In January 2026, we identified a malicious LNK file that executed malware linked to attack campaigns targeting users in South Korea. Analysis showed that the LNK file was used to launch MoonPeak, a variant of XenoRAT, which is associated with a threat actor believed to be affiliated with North Korea (DPRK).
This article describes the newly observed attack campaign, with a particular focus on the infection flow—details that have not been fully covered in existing public reports.
Stage 1: Malicious LNK File
Filename: 실전 트레이딩 핵심 비법서.pdf.lnk (“Practical Trading Core Secrets.pdf.lnk”)
Based on the filename, the LNK file appears to be designed to lure South Korean investors, likely with the goal of generating foreign currency—an objective commonly observed in DPRK-linked operations.
When the victim opens the LNK file, the following actions occur:
- A decoy PDF file embedded in the LNK (XOR-encoded) is displayed to the user.
- At the same time, an obfuscated PowerShell script is executed in a hidden window (-WindowStyle Hidden).
PowerShell Script Behavior
The PowerShell script performs several key functions:
- Environment detection:
  It checks for processes commonly associated with virtual machines and malware analysis tools. If any are detected, execution immediately terminates. This behavior is intended to evade sandbox environments and security researchers.
  Virtualization-related processes include: vmxnet.exe, vmusrvc.exe, vmsrvc.exe, vmtoolsd.exe, vmwaretray.exe, vboxservice.exe, vboxtray.exe
  Analysis and debugging tools include: ida.exe, ida64.exe, dnspy.exe, x64dbg.exe, x32dbg.exe, OllyDbg.exe, Wireshark.exe, Fiddler.exe, ProcessHacker.exe, Procmon.exe, tcpview.exe, autoruns.exe, and many others.
- File creation:
  The script creates a randomly named folder (eight characters) in the system’s temporary directory. Inside this folder, it drops:
  - A malicious PowerShell script
  - A malicious VBScript
  Both files use random eight-character filenames and extensions.
- Script execution setup:
  - The PowerShell script downloads and executes another PowerShell payload from hxxp://mid[.]great-site[.]net/realzan/viewpoi.txt. The downloaded script is deleted immediately after execution.
  - The VBScript launches the PowerShell script in a hidden window and bypasses execution policy restrictions.
- Persistence mechanism:
  A scheduled task is created to automatically execute the VBScript via wscript.exe, ensuring persistence across reboots.
- System information exfiltration:
  The script sends system data, including host and domain information, OS version, and process lists, via an HTTP POST request to hxxp://mid[.]great-site[.]net/maith.php. Along with this data, a randomly generated four-character string and a predefined marker string are transmitted. Additionally, AES-encrypted data is included, which is decrypted using JavaScript retrieved from hxxp://mid[.]great-site[.]net/aes.js. Although the exact purpose of this endpoint is unclear, it likely serves as a beacon to notify the threat actor that a system has been successfully compromised.
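The Stage 1 behavior above gives defenders a few concrete process-creation artifacts to hunt for: wscript.exe launching a file whose folder, name and extension are all eight random characters under the temp directory, and PowerShell started with a hidden window and an execution-policy bypass. The following is an added example (not code from the original report) of a heuristic classifier over constructed, not real, process-creation events; the field names `image` and `cmdline` are assumptions chosen to resemble typical endpoint telemetry.

```python
import re

# Heuristics derived from the dropper behaviour described in Stage 1.
# Random eight-character folder under Temp holding an eight-character
# filename with an eight-character extension.
RANDOM_TEMP_SCRIPT = re.compile(
    r"[\\/]Temp[\\/][A-Za-z0-9]{8}[\\/][A-Za-z0-9]{8}\.[A-Za-z0-9]{8}\b",
    re.IGNORECASE,
)
HIDDEN_POWERSHELL = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
EXEC_POLICY_BYPASS = re.compile(r"-(?:executionpolicy|ep|ex)\s+bypass", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the names of every heuristic that matches one process-creation event."""
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    hits = []
    if image.endswith("wscript.exe") and RANDOM_TEMP_SCRIPT.search(cmd):
        hits.append("wscript_random_temp_script")
    if image.endswith("powershell.exe"):
        if HIDDEN_POWERSHELL.search(cmd):
            hits.append("powershell_hidden_window")
        if EXEC_POLICY_BYPASS.search(cmd) and RANDOM_TEMP_SCRIPT.search(cmd):
            hits.append("powershell_bypass_random_temp_script")
    return hits


def triage(events: list) -> list:
    """Keep only events that triggered at least one heuristic, with their hits."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]


# Constructed sample events (assumed field names, not real campaign telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\aB3xK9qZ\Qw8rT2yU.pLm4Nz7c"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                r'-File "C:\Users\u\AppData\Local\Temp\aB3xK9qZ\Hd7sLk2P.Zx9cVb1n"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Documents\logon.vbs"'},   # benign-looking
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Process"},  # benign-looking
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(hits, cmdline)
```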
Stage 2: PowerShell Script (viewpoi.txt)
The PowerShell script created in Stage 1 downloads and executes viewpoi.txt, which retrieves a payload from a GitHub repository controlled by the threat actor.
The repository hosted the file: octobor.docx
Source: hxxps://raw[.]githubusercontent[.]com/macsim-gun/FinalDocu/main/octobor.docx
We reported the repository to GitHub, and it was taken down on January 14, 2026.
Repository Details
The commit to the GitHub repository was made using the following account:
- Author email: sandamalmacsim@gmail[.]com
- Commit ID: d8e96e777de3234e0771e6c53b7c09a659542f12
- Commit date: December 25, 2025 (JST)
This email address is likely linked to the threat actor.
Payload Extraction
After the octobor.docx file is downloaded:
- The first seven bytes are replaced with a valid GZIP header (1F 8B 08 00 00 00 00).
- The file is then decompressed as GZIP data.
- The extracted payload is an executable named Stella.exe.
This executable is loaded and executed directly in memory using Assembly.Load, avoiding writing the binary to disk.
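The masking step above is easy to reverse for triage: put the seven header bytes back and gunzip. The following is an added example (not code from the original report or the malware) that recovers a payload masked this way and checks for the MZ magic of an executable; the sample file is constructed inline and stands in for octobor.docx, which is not reproduced here.

```python
import gzip
import zlib

# The seven bytes the Stage 2 script writes over the start of the downloaded file.
GZIP_HEADER = bytes.fromhex("1F8B0800000000")


def recover_payload(blob: bytes) -> bytes:
    """Restore the overwritten header bytes and decompress the result as GZIP."""
    if len(blob) < len(GZIP_HEADER):
        raise ValueError("blob too short to be a masked GZIP stream")
    return gzip.decompress(GZIP_HEADER + blob[len(GZIP_HEADER):])


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that the recovered data starts like a Windows executable."""
    return data[:2] == b"MZ"


def is_masked_gzip(blob: bytes) -> bool:
    """True when the blob is not valid GZIP as-is but becomes valid once its
    first seven bytes are replaced, i.e. it matches this campaign's masking."""
    try:
        gzip.decompress(blob)
        return False  # already plain GZIP, nothing was masked
    except (OSError, EOFError, zlib.error):
        pass
    try:
        recover_payload(blob)
        return True
    except (OSError, EOFError, zlib.error, ValueError):
        return False


def make_masked_sample(payload: bytes) -> bytes:
    """Constructed stand-in for the hosted .docx: gzip the payload (mtime=0 so the
    header is exactly 1F 8B 08 00 00 00 00 ...), then overwrite the first seven
    bytes with junk so the file no longer looks like GZIP data."""
    compressed = gzip.compress(payload, mtime=0)
    return b"\x00" * len(GZIP_HEADER) + compressed[len(GZIP_HEADER):]


# Constructed fake "executable" content; not the real Stella.exe.
FAKE_PE = b"MZ" + b"\x90" * 64 + b"PE\x00\x00" + b"constructed-sample-payload"
MASKED_SAMPLE = make_masked_sample(FAKE_PE)

if __name__ == "__main__":
    recovered = recover_payload(MASKED_SAMPLE)
    print("masked gzip:", is_masked_gzip(MASKED_SAMPLE), "PE:", looks_like_pe(recovered))
```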
Stage 3: MoonPeak Malware (Stella.exe)
Stella.exe is the MoonPeak malware payload, protected using ConfuserEx, a widely used .NET obfuscation tool.
Normally, .NET assemblies can be easily decompiled using tools such as dnSpy or dotPeek. However, ConfuserEx introduces multiple layers of protection, including:
- String encryption
- Control flow obfuscation
- Anti-tampering mechanisms
As a result, decompilers often fail or produce corrupted output.
Anti-Tampering Mechanism
The malware uses ConfuserEx’s anti-tampering feature, which dynamically decrypts the code inside the module constructor (<Module>.<Module>()) at runtime. This prevents static analysis.
By extracting the decrypted module from memory during dynamic analysis and applying deobfuscation tools such as de4dot, it is possible to recover the original code for further analysis.
Configuration Details
Analysis revealed the following configuration values:
- Mutex: Dansweit_Hk65-PSAccerdle8
- C2 Server: 27.102.137[.]88:443
The overall functionality and behavior of this MoonPeak sample closely match previous versions documented in the Trellix report published in August 2025, indicating that the threat actor continues to reuse the same malware and techniques.
Indicators of Compromise (IoCs)
Files
| SHA-256 | Filename |
|---|---|
| 1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f | 실전 트레이딩 핵심 비법서.pdf.lnk |
| aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279 | octobor.docx |
| 8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4 | Stella.exe |
Email Address
- sandamalmacsim@gmail[.]com
Network Indicators
- Payload delivery server: mid.great-site[.]net
- MoonPeak C2 server: 27.102.137[.]88
Conclusion
As seen in previous campaigns, the threat actor once again abused GitHub as a malware hosting platform. This tactic—known as LOTS (Living Off Trusted Sites)—leverages trusted services to evade detection and increase the likelihood of successful infection.
Given the continued reliance on this technique, similar abuse of legitimate platforms is likely to persist. Ongoing vigilance and monitoring are essential.
The GitHub account and repository used in this campaign have since been taken down.
In recent years, DPRK-linked threat actors have carried out attacks worldwide, including in Japan, posing a serious risk not only to governments and enterprises but also to individual users. We will continue to analyze DPRK-associated threat activity and share findings to help improve overall cybersecurity.
