGuard Labs).<\/figcaption><\/figure>\n<\/div>\n\n\n<p>This VBScript in turn re\u2011launches the PowerShell payload in a hidden window, ensuring ongoing execution with minimal user visibility. 
<\/p>\n\n\n\n<p>The script also collects detailed host data (OS version, build, last boot time, and process list) and logs it in files named &lt;timestamp>-&lt;IP>-BEGIN.log before uploading them to a GitHub repository via the <a href=\"https:\/\/gbhackers.com\/google-api-keys-leak-sensitive-data\/\" type=\"post\" id=\"179158\" target=\"_blank\" rel=\"noreferrer noopener\">API using a hardcoded access token<\/a>.<\/p>\n\n\n\n<p>Researchers traced these uploads to a GitHub user \u201cmotoralis,\u201d whose private repositories and contribution history line up with spikes in LNK\u2011based phishing activity observed since 2025. <\/p>\n\n\n\n<p>Additional usernames, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip, appear to form a wider infrastructure mix of dormant and newly created accounts. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\/_jcr_content\/root\/responsivegrid\/table_content\/par\/image_1297986176_cop.img.png\/1775082022578\/fig9.png\" alt=\"Attacker's GitHub  (Source : FortiGuard Labs).\"\/><figcaption class=\"wp-element-caption\">Attacker&#8217;s GitHub  (Source : FortiGuard Labs).<\/figcaption><\/figure>\n<\/div>\n\n\n<p>While some accounts stay quiet for months, others activate briefly to provide backup channels, making the C2 layer resilient against takedowns.<\/p>\n\n\n\n<p>Because all payloads and logs are <a href=\"https:\/\/gbhackers.com\/repojacking-github\/\" type=\"post\" id=\"67516\" target=\"_blank\" rel=\"noreferrer noopener\">stored in private GitHub repositories<\/a>, defenders cannot inspect them directly, yet the traffic still looks like normal encrypted GitHub activity that is often allowed in corporate networks. 
<\/p>\n\n\n\n<p>This mirrors a broader trend of threat actors hijacking trusted public platforms, from developer services to file\u2011sharing tools, to host malware and exfiltrate data while evading URL- and domain\u2011based blocking.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-stage-continuous-github-control\"><strong>Final stage: continuous GitHub control<\/strong><\/h2>\n\n\n\n<p>In the third stage, a simpler PowerShell component focuses on keeping a live connection with the GitHub\u2011hosted C2. <\/p>\n\n\n\n<p>It regularly pulls commands or additional modules from a raw GitHub file path under the motoralis repository, using the <a href=\"https:\/\/gbhackers.com\/tornet-backdoor-exploits-windows-scheduled-tasks\/\" type=\"post\" id=\"119425\" target=\"_blank\" rel=\"noreferrer noopener\">Scheduled Task created earlier<\/a> as its heartbeat. <\/p>\n\n\n\n<p>A dedicated \u201ckeep\u2011alive\u201d script also gathers live network configuration data and pushes it back to GitHub with the PUT method, saving logs under paths formatted as &lt;Date>_&lt;Time>-&lt;IP>-Real.log.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.fortinet.com\/blog\/threat-research\/dprk-related-campaigns-with-lnk-and-github-c2\/_jcr_content\/root\/responsivegrid\/table_content\/par\/image_1297986176_cop_1603139719.img.png\/1775082153422\/fig12.png\" alt=\"Attack chain (Source : FortiGuard Labs). \"\/><figcaption class=\"wp-element-caption\">Attack chain (Source : FortiGuard Labs). <\/figcaption><\/figure>\n<\/div>\n\n\n<p>By chaining LNK shortcuts, native Windows scripting (PowerShell and VBScript), Scheduled Tasks, and GitHub APIs, the attackers avoid traditional executable droppers and reduce their on\u2011disk footprint. 
<\/p>\n\n\n\n<p>Security teams are advised to treat unexpected LNK and document files with caution, tighten monitoring around PowerShell and wscript activity, and baseline GitHub usage to spot unusual API calls or access patterns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea. The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic. The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts. 
These older [&hellip;]<\/p>\n","protected":false},"author":52,"featured_media":182687,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3710,1931,5575,13],"tags":[1621,1939,44],"class_list":{"0":"post-182679","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security","8":"category-cyber-security-news","9":"category-github","10":"category-malware","11":"tag-cyber-security","12":"tag-cyber-security-news","13":"tag-malware"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.6 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>GitHub-Backed Malware Spread via LNK Files in South Korea<\/title>\n<meta name=\"description\" content=\"Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/gbhackers.com\/github-backed-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GitHub-Backed Malware Spread via LNK Files in South Korea\" \/>\n<meta property=\"og:description\" content=\"Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/gbhackers.com\/github-backed-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"GBHackers Security | #1 Globally Trusted Cyber Security News Platform\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-06T12:19:30+00:00\" 
\/>\n<meta property=\"article:modified_time\" content=\"2026-04-06T12:19:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Mayura Kathir\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mayura Kathir\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"NewsArticle\",\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/\"},\"author\":{\"name\":\"Mayura Kathir\",\"@id\":\"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428\"},\"headline\":\"GitHub-Backed Malware Spread via LNK Files in South Korea\",\"datePublished\":\"2026-04-06T12:19:30+00:00\",\"dateModified\":\"2026-04-06T12:19:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/\"},\"wordCount\":695,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp\",\"keywords\":[\"cyber security\",\"Cyber Security News\",\"Malware\"],\"articleSection\":[\"cyber security\",\"Cyber Security 
News\",\"GitHub\",\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/gbhackers.com\/github-backed-malware\/#respond\"]}],\"copyrightYear\":\"2026\",\"copyrightHolder\":{\"@id\":\"https:\/\/gbhackers.com\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/\",\"url\":\"https:\/\/gbhackers.com\/github-backed-malware\/\",\"name\":\"GitHub-Backed Malware Spread via LNK Files in South Korea\",\"isPartOf\":{\"@id\":\"https:\/\/gbhackers.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp\",\"datePublished\":\"2026-04-06T12:19:30+00:00\",\"dateModified\":\"2026-04-06T12:19:35+00:00\",\"author\":{\"@id\":\"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428\"},\"description\":\"Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.\",\"breadcrumb\":{\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/gbhackers.com\/github-backed-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage\",\"url\":\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp\",\"contentUrl\":\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp\",\"width\":1600,\"height\":900,\"caption\":\"GitHub-Backed Malware Spread via LNK Files in South 
Korea\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/gbhackers.com\/github-backed-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/gbhackers.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"GitHub-Backed Malware Spread via LNK Files in South Korea\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/gbhackers.com\/#website\",\"url\":\"https:\/\/gbhackers.com\/\",\"name\":\"GBHackers Security | #1 Globally Trusted Cyber Security News Platform\",\"description\":\"GBhackers Offering Exclusive Cyber Security News Coverage, New Research papers &amp; Technology Updates.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/gbhackers.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428\",\"name\":\"Mayura Kathir\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/gbhackers.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fb526fdee24265698b1b6c6a44de0e17df52aab45a9582f55fab5b8a5928c4cf?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fb526fdee24265698b1b6c6a44de0e17df52aab45a9582f55fab5b8a5928c4cf?s=96&d=mm&r=g\",\"caption\":\"Mayura Kathir\"},\"description\":\"Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.\",\"sameAs\":[\"https:\/\/gbhackers.com\/\"],\"url\":\"https:\/\/gbhackers.com\/author\/mayura\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"GitHub-Backed Malware Spread via LNK Files in South Korea","description":"Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/gbhackers.com\/github-backed-malware\/","og_locale":"en_US","og_type":"article","og_title":"GitHub-Backed Malware Spread via LNK Files in South Korea","og_description":"Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.","og_url":"https:\/\/gbhackers.com\/github-backed-malware\/","og_site_name":"GBHackers Security | #1 Globally Trusted Cyber Security News Platform","article_published_time":"2026-04-06T12:19:30+00:00","article_modified_time":"2026-04-06T12:19:35+00:00","og_image":[{"width":1600,"height":900,"url":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","type":"image\/webp"}],"author":"Mayura Kathir","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mayura Kathir","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/gbhackers.com\/github-backed-malware\/#article","isPartOf":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/"},"author":{"name":"Mayura Kathir","@id":"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428"},"headline":"GitHub-Backed Malware Spread via LNK Files in South Korea","datePublished":"2026-04-06T12:19:30+00:00","dateModified":"2026-04-06T12:19:35+00:00","mainEntityOfPage":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/"},"wordCount":695,"commentCount":0,"image":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","keywords":["cyber security","Cyber Security News","Malware"],"articleSection":["cyber security","Cyber Security News","GitHub","Malware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/gbhackers.com\/github-backed-malware\/#respond"]}],"copyrightYear":"2026","copyrightHolder":{"@id":"https:\/\/gbhackers.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/gbhackers.com\/github-backed-malware\/","url":"https:\/\/gbhackers.com\/github-backed-malware\/","name":"GitHub-Backed Malware Spread via LNK Files in South Korea","isPartOf":{"@id":"https:\/\/gbhackers.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage"},"image":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","datePublished":"2026-04-06T12:19:30+00:00","dateModified":"2026-04-06T12:19:35+00:00","author":{"@id":"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428"},"description":"Hackers are abusing Windows shortcut files and 
GitHub to run a stealthy, multi\u2011stage malware campaign against organizations in South Korea.","breadcrumb":{"@id":"https:\/\/gbhackers.com\/github-backed-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/gbhackers.com\/github-backed-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/gbhackers.com\/github-backed-malware\/#primaryimage","url":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","contentUrl":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","width":1600,"height":900,"caption":"GitHub-Backed Malware Spread via LNK Files in South Korea"},{"@type":"BreadcrumbList","@id":"https:\/\/gbhackers.com\/github-backed-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/gbhackers.com\/"},{"@type":"ListItem","position":2,"name":"GitHub-Backed Malware Spread via LNK Files in South Korea"}]},{"@type":"WebSite","@id":"https:\/\/gbhackers.com\/#website","url":"https:\/\/gbhackers.com\/","name":"GBHackers Security | #1 Globally Trusted Cyber Security News Platform","description":"GBhackers Offering Exclusive Cyber Security News Coverage, New Research papers &amp; Technology Updates.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/gbhackers.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/gbhackers.com\/#\/schema\/person\/a4af1382fc74bb74e535a4cee4f1b428","name":"Mayura 
Kathir","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/gbhackers.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fb526fdee24265698b1b6c6a44de0e17df52aab45a9582f55fab5b8a5928c4cf?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fb526fdee24265698b1b6c6a44de0e17df52aab45a9582f55fab5b8a5928c4cf?s=96&d=mm&r=g","caption":"Mayura Kathir"},"description":"Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.","sameAs":["https:\/\/gbhackers.com\/"],"url":"https:\/\/gbhackers.com\/author\/mayura\/"}]}},"jetpack_featured_media_url":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/04\/Untitled-design-2026-04-06T174715.788.webp","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/posts\/182679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/comments?post=182679"}],"version-history":[{"count":8,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/posts\/182679\/revisions"}],"predecessor-version":[{"id":182688,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/posts\/182679\/revisions\/182688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/media\/182687"}],"wp:attachment":[{"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/media?parent=182679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/categories?post=182679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gbhackers.com\/wp-json\/wp\/v2\/tags?post=182679"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}