Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi-stage malware campaign against organizations in South Korea.
The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic.
The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts.
These older samples exposed rich metadata, including recurring file names, sizes, and "Hangul Doc" labels, a pattern often linked with North Korea-aligned groups such as Kimsuky, APT37, and Lazarus.
Over time, the operators upgraded their tooling by adding simple decoding capabilities and hard-coding payloads directly into the LNK arguments.
When victims open the lure, a legitimate-looking PDF aligned with Korean business themes appears, while the PowerShell code executes silently in the background.
Earlier waves observed since 2024 used basic string concatenation to obscure a GitHub C2 URL and an access token, according to FortiGuard Labs.
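The article describes lures that carry a decoy PDF and the next-stage PowerShell script XOR-encoded inside the shortcut, unpacked by a small decoder (file path, length, XOR key). The following is an added analyst-side carver for triaging such a file; it is not the campaign's decoder or FortiGuard's tooling. The explicit region offsets, the multi-byte key support, and the sample "lure" file it builds are assumptions constructed for the demo.

```python
"""Analyst-side carver for a lure file that embeds XOR-encoded payloads.

Added example, not code from the campaign or the vendor. It models the
(path, length, key) interface the article attributes to the p1 decoder;
the explicit offset argument and the constructed sample are assumptions.
"""
import os
import tempfile

PDF_MAGIC = b"%PDF-"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single-byte key is the common case)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_region(path: str, offset: int, length: int, key: bytes) -> bytes:
    """Read `length` bytes at `offset` from `path` and XOR-decode them.

    The offset is an assumption added here; the article only names path,
    length and key as the decoder's inputs.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read(length)
    if len(chunk) != length:
        raise ValueError(f"short read: wanted {length} bytes at {offset}, got {len(chunk)}")
    return xor_bytes(chunk, key)


def _looks_like_text(data: bytes) -> bool:
    """True if the blob decodes as printable UTF-8 (what a script stage should be)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def carve_lure(path, pdf_offset, pdf_length, script_offset, script_length, key):
    """Recover both embedded artifacts and sanity-check each one.

    Returns the decoded bytes plus validity flags, so a wrong key or a
    mis-measured region is caught instead of producing garbage silently.
    """
    pdf = decode_region(path, pdf_offset, pdf_length, key)
    script = decode_region(path, script_offset, script_length, key)
    return {
        "pdf": pdf,
        "pdf_ok": pdf.startswith(PDF_MAGIC),
        "script": script,
        "script_ok": _looks_like_text(script),
    }


# --- constructed sample (not a real lure) ------------------------------------
DEMO_KEY = b"\x5a"
DEMO_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
DEMO_SCRIPT = b"Write-Host 'constructed next-stage placeholder'\n"
DEMO_HEADER = b"L\x00\x00\x00" + b"\x00" * 60  # stands in for shortcut header bytes


def build_constructed_sample(path: str) -> dict:
    """Write a fake lure and return the layout an analyst would pass to carve_lure."""
    with open(path, "wb") as fh:
        fh.write(DEMO_HEADER)
        pdf_offset = fh.tell()
        fh.write(xor_bytes(DEMO_PDF, DEMO_KEY))
        script_offset = fh.tell()
        fh.write(xor_bytes(DEMO_SCRIPT, DEMO_KEY))
    return {
        "pdf_offset": pdf_offset, "pdf_length": len(DEMO_PDF),
        "script_offset": script_offset, "script_length": len(DEMO_SCRIPT),
        "key": DEMO_KEY,
    }


def demo() -> dict:
    """Build the sample in a temp dir, carve it, clean up, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_lure.lnk")
        layout = build_constructed_sample(sample)
        return carve_lure(sample, **layout)


if __name__ == "__main__":
    out = demo()
    print("decoy PDF valid:", out["pdf_ok"], "| next stage is text:", out["script_ok"])
```

On a real sample the region lengths and key come from the decoder logic in the LNK arguments; the validity flags are the check to run before trusting the output, since a one-byte-off length or the wrong key yields bytes that fail the PDF magic and text checks.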
GitHub-Backed Malware
The decoded PowerShell script first checks whether it is running in a lab by scanning for virtualization, debugging, and forensic tools, including VMware, VirtualBox, IDA, dnSpy, Wireshark, Fiddler, x64dbg, and Process Hacker processes.
If any of these are found, the script exits immediately, blocking analysts from observing later stages. When no analysis tools are detected, the script reconstructs Base64-encoded strings and writes a VBScript payload into a randomly named folder under %Temp%.
To survive reboots, the malware registers a hidden Scheduled Task that runs the VBScript every 30 minutes using wscript.exe, with a long, document-like task name designed to blend into legitimate entries.
The latest variants strip nearly all identifying metadata and keep only a decoder, p1, which takes a file path, length, and XOR key to unpack both a decoy PDF and the next-stage PowerShell script.
The VBScript dropped under %Temp% in turn re-launches the PowerShell payload in a hidden window, ensuring ongoing execution with minimal user visibility.
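The chain above (PowerShell writing a VBScript under %Temp%, a Scheduled Task running it through wscript.exe every 30 minutes under a document-like name, and the VBScript re-launching hidden PowerShell) leaves host telemetry that a hunt can key on. The following is an added example of such hunting logic; it is not FortiGuard's detection content. The event records are constructed, the field names assume a Sysmon-style process-creation shape and a simplified task-registration shape, and the document-keyword list used for task names is a heuristic of my own.

```python
"""Hunting rules for the LNK -> PowerShell -> VBScript -> Scheduled Task chain.

Added example, not the vendor's or the campaign's code. Events below are
constructed; field names follow an assumed Sysmon-like process shape and a
simplified scheduled-task shape. Thresholds and keyword lists are heuristics.
"""
import re

TEMP_PATH = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_PS = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
DOC_TOKENS = ("hwp", "docx", "pdf", "report", "contract", "invoice")  # heuristic
LONG_NAME = 40  # task names longer than this plus a document word look staged


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event."""
    image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
    cmd = ev["command_line"]
    rules = []
    if image == "wscript.exe" and ".vbs" in cmd.lower() and TEMP_PATH.search(cmd):
        rules.append("wscript_temp_vbs")          # script engine running a .vbs from a temp dir
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "wscript.exe":
            rules.append("powershell_from_wscript")   # VBScript relaunching PowerShell
        if HIDDEN_PS.search(cmd):
            rules.append("powershell_hidden_window")
        if ENCODED_PS.search(cmd):
            rules.append("powershell_encoded_command")
    return [{"host": ev["host"], "rule": r, "evidence": cmd} for r in rules]


def check_task(task: dict) -> list:
    """Rules for a scheduled-task registration record."""
    exe, args, name = basename(task["exec"]), task.get("args", ""), task["name"]
    rules = []
    if exe in ("wscript.exe", "cscript.exe") and TEMP_PATH.search(args):
        rules.append("task_runs_temp_script")
    if task.get("repeat_minutes") == 30 and exe in SCRIPT_ENGINES:
        rules.append("task_30min_script_engine")  # matches the reported heartbeat cadence
    if len(name) > LONG_NAME and any(t in name.lower() for t in DOC_TOKENS):
        rules.append("task_document_like_name")
    return [{"host": task["host"], "rule": r, "evidence": f"{name}: {exe} {args}"} for r in rules]


def hunt(events) -> list:
    findings = []
    for ev in events:
        findings.extend(check_task(ev) if ev["kind"] == "task" else check_process(ev))
    return findings


# Constructed telemetry (not real data). The encoded-command value is a
# harmless placeholder string, not a decoded payload from any sample.
CONSTRUCTED_EVENTS = [
    {"kind": "process", "host": "WS-17", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wscript.exe C:\Users\jkim\AppData\Local\Temp\k3f9x2\update.vbs"},
    {"kind": "process", "host": "WS-17",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                     "-EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"kind": "process", "host": "DEV-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Code.exe",
     "command_line": "powershell.exe -NoProfile -File build.ps1"},
    {"kind": "task", "host": "WS-17",
     "name": "Monthly Financial Report 2025 Q1 Review Document Update Service",
     "exec": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\jkim\AppData\Local\Temp\k3f9x2\update.vbs", "repeat_minutes": 30},
    {"kind": "task", "host": "DEV-01", "name": "OneDrive Standalone Update Task",
     "exec": r"C:\Program Files\OneDrive\OneDriveStandaloneUpdater.exe",
     "args": "", "repeat_minutes": 1440},
]

if __name__ == "__main__":
    for f in hunt(CONSTRUCTED_EVENTS):
        print(f["host"], f["rule"], "|", f["evidence"])
```

Any single rule here fires on benign activity now and then; the signal is several of them on one host within a short window (script engine from a temp path, then hidden or encoded PowerShell with wscript.exe as parent, plus a fresh 30-minute task), which is how the findings should be correlated in practice.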
The script also collects detailed host data, including OS version, build, last boot time, and process list, and logs it in files named
Researchers traced these uploads to a GitHub user "motoralis," whose private repositories and contribution history line up with spikes in LNK-based phishing activity observed since 2025.
Additional usernames, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip, appear to form a wider infrastructure mix of dormant and newly created accounts.
While some accounts stay quiet for months, others activate briefly to provide backup channels, making the C2 layer resilient against takedowns.
Because all payloads and logs are stored in private GitHub repositories, defenders cannot inspect them directly, yet the traffic still looks like normal encrypted GitHub activity, which is often allowed in corporate networks.
This mirrors a broader trend of threat actors hijacking trusted public platforms, from developer services to file-sharing tools, to host malware and exfiltrate data while evading URL- and domain-based blocking.
Final stage: continuous GitHub control
In the third stage, a simpler PowerShell component focuses on maintaining a live connection with the GitHub-hosted C2.
It regularly pulls commands or additional modules from a raw GitHub file path under the motoralis repository, using the Scheduled Task created earlier as its heartbeat.
A dedicated "keep-alive" script also gathers live network configuration data and pushes it back to GitHub with the PUT method, saving logs under paths formatted as
By chaining LNK shortcuts, native Windows scripting (PowerShell and VBScript), Scheduled Tasks, and GitHub APIs, the attackers avoid traditional executable droppers and reduce their on-disk footprint.
Security teams are advised to treat unexpected LNK and document files with caution, tighten monitoring around PowerShell and wscript activity, and baseline GitHub usage to spot unusual API calls or access patterns.
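The last recommendation, baselining GitHub usage to spot unusual API calls and access patterns, combines with the stage-three behaviour described above: periodic pulls of a raw GitHub file as a heartbeat and PUT uploads of log files through the contents API. The following is an added example of that review over proxy logs; it is not FortiGuard's or GitHub's tooling. The key=value log format is an assumption about the proxy, the log lines are constructed, the account and repository names are placeholders rather than the accounts named in the article, and the developer-host baseline is assumed.

```python
"""Baseline-driven review of outbound GitHub traffic in proxy logs.

Added example, not the vendor's or the campaign's code. Log lines are
constructed in an assumed key=value proxy format; account/repo names are
placeholders; DEV_BASELINE is an assumed list of hosts expected to push.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

CONSTRUCTED_LOG = """\
ts=2025-03-03T09:00:05+00:00 host=WS-17 method=GET url=https://raw.githubusercontent.com/example-account/example-repo/main/cmd.txt status=200
ts=2025-03-03T09:30:07+00:00 host=WS-17 method=GET url=https://raw.githubusercontent.com/example-account/example-repo/main/cmd.txt status=200
ts=2025-03-03T10:00:04+00:00 host=WS-17 method=GET url=https://raw.githubusercontent.com/example-account/example-repo/main/cmd.txt status=200
ts=2025-03-03T10:30:06+00:00 host=WS-17 method=GET url=https://raw.githubusercontent.com/example-account/example-repo/main/cmd.txt status=200
ts=2025-03-03T10:31:11+00:00 host=WS-17 method=PUT url=https://api.github.com/repos/example-account/example-repo/contents/logs/WS-17_netcfg.txt status=201
ts=2025-03-03T09:12:40+00:00 host=DEV-01 method=PUT url=https://api.github.com/repos/example-account/internal-tool/contents/README.md status=200
ts=2025-03-03T11:05:00+00:00 host=DEV-01 method=GET url=https://raw.githubusercontent.com/example-account/internal-tool/main/setup.sh status=200
ts=2025-03-03T14:20:00+00:00 host=WS-20 method=GET url=https://github.com/ status=200
"""

DEV_BASELINE = {"DEV-01"}  # assumed: hosts whose role includes publishing to GitHub
KV = re.compile(r"(\w+)=(\S+)")
CONTENTS_API = re.compile(r"^https://api\.github\.com/repos/[^/]+/[^/]+/contents/")
RAW_HOST = "https://raw.githubusercontent.com/"


def parse(log_text: str) -> list:
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(KV.findall(line)) for line in log_text.splitlines() if line.strip()]


def flag_uploads(records, baseline=DEV_BASELINE) -> list:
    """PUT/POST to the contents API from a host not expected to publish to GitHub."""
    return [r for r in records
            if r["method"] in ("PUT", "POST")
            and CONTENTS_API.match(r["url"])
            and r["host"] not in baseline]


def flag_heartbeats(records, min_hits=3, tolerance_s=120) -> list:
    """Repeated GETs of one raw file at a near-constant interval (command polling).

    For each (host, url) series with at least min_hits requests, compute the
    gaps between consecutive requests; if every gap sits within tolerance_s
    of the median gap, the pattern is machine-driven rather than a person.
    """
    series = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["url"].startswith(RAW_HOST):
            series[(r["host"], r["url"])].append(datetime.fromisoformat(r["ts"]))
    hits = []
    for (host, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance_s for g in gaps):
            hits.append({"host": host, "url": url, "period_s": med, "hits": len(times)})
    return hits


def review(log_text: str = CONSTRUCTED_LOG, baseline=DEV_BASELINE) -> dict:
    records = parse(log_text)
    return {"uploads": flag_uploads(records, baseline), "heartbeats": flag_heartbeats(records)}


if __name__ == "__main__":
    result = review()
    for u in result["uploads"]:
        print("unexpected upload:", u["host"], u["method"], u["url"])
    for h in result["heartbeats"]:
        print(f"heartbeat: {h['host']} polls {h['url']} every {h['period_s']/60:.0f} min ({h['hits']} hits)")
```

The baseline is what keeps this usable: a developer workstation pushing README changes is normal, while a finance workstation issuing PUTs to the contents API and polling one raw file every 30 minutes is the pattern worth a ticket. The tolerance window matters too, because real heartbeats drift by seconds (as in the constructed data), so an exact-interval match would miss them.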