Stealth Cyber Campaign Targets South Korea Using LNK Files and GitHub as C2 Channel

CyberDefender 11 mins0

Cyber threats continue to evolve, and recent findings highlight a sophisticated campaign targeting users in South Korea through malicious LNK files. This attack chain demonstrates how threat actors are refining their techniques—moving from simple obfuscation to layered, stealthy execution using legitimate platforms like GitHub as Command and Control (C2) infrastructure.

This blog breaks down the multi-stage infection process, explains how attackers maintain persistence, and explores why this campaign is particularly difficult to detect.

Fake decoy PDF, Source : fortinet

The Evolution of LNK-Based Attacks

Shortcut (LNK) files have long been abused in phishing campaigns, but this operation shows a clear progression in sophistication. Earlier variants from 2024 relied on basic character concatenation to obscure malicious code, making detection relatively straightforward for analysts. However, recent versions have significantly improved obfuscation techniques.

Threat actors now embed decoding logic directly into LNK arguments. Instead of pulling payloads from external sources in a visible manner, the malicious code is encoded within the file itself and decoded at runtime. This shift reduces observable indicators and complicates static analysis.

Interestingly, earlier samples contained metadata such as filenames and modification timestamps, which helped link campaigns together. These identifiers have now been removed, indicating a deliberate effort to evade attribution.

Stage One: Weaponized LNK Files

The infection begins when a user opens a seemingly legitimate LNK file, often disguised as a document such as a PDF proposal or business report. The naming convention and decoy content suggest targeted phishing against organizations in South Korea.

Within the LNK file, a decoding function—commonly referred to as p1—is used to reconstruct embedded payloads. This function takes parameters like location, length, and an XOR key to decode both:

  • A decoy PDF file (to distract the victim)
  • A hidden PowerShell script (to initiate the attack)

The decoy file opens normally, creating the illusion of legitimacy, while the malicious script executes silently in the background.

LNK file with PowerShell script, Source : Fortinet

Stage Two: PowerShell-Based Execution and Persistence

Once decoded, the PowerShell script performs multiple actions designed to ensure stealth and persistence.

The first step is environment validation. The script scans running processes to detect analysis tools, virtual machines, or debugging environments. It checks for a wide range of tools including: vmxnet, vmtoolsd, vboxservice, Wireshark, Fiddler, x64dbg, OllyDbg, ProcessHacker, Procmon, tcpview, and many others.

If any of these are found, execution stops immediately—an effective anti-analysis mechanism.

After confirming a safe environment, the script decodes additional payloads and stores them in a randomly generated directory within the system’s temporary folder. This helps avoid detection by traditional signature-based tools.

Persistence is then established using a Scheduled Task. A VBScript is created to execute the PowerShell payload in a hidden window every 30 minutes. The task is intentionally disguised with a long and technical name: “Technical Paper for Creata Chain Task S-1-12-12-3-1231241245BVSKLERh-SD234GHSI56”

This naming strategy reduces suspicion while ensuring continuous execution. The script also gathers system information, including:

  • Operating system version and build
  • Last boot time
  • Active processes

This data is saved in a log file using the format: <timestamp>-<IP_address>-BEGIN.log

The log is then exfiltrated via the GitHub API using a hardcoded access token: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/kcca/technik
Token: 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

Abuse of GitHub as C2 Infrastructure

One of the most notable aspects of this campaign is the use of GitHub for command and control operations. Instead of relying on traditional malicious servers, the attacker leverages a trusted platform to blend in with normal traffic.

The GitHub account motoralis appears to act as the primary hub, supported by additional accounts such as:

  • God0808RAMA
  • Pigresy80
  • entire73
  • pandora0009
  • brandonleeodd93-blip

These accounts demonstrate a mix of dormant and active behavior, suggesting a redundancy strategy to maintain operational continuity.

By storing payloads and logs in private repositories, attackers avoid public scrutiny while benefiting from GitHub’s reputation as a trusted domain—often whitelisted in enterprise environments.

Stage Three: Maintaining C2 Communication

In the final stage, the malware ensures continuous communication with the attacker’s infrastructure. It periodically retrieves instructions or additional payloads from: hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim

A “keep-alive” script is also used to collect network configuration data and upload it back to GitHub:

hxxps://api[.]github[.]com/repos/motoralis/singled/contents/jjyun/network/_-<IP_Address>-Real.log

This enables real-time monitoring of compromised systems and allows attackers to adapt their actions dynamically.

Indicators of Compromise (IOCs)

URLs

  • hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim
  • hxxps://api[.]github[.]com/repos/motoralis

SHA256 Hashes

  • af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184
  • 9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc
  • f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421
  • 484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282
  • c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5
Complete Attack Chain

Conclusion

This campaign highlights a growing trend in cyberattacks: the blending of legitimate tools and trusted platforms to evade detection. By relying heavily on PowerShell, VBScript, and GitHub, attackers reduce their footprint while maintaining high operational efficiency.

The absence of traditional malware binaries and the use of “living off the land” techniques make this attack particularly challenging to detect with conventional security solutions. Organizations must shift toward behavioral monitoring and anomaly detection to counter such threats effectively.

Our Perspective on This Campaign

What stands out most in this campaign is not just the technical execution, but the strategic mindset behind it. The attackers are clearly prioritizing stealth over complexity. Instead of deploying sophisticated custom malware, they are leveraging tools already present in the Windows ecosystem, which dramatically lowers their detection risk.

The use of GitHub as a C2 channel is especially concerning. It reflects a broader trend where threat actors abuse trusted cloud services to bypass traditional defenses. Since blocking platforms like GitHub is rarely practical in enterprise environments, defenders are left with limited options unless they adopt deeper traffic inspection and behavioral analytics.

Another key takeaway is the iterative improvement in the attack chain. The removal of metadata, improved encoding techniques, and better anti-analysis checks show that the threat actor is actively learning and adapting. This suggests a persistent and well-resourced adversary rather than opportunistic attackers.

In our view, this campaign reinforces the need for organizations to move beyond signature-based detection. Security teams should focus on monitoring script execution, unusual scheduled tasks, and outbound API communications. User awareness also remains critical—because even the most advanced attack still begins with a simple click.

CyberDefender