North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises

  • Apr 4

Key Findings


  • North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024

  • Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines

  • GitHub repositories are being abused as command and control infrastructure to exfiltrate stolen information while bypassing corporate security systems

  • The malware evades detection by checking for security tools and virtual environments before executing, then uses XOR encryption to hide from antivirus software

  • Recent campaign variants avoid traditional malware in favor of living-off-the-land techniques using native Windows utilities


Background


FortiGuard Labs researchers uncovered the operation and traced it to North Korean state-sponsored groups, likely Kimsuky, APT37, or Lazarus. The fingerprints are unmistakable: the lure files use a Hangul Document naming convention, a calling card these groups favor when targeting Korean users. The campaign has been active since 2024 but has recently evolved to become far stealthier and more effective at avoiding detection.


The Attack Method


The infection starts deceptively simply. Victims receive phishing emails built around several social engineering angles: fake purchase orders, technical papers, and other business documents chosen to appeal to different employees. When a user opens the attached LNK file, two things happen at once: a decoy PDF opens on screen to keep the victim distracted, while scripts begin running silently in the background.


The initial script acts as a security checkpoint, scanning for analysis tools such as Wireshark, Fiddler, x64dbg, and Procmon, and for signs of a virtual machine such as the vmtoolsd process. If any of these are found, the script terminates immediately so that it cannot be studied by researchers. If the host appears clean, the malware proceeds, using XOR encryption to obfuscate its code and keep it largely invisible to basic antivirus solutions.


Persistence Through GitHub


What makes this campaign particularly effective is how the attackers maintain communication and exfiltrate data. Rather than using their own infrastructure, they leverage GitHub, a platform trusted across corporate networks. Researchers identified multiple attacker accounts, including motoralis, Pigresy80, and brandonleeodd93-blip, that host stolen information in private repositories. This approach is brilliant operationally because GitHub traffic typically passes through security controls without triggering alerts.


To maintain persistence, the attackers create a Scheduled Task disguised as a legitimate technical-paper update, named the Creata Chain Task. The task wakes the malware every 30 minutes, ensuring consistent access to the compromised system.


Evolution of Capabilities


Earlier versions of this operation spread XenoRAT, a malware family that gave the attackers remote access. The current iteration has shifted toward deep surveillance and reconnaissance: modern versions collect the operating system version, build number, list of active processes, and other system information, and send keep-alive logs back to the attackers. This reconnaissance data helps the attackers understand their targets and plan follow-on operations.


Expert Assessment


Industry analysts emphasize the sophistication of this approach. Jason Soroko from Sectigo notes that modern cyber espionage has "shifted toward a highly evasive strategy known as living off the land." By using PowerShell and scheduled tasks instead of custom malware, attackers weaponize the network's own administrative functions against the organization.


Jamie Boote from Black Duck highlighted another critical concern: legitimate infrastructure like GitHub has become an attack surface. The fact that a simple shortcut file can trigger a chain of events ultimately reaching GitHub repositories to pull malicious scripts should alert network defenders that even productivity platforms warrant security scrutiny.


Defense Recommendations


Organizations should raise awareness of unexpected file attachments, particularly LNK shortcut files. Monitoring outbound connections to cloud code repositories and restricting GitHub access from sensitive systems would help mitigate this threat. Additionally, enhanced logging of PowerShell and Scheduled Task activity can help detect similar campaigns in progress.
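The hunt below is an added example, not code from the original post or from FortiGuard's research; it checks the two signals the article describes in the persistence and defense sections (a repeating Scheduled Task that launches PowerShell, and logged PowerShell script blocks that reach GitHub or contain XOR decoding). It assumes it runs as Administrator on a Windows host with PowerShell 5.1 or later and with Script Block Logging (event ID 4104) already enabled; the account names and the 30-minute interval come from the article, while the command-line patterns are assumptions about how such a task would look.

```powershell
# Added hunting script (not from the original post or FortiGuard's research).
# Assumes: Administrator rights, PowerShell 5.1+, Script Block Logging enabled.
$SuspiciousAccounts = @('motoralis', 'Pigresy80', 'brandonleeodd93-blip')  # from the article
$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled Tasks that launch PowerShell on a short repeating interval.
#    The article describes a ~30-minute task disguised as a technical-paper update;
#    the argument patterns below (-enc, hidden, bypass) are assumed, not from the article.
foreach ($task in Get-ScheduledTask) {
    $launchesPs = $task.Actions | Where-Object {
        $_.Execute -match 'powershell|pwsh' -or $_.Arguments -match '-enc|-e |hidden|bypass'
    }
    # Repetition.Interval is ISO 8601, e.g. PT30M for every 30 minutes.
    $repeats = $task.Triggers | Where-Object { $_.Repetition.Interval -match '^PT\d+M$' }
    if ($launchesPs -and $repeats) {
        $Findings.Add([pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = $task.TaskName
            Where  = $task.TaskPath
            Detail = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        })
    }
}

# 2. Logged script blocks (event 4104) that reference the attacker accounts,
#    or that combine a GitHub URL with a -bxor decoding loop.
$accountPattern = ($SuspiciousAccounts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
             StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $script = [string]$_.Properties[2].Value   # ScriptBlockText is the third property of 4104
    if ($script -match "github\.com/($accountPattern)" -or
        ($script -match '-bxor' -and $script -match 'github\.com')) {
        $Findings.Add([pscustomobject]@{
            Type   = 'ScriptBlock'
            Name   = $_.TimeCreated
            Where  = $_.MachineName
            Detail = $script.Substring(0, [Math]::Min(200, $script.Length))
        })
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

Any hit needs manual review: legitimate automation also schedules PowerShell on an interval, so treat the task's action and the script block text as the evidence, not the match alone.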


Sources


  • https://hackread.com/north-korean-hackers-github-spy-south-korean-firms/

  • https://x.com/Dinosn/status/2040147176383299938

  • https://x.com/HackRead/status/2040115343323021446

  • https://x.com/cybernewslive/status/2040211386928660656

  • https://www.reddit.com/r/InfoSecNews/comments/1sbjf7o/north_korean_hackers_abuse_github_to_spy_on_south/

© 2025 by Explain IT Again. Powered and secured by Wix