惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

Fortinet All Blogs

Helping Law Enforcement Keep Pace with the Future of Cybercrime | Fortinet Blog FortiEndpoint Expands Security for the AI Era | Fortinet Blog Cyber Attacks Leveraging AI Require Behavior-First Security Training, Not Simply Better Awareness | Fortinet Blog The AI Era Needs a New SASE. Here’s What That Actually Looks Like. | Fortinet Blog Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula | FortiGuard Labs Update on Fortinet Use of Frontier AI | CISO Collective Fortinet Supports INTERPOL Operation CyberProtect III Targeting Online Exploitation From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach | FortiGuard Labs Fortinet Launches Its Product Carbon Footprint Calculator FortiSASE Training Builds Skills for Secure Access Success | Fortinet Blog Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog Teaching Cybersecurity the Way It’s Actually Used | Fortinet Blog Introducing FortiSOC: One Platform, Total Control | Fortinet Blog Public-Private Cooperation Is Critical to AI-Driven Cyber Defense | Fortinet Advancing Threat-Informed Defense through Fortinet’s Collaboration with MITRE CTID | Fortinet Threat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs Fortinet Achieves 1 Million People Trained in Cybersecurity Goal Ahead of Schedule | Fortinet Blog While OT Security Is Maturing, Risk Is Not Slowing Down | Fortinet Blog AI Policy Meets Operational Reality: White House AI Cybersecurity Order Calls for Public-Private Coordination | Fortinet Blog Executive Q&A: Strong Q1 Momentum Driven by Differentiated Innovation and Customer Demand | Fortinet Fortinet Earns AV-Comparatives Certification for EDR Detection Visibility | Fortinet Blog Cybercriminals Are Targeting the FIFA World Cup 2026 | FortiGuard Labs Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs Battling AI-Based Threats with FortiNDR | Fortinet Blog Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data Defending Critical Infrastructure: Why OT Security Demands a Threat-Informed Approach | CISO Collective Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise | FortiGuard Labs Fortinet Expands Cybersecurity Investment in the United Arab Emirates | Fortinet Blog PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs The Future of Connectivity | Fortinet Blog Fortinet at the World Economic Forum: Frontier AI models, AI-Driven Threats, Deepfakes, and the Future of Cyber Defense | Fortinet Blog The Fortinet 2025 Sustainability Report | Fortinet Blog Supercharged Security: Security in the Time of Mythos | CISO Collective Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs AI Security Is an Architectural Decision | Fortinet Blog Fortinet Training Institute Wins Industry Accolades | Fortinet Blog Shadow AI: The Invisible Risk Growing Inside Your Organization | Fortinet Blog Leading by Example in Sustainability: Fortinet Expands Global EPD Certification | Fortinet Blog When Cybercrime Becomes an Industry | Fortinet Blog FortiOS 8.0: Redefining Secure Networking in the AI and Quantum Era | Fortinet Blog Securing the Physical World as It Comes Online | Fortinet Blog Why the 2026 AI Cybersecurity Summit Matters | Fortinet Blog AI Is Changing Application Threats Faster Than Teams Can Adapt | Fortinet Blog Announcing the Fortinet Training Institute’s 2026 ATC Award Winners | Fortinet Blog Disrupting Cybercrime Networks at Scale Requires Sustained Global Collaboration | Fortinet Blog
DPRK-Related Campaigns with LNK and GitHub C2 | FortiGuard Labs
2026-04-02 · via Fortinet All Blogs

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Stolen data may be leveraged for follow-on attacks
Severity Level: High

FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.

In recent months, the threat actor has altered their tactics. They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files. Based on the decoy PDF titles we collected, the attacker seems to be targeting various companies in Korea to expand their surveillance operations. Below are the decoy PDF files identified in these campaigns. In this article, we will detail each stage.

Figure 1: Decoy PDF

1st Stage – LNK files

The LNK files used in these campaigns contain various scripts. In earlier versions, the threat actor used simple character concatenation to hide the GitHub C2 address and the access token. Despite this obfuscation, it was easy to see that the script was designed to run a PowerShell command fetched from GitHub.

Figure 2: LNK file with PowerShell script

Later versions of these LNK files evolved to include basic character decoding functions. Despite these updates, we observed metadata linking these activities, such as same file names, sizes, and modification dates. Notably, the “Name” column often shows “Hangul Document,” a naming pattern commonly used by North Korean state-sponsored groups like Kimsuky, APT37, and Lazarus.

Figure 3: LNK files with fixed metadata

In the latest attacks, the threat actor has removed this identifying metadata, leaving only a decoding function within the arguments. This function p1 takes three parameters: location, length, and an XOR key. It first defines a path to drop the decoy PDF, then decodes both the PDF and a PowerShell script for the next stage of the attack.

Figure 4: LNK file with encoded data

The decoy PDF aligns with the theme of the LNK file, fooling victims into thinking the file opened normally while the malicious PowerShell script executes silently in the background.

Figure 5: Decoy PDF

2nd Stage – PowerShell Script

The PowerShell script decoded from the LNK file performs several essential tasks to keep the attack hidden while maintaining access to the victim's system.

First, the script performs an environment check by scanning active processes related to virtual machines, debuggers, or forensic tools. It searches for a broad range of analysis software, including “vmxnet,” “vmusrvc,” “vmsrvc,” “vmtoolsd,” “vmwaretray,” “vboxservice,” “vboxtray,” “idaq,” “idaq64,” “autoruns,” “dumpcap,” “de4dot,” “hookexplorer,” “ilspy,” “lordpe,” “dnspy,” “petools,” “autorunsc,” “resourcehacker,” “filemon,” “regmon,” “procexp,” “procexp64,” “tcpview,” “tcpview64,” “Procmon,” “Procmon64,” “vmmap,” “vmmap64,” “portmon,” “processlasso,” “Wireshark,” “Fiddler Everywhere,” “Fiddler,” “ida,” “ida64,” “ImmunityDebugger,” “WinDump,” “x64dbg,” “x32dbg,” “OllyDbg,” and “ProcessHacker.” If any of these processes are detected, the script immediately terminates to prevent analysis by security researchers.

Figure 6: Checks running process

Once it confirms that the environment is not under analysis, the script proceeds to the next stage. It reconstructs and Base64-decodes a series of encoded strings, saving the resulting plaintext payload into a randomly named folder within the %Temp% directory.

Figure 7: Dropped VBS script

To ensure the malware persists after a system reboot, the script establishes persistence using a Scheduled Task. It creates a VBScript file that executes the PowerShell payload in a hidden window to minimize visibility. This task, disguised with a name like "Technical Paper for Creata Chain Task...", is set to run the VBScript every 30 minutes.

$action = New-ScheduledTaskAction -Execute 'wscript.exe' -Argument ('"' + $vbsFilePath + '"'); $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "Technical Paper for Creata Chain Task S-1-12-12-3-1231241245BVSKLERh-SD234GHSI56" -Action $action -Trigger $trigger -Settings $settings

In the final step of this stage, the script collects detailed system information, including OS version and build number, last boot time, and a list of currently running processes. This data is then stored in a log file named with the format: <timestamp>-<IP_address>-BEGIN.log. The script proceeds to exfiltrate this log to a specific GitHub URL: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/kcca/technik, using a hardcoded GitHub access token: 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.

Figure 8: Extracts system information and uploads to Github

Our investigation into this GitHub account, motoralis, reveals consistent activity dating back to 2025, which matches our threat-hunting results on earlier LNK file variants. Other activities involve multiple GitHub accounts in similar attacks, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip.

A broader analysis of the attacker's infrastructure reveals a strategic use of both dormant and active accounts. While some accounts, like entire73, remain largely inactive for months, others, like brandonleeodd93-blip, were activated just weeks ago to provide immediate redundancy. The motoralis account functions as the primary operational hub, showing a surge in private repository contributions that closely align with the recent spike in LNK-based phishing lures. By conducting all activity within private repositories, the threat actor effectively conceals their malicious payloads and exfiltrated logs from public view while leveraging the high reputation of the GitHub domain to stay under the radar of corporate security filters.

Figure 9: Attacker's GitHub

3rd Stage – PowerShell Script

The final phase of the PowerShell script is fairly simple. After the previous phase handled anti-analysis measures, established persistence, and gathered initial victim data, this phase focuses on maintaining a stable connection to the Command and Control (C2) infrastructure.

The main purpose of this script is to continuously fetch additional modules or instructions from the attacker’s GitHub repository: hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim. By using the scheduled task established earlier, the malware maintains a persistent connection, enabling the attacker to monitor the victim or execute more commands and files as needed.

Figure 10: PowerShell script for C2 communication

We identified a “keep-alive” script used by the attacker to stay visible. This script specifically gathers network configuration details and uploads them to GitHub using the PUT method. The logs are stored at: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/jjyun/network/<Date>_<Time>-<IP_Address>-Real.log. This automated check-in allows the threat actor to monitor the victim’s network status in real-time, enabling further actions or more in-depth exploitation within the compromised environment.

Figure 11: PowerShell script from GitHub C2

Conclusion

This campaign shows a sophisticated grasp of social engineering, employing multiple phishing themes to boost the attack's effectiveness. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate. 

A key part of this campaign involves abusing legitimate public infrastructure. The attacker uses the GitHub API as a Command and Control (C2) channel, effectively hiding malicious traffic within normal encrypted connections. Because GitHub is a trusted open-source platform often whitelisted in corporate environments, ongoing communication and data exfiltration usually go unnoticed by standard security measures. Detecting these attacks is difficult since the actor exploits Windows' built-in capabilities. This combination of legitimate tools and trusted web services creates a highly effective infection chain. To stay protected, users should stay alert against untrusted documents and monitor for unusual PowerShell or VBScript activity in their environments.

Figure 12: Attack chain

Fortinet Protection

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

LNK/Agent.ALN!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers using these products with current signatures are protected against the malware components discussed in this report.

FortiMail detects the initial phishing emails as virus detected. Additionally, real-time anti-phishing protection provided by FortiSandbox, which is integrated across Fortinet’s FortiMail, web filtering, and antivirus solutions, enables advanced detection of both known and unknown phishing attempts. The FortiPhish phishing simulation service further enhances user resilience by actively training and testing end users against real-world phishing techniques, including impersonation, Business Email Compromise (BEC), and ransomware delivery.

The FortiGuard CDR (Content Disarm and Reconstruction) service, available on both FortiGate and FortiMail, can neutralize malicious content embedded in documents by removing active code while preserving document usability.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

Organizations seeking to strengthen foundational security awareness may also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

URLs

hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim

hxxps://api[.]github[.]com/repos/motoralis

SHA256

af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184 TRAMS WINBOT AI Strategic Proposal.pdf.lnk

9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc 전략적 파트너십 상세 제안서.pdf.lnk

f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421 상세 제안서 - 미래에셋 X AYC Fund.pdf.lnk

484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282 CONFIDENTIAL IOTRUST OFFER.pdf.lnk

c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5 (CONFIDENTIAL)  AIN x Mine Korea 2026.pdf.lnk