North Korean state-sponsored threat actors have been observed targeting South Korean organizations with a sophisticated multi-stage attack chain that abuses GitHub as command and control (C2) infrastructure. Fortinet FortiGuard Labs published research on April 2, 2026 detailing the campaign, which leverages malicious LNK (shortcut) files, encoded payloads, and living-off-the-land (LOTL) techniques to maintain persistence while evading detection.
Attack Overview
The campaign relies on malicious LNK files delivered via phishing, disguised with decoy PDF documents to deceive victims. When opened, the files appear legitimate while PowerShell scripts execute silently in the background. The threat actors have evolved their tactics over time—earlier versions contained identifying metadata linking them to known North Korean APT groups including Kimsuky, APT37, and Lazarus. Recent variants have stripped this metadata and introduced more sophisticated obfuscation.
Multi-Stage Infection Chain
The attack proceeds through three distinct stages:
Stage 1 – LNK Execution: Malicious LNK files contain hidden scripts with embedded decoding functions. The files drop a decoy PDF while executing PowerShell commands retrieved from GitHub repositories.
Stage 2 – Persistence & Reconnaissance: The PowerShell payload performs extensive anti-analysis checks, scanning for over 40 security analysis tools and virtual machine indicators including vmtoolsd, Wireshark, x64dbg, ProcessHacker, and IDA. If detected, the malware terminates immediately. Otherwise, it establishes persistence via scheduled tasks that execute every 30 minutes using VBScript, collects detailed system information (OS version, boot time, running processes), and exfiltrates data to GitHub using hardcoded access tokens.
Stage 3 – C2 Communication: The malware maintains persistent connections to GitHub repositories to download additional modules and instructions, enabling ongoing monitoring and further exploitation of compromised systems.
GitHub Infrastructure Abuse
The attackers leverage multiple GitHub accounts for their operations, including:
- motoralis (primary operational hub)
- God0808RAMA
- Pigresy80
- entire73
- pandora0009
- brandonleeodd93-blip
By conducting all activity within private repositories, the threat actors conceal malicious payloads and exfiltrated logs from public view while exploiting GitHub’s trusted reputation to bypass corporate security filters. A “keep-alive” script uploads network configuration details, allowing real-time monitoring of infected machines.
Why This Matters
This campaign demonstrates how nation-state actors are increasingly turning legitimate infrastructure into covert attack surfaces. By abusing trusted platforms like GitHub and leveraging built-in Windows tools (PowerShell, VBScript, scheduled tasks), attackers can blend malicious traffic with normal activity, making detection significantly more challenging for enterprise security teams. Organizations should monitor for unusual PowerShell or VBScript activity and implement controls around untrusted documents.
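As an added illustration of the monitoring advice above (not part of the Fortinet research), the following Python sketch runs three detection rules over constructed Sysmon-style process and network events mirroring the chain described: explorer.exe launching a hidden or encoded PowerShell (Stage 1), schtasks registering a minute-interval task that runs a VBScript host (Stage 2), and GitHub API or raw-content traffic from a process that is not a developer tool (Stages 2 and 3). The event records, paths and the EXPECTED_GITHUB_CLIENTS allow-list are assumptions to be tuned to the environment.

```python
import re

# Constructed Sysmon-style records (id 1 = process create, 3 = network connect);
# made-up samples for the rules below, not telemetry from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmd": r'schtasks /create /sc minute /mo 30 /tn "SysUpdate" /tr "wscript.exe //B C:\Users\u\AppData\Roaming\up.vbs"'},
    {"id": 3, "image": PS, "dest_host": "api.github.com", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "api.github.com", "dest_port": 443},
]
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com"}
EXPECTED_GITHUB_CLIENTS = {"git.exe", "code.exe", "gh.exe"}  # assumed allow-list; tune per environment

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_hidden_powershell_from_explorer(ev):
    # Stage 1: explorer.exe (which launches LNK targets) spawning a hidden or encoded PowerShell.
    if ev["id"] != 1 or basename(ev["image"]) != "powershell.exe" or basename(ev["parent"]) != "explorer.exe":
        return None
    cmd = ev["cmd"].lower()
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd)
    encoded = re.search(r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", cmd)
    return "hidden-powershell-from-explorer" if hidden or encoded else None

def rule_scheduled_vbscript_task(ev):
    # Stage 2: schtasks registering a minute-interval task whose action is a script host (.vbs).
    if ev["id"] != 1 or basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmd"].lower()
    if "/create" in cmd and re.search(r"/sc\s+minute", cmd) and re.search(r"[wc]script\.exe", cmd):
        return "scheduled-vbscript-task"
    return None

def rule_unexpected_github_client(ev):
    # Stages 2/3: GitHub API or raw-content traffic from a process that is not a known developer tool.
    if ev["id"] != 3 or ev["dest_host"] not in GITHUB_HOSTS or basename(ev["image"]) in EXPECTED_GITHUB_CLIENTS:
        return None
    return "github-traffic-from-" + basename(ev["image"])

RULES = (rule_hidden_powershell_from_explorer, rule_scheduled_vbscript_task, rule_unexpected_github_client)
def detect(events):
    """Return (rule_name, process) for every event matching a rule; allow-listed git.exe traffic is skipped."""
    return [(name, basename(ev["image"])) for ev in events for rule in RULES if (name := rule(ev))]
```

In production the same rules would run over Sysmon Event ID 1/3 or EDR telemetry rather than the inline list, and the allow-list should be derived from the organisation's actual developer tooling.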
Indicators of Compromise
Key IOCs include the GitHub repositories used for C2:
- hxxps://api[.]github[.]com/repos/motoralis/singled/contents/kcca/technik
- hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim
Fortinet customers are protected via detection signature: LNK/Agent.ALN!tr
