Threat actors likely linked to the DPRK used obfuscated Windows LNK files delivered via phishing to drop decoy PDFs and PowerShell scripts, initiating multi-stage attacks against South Korean organizations. The PowerShell payload performs anti-analysis checks, establishes persistence via scheduled tasks, exfiltrates host profiles to a GitHub repository (motoralis) using a hard-coded token, and fetches additional modules from the same repo to maintain C2. #Kimsuky #GitHub
Key points
- Kimsuky-linked actors use phishing-distributed LNK files to start the infection chain.
- LNK files drop a decoy PDF while a hidden PowerShell script runs anti-analysis checks and extracts a VBScript.
- The attacker achieves persistence with a scheduled task that runs the PowerShell payload every 30 minutes in a hidden window.
- Compromised host profiles are exfiltrated to a GitHub repo using a hard-coded token, and additional modules/instructions are pulled from the same repository.
- Related campaigns have deployed Xeno RAT, MoonPeak, and RokRAT via alternate droppers and C2 channels (Dropbox, remote servers), favoring native Windows tools to evade detection.
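As an added illustration that is not code from the report or from this post, the following Python turns the three behaviours in the key points into hunt rules and runs them over constructed telemetry: a hidden-window PowerShell spawned by explorer.exe (the shape an LNK double-click leaves), a scheduled task that runs hidden PowerShell on a short repetition interval, and PowerShell talking to GitHub's API/raw endpoints. The telemetry field names, the task name, the GitHub hostnames used as C2 endpoints and the `<user>/<repo>` path are this example's assumptions, not values from the report.

```python
"""Hunt rules for an LNK -> hidden PowerShell -> scheduled task -> GitHub C2 chain.

The sample records below are constructed for this example. Their shape mimics a
generic EDR process feed, a scheduled-task inventory and an egress proxy log; the
field names are this example's own, not any vendor's.
"""
import re

SAMPLE_PROCESSES = [
    {"pid": 4412, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # A user opened a phishing LNK: explorer launches hidden PowerShell, which shows
    # the decoy PDF while the real script runs.
    {"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\report.ps1"},
    # The scheduled-task instance later on (parent is the task-hosting svchost).
    {"pid": 6008, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -w hidden -nop -File C:\Users\alice\AppData\Roaming\svc.ps1"},
    # Benign: an interactive, visible PowerShell started from the Start menu.
    {"pid": 7001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoLogo"},
    # Benign: developer tooling that legitimately talks to GitHub.
    {"pid": 7100, "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "git fetch origin"},
]

SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "args": "-c -h -o -$", "interval_minutes": 10080},
    {"name": r"\OneDriveSync",  # constructed lure name, not from the report
     "command": "powershell.exe",
     "args": r"-WindowStyle Hidden -nop -File C:\Users\alice\AppData\Roaming\svc.ps1",
     "interval_minutes": 30},
]

SAMPLE_NETWORK = [  # <user>/<repo> is a placeholder, not the real repository path
    {"pid": 6008, "dest_host": "api.github.com", "method": "PUT",
     "path": "/repos/<user>/<repo>/contents/hosts/WS-0123.txt", "has_auth_header": True},
    {"pid": 6008, "dest_host": "raw.githubusercontent.com", "method": "GET",
     "path": "/<user>/<repo>/main/module1.txt", "has_auth_header": False},
    {"pid": 7100, "dest_host": "github.com", "method": "POST",
     "path": "/<user>/<repo>.git/git-upload-pack", "has_auth_header": True},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous parameter prefixes, so -w, -win and -WindowStyle
# all select the WindowStyle parameter; match any of them followed by "hidden".
HIDDEN_WINDOW_RE = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
# Assumed C2 endpoints: hosts a script would use to read/write repo contents.
GITHUB_C2_HOSTS = {"api.github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_powershell(image: str) -> bool:
    return _basename(image) in POWERSHELL_IMAGES


def hidden_powershell_from_explorer(processes) -> list:
    """PIDs of hidden-window PowerShell whose parent is explorer.exe, the tree an
    LNK whose target is a PowerShell command line leaves behind."""
    return [p["pid"] for p in processes
            if is_powershell(p["image"])
            and _basename(p["parent_image"]) == "explorer.exe"
            and HIDDEN_WINDOW_RE.search(p["cmdline"])]


def suspicious_tasks(tasks, max_interval_minutes: int = 60) -> list:
    """Names of scheduled tasks that run hidden PowerShell on a short repetition
    interval (the report describes a 30-minute task)."""
    return [t["name"] for t in tasks
            if is_powershell(t["command"])
            and HIDDEN_WINDOW_RE.search(t["args"])
            and t["interval_minutes"] <= max_interval_minutes]


def powershell_github_api(network, processes) -> list:
    """(pid, host) pairs where a PowerShell process reached GitHub's API or raw
    hosts. git clients and browsers mostly hit github.com itself, so API/raw
    traffic originating from powershell.exe is the more useful signal."""
    ps_pids = {p["pid"] for p in processes if is_powershell(p["image"])}
    return [(n["pid"], n["dest_host"]) for n in network
            if n["pid"] in ps_pids and n["dest_host"] in GITHUB_C2_HOSTS]


def hunt(processes, tasks, network) -> list:
    """Run all three rules and return one finding dict per hit."""
    findings = []
    for pid in hidden_powershell_from_explorer(processes):
        findings.append({"rule": "lnk_hidden_powershell", "pid": pid})
    for name in suspicious_tasks(tasks):
        findings.append({"rule": "short_interval_hidden_powershell_task", "task": name})
    for pid, host in powershell_github_api(network, processes):
        findings.append({"rule": "powershell_to_github_api", "pid": pid, "host": host})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES, SAMPLE_TASKS, SAMPLE_NETWORK):
        print(finding)
```

Each rule alone produces some benign noise (admins schedule hidden PowerShell, developers script against the GitHub API), so the practical use is correlating them on one host: a hidden PowerShell child of explorer.exe, followed by a new short-interval task whose PowerShell instance then writes to the GitHub API, is the whole chain from the key points above.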
Read More: https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html