A newly identified campaign linked to North Korean state-sponsored threat actors is using Windows shortcut files, known as LNK files, to launch targeted phishing attacks against organizations in South Korea.
What makes this campaign alarming is how attackers conceal their operations inside GitHub, one of the most trusted platforms on the internet, converting it into a covert Command and Control (C2) channel.
Since GitHub is widely trusted and often whitelisted in corporate environments, malicious traffic sent through it blends seamlessly with normal web activity.
The campaign traces back to at least 2024, but has grown more sophisticated over time. Early versions of the LNK files contained less obfuscation and retained metadata that allowed security researchers to track and connect the attacks.
Those earlier variants were also linked to the distribution of XenoRAT malware. In recent months, the threat actor evolved their approach, embedding decoding functions directly within LNK file arguments and hiding encoded payloads inside the files themselves.
Decoy PDF documents are displayed to victims at infection, giving the impression that a legitimate file opened normally while a malicious script quietly executes in the background.
FortiGuard Labs researchers, led by analyst Cara Lin, identified this campaign, noting that decoy PDF titles gathered from attack samples suggest the threat actor is deliberately targeting specific companies in South Korea as part of a broader surveillance effort.
Metadata patterns found in the LNK files, particularly the naming convention “Hangul Document,” align with tactics used by North Korean state-sponsored groups, including Kimsuky, APT37, and Lazarus.
The campaign has been rated High severity, since stolen data can fuel follow-on attacks, with Microsoft Windows as the affected platform.
The geographic focus and technical precision point to a calculated, resource-backed operation rather than opportunistic crime.
The threat actor carefully built lure documents around topics relevant to Korean business settings, such as financial proposals and strategic partnership agreements.
File names like “TRAMS WINBOT AI Strategic Proposal.pdf.lnk” and “(CONFIDENTIAL) AIN x Mine Korea 2026.pdf.lnk” show how deliberately each decoy was crafted to appear authentic and trustworthy to the recipient.
The broader purpose appears to be long-term surveillance and intelligence collection. By maintaining access through scheduled tasks that trigger every 30 minutes and using private GitHub repositories to store stolen logs and receive new instructions, the attacker monitors compromised systems quietly over time.
Since all communication runs over encrypted HTTPS traffic to a trusted domain, it routinely slips past standard perimeter defenses without raising flags.
Multi-Stage Infection Mechanism
The attack starts when a victim opens what looks like a regular PDF document. The file is actually an LNK shortcut that silently triggers a PowerShell script.
.webp)
An XOR-based decoding function inside the LNK file extracts both the decoy PDF and the malicious script, while the decoy document distracts the victim.
.webp)
Once active, the PowerShell script checks the environment for virtual machines, debuggers, and forensic tools.
.webp)
If none are detected, it drops a VBScript file and sets up a scheduled task running the payload every 30 minutes to sustain persistence.
.webp)
The script then collects OS version, boot time, and running process data, uploading it to an attacker-controlled GitHub repository.
.webp)
In the final stage, the malware pulls new instructions from GitHub, while a keep-alive script sends live network data to the attacker for real-time monitoring.
.webp)
Users and security teams should treat unsolicited LNK and PDF files with caution, regardless of appearance.
Environments should be monitored for unusual PowerShell or VBScript activity, and any unexpected outbound connections to GitHub API endpoints should be investigated immediately.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
