North Korean Actors Exploit GitHub in Multi-Stage Malware Campaign Against South Korea

North Korean Actors Exploit GitHub in Multi-Stage Malware Campaign Against South Korea

First seen 3 Apr 2026, 06:16 UTC Infosecurity-MagazineGbhackersCybersecuritynewsScworldCsoonline+2 83% similarity 75.5

Article Content

Browse articles
ThreatCluster

A sophisticated malware campaign targeting users in South Korea has been identified, utilizing malicious LNK files that leverage GitHub as a command and control (C2) infrastructure. The campaign, attributed to North Korean state actors, employs a multi-stage attack chain that includes hidden PowerShell scripts and decoy PDF documents to evade detection. Initial versions of the malware date back to 2024, but recent iterations have removed identifying metadata and introduced advanced obfuscation techniques. The attack begins with LNK files that execute scripts to retrieve commands from GitHub, allowing attackers to maintain persistence and exfiltrate sensitive data. The malware continuously connects to GitHub to download additional payloads and instructions, raising alarms about the use of legitimate platforms for malicious activities. Security experts emphasize the need for heightened vigilance as this method blurs the lines between normal and malicious traffic.

Key Points: • North Korean state actors are behind a targeted malware campaign using LNK files. • The malware employs GitHub as a covert command and control infrastructure. • Recent versions of the malware have enhanced obfuscation and removed metadata for stealth.

ThreatCluster AI

Timeline

2024-01-01
Initial versions of the malware discovered.
2026-04-02
Fortinet advisory published detailing the attack.
2026-04-03
Multiple cybersecurity articles report on the campaign.

Community

Browse all →