# North Korean Hackers Leverage GitHub for C2 in Multi-Stage Attacks Against South Korean Organizations
Threat actors linked to North Korea are actively utilizing **GitHub** as a command-and-control (C2) infrastructure to target organizations in South Korea. The attacks involve multi-stage infection chains that employ obfuscated LNK files and PowerShell scripts to maintain persistent control over compromised systems.
## DPRK Actors Abuse GitHub for C2
Researchers have observed threat actors, likely associated with the Democratic People's Republic of Korea (DPRK), exploiting **GitHub** as command-and-control (C2) infrastructure. This tactic is used in multi-stage attacks aimed at organizations in South Korea.

According to a report by **Fortinet FortiGuard Labs**, the attack sequence begins with obfuscated Windows shortcut (LNK) files. These files drop a decoy PDF document and a **PowerShell** script that sets the stage for subsequent attack phases. The LNK files are believed to be distributed through phishing emails.
Once the payloads are downloaded, the victim sees the PDF document, while the malicious **PowerShell** script runs silently in the background. The script includes checks to evade analysis by detecting running processes related to virtual machines, debuggers, and forensic tools. If any such processes are found, the script terminates immediately.
## Persistence and Exfiltration
If the initial checks pass, the script extracts a Visual Basic Script (VBScript) and establishes persistence using a scheduled task. This task launches the **PowerShell** payload every 30 minutes in a hidden window, ensuring execution after each system reboot.
Next, the **PowerShell** script profiles the compromised host, saves the results to a log file, and exfiltrates the data to a **GitHub** repository under the account "motoralis" using a hard-coded access token. Other **GitHub** accounts used in this campaign include "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip."
The script then parses a specific file in the same **GitHub** repository to retrieve additional modules or instructions. This allows the attacker to leverage the trust associated with **GitHub** to blend in and maintain persistent control over the infected host.
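The chain described above (hidden PowerShell launched from a shortcut, a scheduled task re-running PowerShell every 30 minutes in a hidden window, and PowerShell talking to GitHub) leaves a telemetry footprint a defender can hunt for. The following is an added detection example, not code from the report or the campaign; it runs three simple rules over constructed, Sysmon-like event records, and the hostnames, the 60-minute interval threshold and the explorer.exe-as-parent heuristic are assumptions of this example.

```python
import re

# Constructed sample events in a Sysmon-like shape (ID 1 = process create,
# ID 3 = network connection, 4698 = scheduled task registered). Not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -File C:\\Users\\Public\\s.ps1"},
    {"id": 3, "pid": 4120, "image": PS, "dest_host": "api.github.com", "dest_port": 443},
    {"id": 4698, "task_name": "\\Updater",
     "task_action": "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\s.ps1",
     "repeat_minutes": 30},
    # Benign noise that must not fire: a browser reaching GitHub, a daily backup task.
    {"id": 3, "pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"id": 4698, "task_name": "\\Backup", "task_action": "C:\\Tools\\backup.exe",
     "repeat_minutes": 1440},
]

# Assumed list of hosts a PowerShell process rarely needs to contact on a workstation.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Matches "-w hidden" and "-WindowStyle Hidden" (case-insensitive).
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    image = image.lower()
    return image.endswith("powershell.exe") or image.endswith("pwsh.exe")


def detect(events):
    """Return (rule_name, key) tuples for events matching the three rules."""
    findings = []
    for e in events:
        if e["id"] == 1 and is_powershell(e["image"]):
            # Rule 1: hidden PowerShell spawned by the shell, as a double-clicked LNK would do.
            if e["parent_image"].lower().endswith("explorer.exe") and HIDDEN_PS.search(e["cmdline"]):
                findings.append(("hidden_powershell_from_shell", e["pid"]))
        elif e["id"] == 3 and is_powershell(e["image"]) and e["dest_host"] in GITHUB_HOSTS:
            # Rule 2: PowerShell itself beaconing to GitHub.
            findings.append(("powershell_github_beacon", e["pid"]))
        elif e["id"] == 4698 and HIDDEN_PS.search(e["task_action"]) and e["repeat_minutes"] <= 60:
            # Rule 3: scheduled task that re-launches hidden PowerShell on a short interval.
            findings.append(("hidden_task_short_interval", e["task_name"]))
    return findings


if __name__ == "__main__":
    for rule, key in detect(SAMPLE_EVENTS):
        print(f"{rule}: {key}")
```

Any one rule alone is noisy; the value is in seeing all three on the same host within a short window, which is the pattern this campaign produces.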

## Kimsuky's Modus Operandi
**Fortinet** notes that earlier versions of this campaign used LNK files to spread malware families like Xeno RAT. The use of **GitHub** C2 to distribute Xeno RAT and its variant MoonPeak has been previously documented by **ENKI** and **Trellix**, attributing these attacks to the North Korean state-sponsored group, **Kimsuky**.
Security researcher Cara Lin highlights the attacker's strategy: "Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate."
## Similar LNK-Based Attacks
The disclosure coincides with **AhnLab** detailing a similar LNK-based infection chain from **Kimsuky**, which leads to the deployment of a **Python**-based backdoor. This attack also involves LNK files executing a **PowerShell** script and creating a hidden folder in the "C:\windirr" path to stage payloads, including a decoy PDF and another LNK file mimicking a Hangul Word Processor (HWP) document.
Intermediate payloads are deployed to set up persistence and launch a **PowerShell** script, which uses **Dropbox** as a C2 channel to fetch a batch script. This batch file downloads ZIP file fragments from a remote server, combines them, extracts a Task Scheduler XML task definition and a **Python** backdoor, and registers that task to launch the implant.
The **Python**-based malware can download additional payloads and execute commands from the C2 server, including running shell scripts, listing directories, uploading/downloading/deleting files, and running BAT, VBScript, and EXE files.
## ScarCruft's Evolving Tactics
These findings also align with **ScarCruft**'s shift from traditional LNK-based attack chains to an HWP OLE-based dropper to deliver **RokRAT**, a remote access trojan exclusively used by the North Korean hacking group. According to **S2W**, the malware is embedded as an OLE object within an HWP document and executed via DLL side-loading.
"Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the **RokRAT** payload," **S2W** stated.