Researchers from FortiGuard Labs have uncovered a high-severity spying campaign targeting South Korean companies. Discover how North Korean hackers are using LNK files, hidden PowerShell scripts, and legitimate GitHub repositories to evade detection and steal sensitive system data from Windows users.
A group of North Korean hackers has been caught using a clever trick to peek into the computers of various businesses across South Korea. While these attacks can be traced back to 2024, researchers at Fortinet’s FortiGuard Labs have found that the hackers recently updated their methods to be far more secretive, and the key targets are Microsoft Windows users, putting corporate environments at risk.
The North Korean Connection
Researchers noted that the fingerprints left behind in this campaign point toward North Korean state-sponsored groups like Kimsuky, APT37, or Lazarus. One of the biggest giveaways is the use of the label Hangul Document, a naming pattern famously used by these groups to target Korean users.
These attackers are masters of social engineering. Instead of using one story, they employ multiple phishing themes, ranging from fake purchase orders to technical papers, to bait different employees. By switching up these lures, they can target a much broader audience with a higher success rate.
Further investigation revealed they now avoid obvious malware, choosing instead to abuse native Windows tools like PowerShell, VBScript, and WScript. Because these built-in features are trusted and rarely flagged, the attackers stay hidden and keep detection rates very low.
The Trap
The attack doesn’t start with a complex virus, but with a simple shortcut file known as an LNK file. To the average worker, these look like harmless office documents, but the moment a user double-clicks, a decoy PDF pops up to keep them occupied while a silent script harvests system information in the background.
According to the researchers, this script first checks for analysis tools such as Wireshark, Fiddler, x64dbg, and Procmon, and even looks for signs of a virtual machine, such as the vmtoolsd process (the VMware Tools service). If it finds any of these, it shuts down instantly to avoid being studied. If the coast is clear, it XOR-encodes its code to hide from basic antivirus software.
Hiding in the Cloud
The most effective part of the operation is how the hackers communicate. Instead of relying on their own servers, they use GitHub to move data. Fortinet researchers identified accounts such as motoralis, Pigresy80, and brandonleeodd93-blip, where stolen information is stored in private repositories. Because GitHub is widely trusted, this traffic often passes through corporate security systems without being flagged.

To maintain access, they register a Scheduled Task disguised as a technical paper, the “Creata Chain Task”, which wakes the malware every 30 minutes. Researchers warned in the blog post that “this combination of legitimate tools and trusted web services creates a highly effective infection chain.”
While earlier versions spread the XenoRAT malware, the current version focuses on deep surveillance. It steals OS versions, build numbers, and active process lists, sending a keep-alive log back to the hackers. Since these attacks rely on Windows’ own built-in tools, defending against them requires treating any unexpected file, shortcuts included, with caution.
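The three behaviours described above (a hidden PowerShell launched from a shortcut, a short-interval scheduled task, and script hosts talking to GitHub) can be turned into simple detection rules over process-creation telemetry. The following is an added example, not code from the Fortinet report; the records, field names, task name and repository path are constructed.

```python
import re
from typing import Dict, List

# Constructed, simplified process-creation records (Sysmon Event ID 1 style);
# not taken from the Fortinet report. Task name and paths are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File decoy.ps1"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'schtasks.exe /Create /SC MINUTE /MO 30 /TN "Technical Paper Update" /TR "wscript.exe x.vbs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": 'powershell.exe -Command "Invoke-RestMethod https://api.github.com/repos/EXAMPLE/EXAMPLE/contents"'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "notepad.exe report.txt"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
GITHUB_HOSTS = ("api.github.com", "raw.githubusercontent.com", "github.com")
# Flags typical of a shortcut-launched script that must not show a console window.
HIDDEN_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)
RECURRING_TASK = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three behaviour rules drawn from the reported chain; return findings in order."""
    findings: List[Dict[str, str]] = []
    for i, ev in enumerate(events):
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
        # Rule 1: explorer.exe (i.e. a double-clicked shortcut) starts a hidden script host.
        if img in SCRIPT_HOSTS and parent == "explorer.exe" and HIDDEN_FLAGS.search(cmd):
            findings.append({"event": str(i), "rule": "lnk_hidden_script_host"})
        # Rule 2: a script host registers a task that fires every hour or more often.
        if img == "schtasks.exe" and parent in SCRIPT_HOSTS:
            m = RECURRING_TASK.search(cmd)
            if m and int(m.group(1)) <= 60:
                findings.append({"event": str(i), "rule": "scripted_recurring_task",
                                 "interval_min": m.group(1)})
        # Rule 3: a script host reaches GitHub directly, the channel used for staging and exfil.
        if img in SCRIPT_HOSTS and any(h in cmd.lower() for h in GITHUB_HOSTS):
            findings.append({"event": str(i), "rule": "script_host_github_traffic"})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

Rule 3 will also fire on legitimate developer tooling, so in production it belongs in a correlation with rules 1 or 2 on the same host rather than as a stand-alone alert.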
Expert Insights
Several industry experts shared their thoughts on the campaign with Hackread.com. Jason Soroko, Senior Fellow at Sectigo, noted that modern cyber espionage has “shifted toward a highly evasive strategy known as living off the land.” He explained that “by relying on native utilities like PowerShell and scheduled tasks instead of dropping recognizable custom malware, these attackers turn a network’s own administrative functions against the organization.”
Furthermore, Mr. Jamie Boote, Senior Manager at Black Duck, highlighted how “this attack demonstrates how malicious actors can turn legitimate infrastructure into a novel attack surface.” He pointed out that “the fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors.”