How North Korean Hackers Turned GitHub Into a Spy Network Hiding in Plain Sight


Attackers are constantly looking to develop their tactics and technologies for increased success, requiring ongoing intelligence and advancement in security to account for the evolution of risk. Recently, threat actors linked to the DPRK have been seen shifting from loud, destructive operations to quiet, persistent surveillance campaigns. The South Korean corporate sector is a primary target of their efforts, with attacks leveraging finance, investment, and strategic partnership lures as initial entry vectors.

A newly documented campaign detected by Fortinet’s FortiGuard Labs brings together several trends already noted in DPRK-attributed activity. It shows how attackers’ use of Windows shortcut (LNK) files has evolved from a crude delivery mechanism into a sophisticated, obfuscated multi-stage launcher.

Anatomy of the Attack Chain

The attack chain in the campaign documented by FortiGuard Labs unfolds in multiple stages. The first is the initial distribution of LNK files carrying XOR-encoded embedded payloads. The payloads drop decoy PDFs while silently executing PowerShell commands. In earlier versions of the attack this stage was obfuscated using character concatenation; file metadata and shared basic character-decoding functions tie those earlier iterations to the newer version.

The second stage of the attack is the carrying out of anti-analysis environment checks. The script first scans for active processes tied to virtual machines, debuggers, and forensic tools, terminating the attack immediately upon detection of any of over 40 types of tools and analysis software. If no analysis is found, the script moves on to decoding encoded strings and saving the payload in a folder. This stage also establishes persistent access and collects detailed information about the target system.

The third stage establishes persistence through a scheduled task that runs every 30 minutes, exfiltrating system and network telemetry to GitHub via PUT requests. This gives the threat actors consistent control and access, letting them keep monitoring the target system and execute further commands or files.

GitHub as Command-and-Control: The Trust Exploitation Playbook

These attacks rely on GitHub API as a channel for command-and-control (C2), rendering malicious traffic indistinguishable from legitimate developer activity over encrypted HTTPS connections. The threat actors use private repositories as dead-drop storage for stolen logs, network configuration data, and additional payload modules. With a network of coordinated accounts—including motoralis, brandonleeodd93-blip, and God0808RAMA—these attackers mix dormant and freshly activated profiles for redundancy.

The use of these channels and tactics indicates that the attack is designed for evasion that takes advantage of commonly trusted tools. “The attackers use the GitHub API to hide their data exfiltration within standard encrypted developer traffic,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “Because enterprises implicitly trust platforms like GitHub, this malicious communication often goes completely unnoticed by conventional security telemetry.”

Living off the Land: Why No Custom Malware is the Most Dangerous Malware

The documented attacks use a LOLBins (living-off-the-land binaries) strategy that replaces dropped executables with PowerShell, WScript, and Scheduled Tasks, eliminating most signature-based detection surfaces and letting the attackers go unnoticed. The campaign also exploits the problem of whitelisted tools: corporate security controls that trust GitHub by default become unwitting accomplices in the malicious activity.

The low detection rate of these attacks is achieved not through technical sophistication, but through operational discipline and abuse of institutional trust. “By relying on native utilities like PowerShell and scheduled tasks instead of dropping recognizable custom malware, these attackers turn a network's own administrative functions against the organization,” according to Soroko. “This evolution in tradecraft allows malicious activity to blend seamlessly into daily system operations and bypass traditional perimeter defenses.”

Rethinking Trust as a Security Primitive

This campaign exposes a fundamental flaw in perimeter-based security logic—the legitimacy of infrastructure does not equal traffic safety. In order to address threats like this, organizations are encouraged to implement behavioral monitoring of native Windows tools and API call patterns as a necessary shift in defensive posture. This campaign has broad implications for enterprise security architecture as adversaries systematically colonize trusted platforms—in today’s attack, it was GitHub, but tomorrow it could be anything.
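The behavioral monitoring the article calls for can be expressed as a correlation over endpoint telemetry rather than a block on GitHub itself. The following added example (not code from FortiGuard Labs or the article) scores each host on how many stages of the described chain it exhibits: hidden or encoded PowerShell, a scheduled task with a 30-minute interval, and PUT requests to the GitHub API from a scripting host. The events, their Sysmon-like field names, and the host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real logs; the field names are an assumed Sysmon-like schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe -w hidden -nop -enc QQBBAEEA"},
    {"host": "ws01", "type": "process", "image": "schtasks.exe", "parent": "powershell.exe",
     "cmd": "schtasks /create /sc minute /mo 30 /tn SysUpdate /tr C:\\Users\\u\\AppData\\Local\\t.ps1"},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "api.github.com", "method": "PUT"},
    # Same destination and verb from git: ordinary developer traffic, so no stage fires.
    {"host": "ws02", "type": "network", "image": "git.exe", "dest": "api.github.com", "method": "PUT"},
    # PowerShell without hiding or encoding flags: an ordinary scripted build, no stage fires.
    {"host": "ws03", "type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe -File build.ps1"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
HIDING_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand")

def task_interval_minutes(cmd):
    """Return the /MO value of a 'schtasks /create /sc minute' command, else None."""
    toks = cmd.lower().split()
    try:
        return int(toks[toks.index("/mo") + 1]) if toks[toks.index("/sc") + 1] == "minute" else None
    except (ValueError, IndexError):
        return None

def hidden_powershell(e):
    """Stage 1: PowerShell started with window-hiding or encoded-command flags."""
    return (e["type"] == "process" and e["image"] in {"powershell.exe", "pwsh.exe"}
            and any(f in e["cmd"].lower() for f in HIDING_FLAGS))

def short_interval_task(e):
    """Stage 2: a scheduled task created to rerun at most every 30 minutes."""
    iv = task_interval_minutes(e["cmd"]) if e["type"] == "process" and e["image"] == "schtasks.exe" else None
    return iv is not None and iv <= 30

def script_host_github_put(e):
    """Stage 3: a scripting host, not a developer tool, writing to the GitHub API."""
    return (e["type"] == "network" and e["image"] in SCRIPT_HOSTS
            and e["dest"] == "api.github.com" and e["method"] == "PUT")

STAGES = {"hidden_powershell": hidden_powershell, "short_interval_task": short_interval_task,
          "script_host_github_put": script_host_github_put}

def correlate(events):
    """Map each host to the set of chain stages observed in its telemetry."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].update(name for name, rule in STAGES.items() if rule(e))
    return {h: s for h, s in seen.items() if s}

def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages of the chain: alert on the behaviour, not the platform."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)
```

Requiring two or more stages keeps a lone developer PUT to api.github.com from alerting while still catching the combination the campaign relies on.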

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.