North Korea-Linked Hackers Use GitHub as C2 Infrastructure to Attack South Korea

Executive Summary FortiGuard Labs has identified a sophisticated multi-stage attack campaign attributed to the North Korea-linked threat actor Kimsuky . The group is abusing GitHub as a living-off-the-land Command and Control (C2) infrastructure to target South Korean organizations. The attack chain starts with obfuscated Windows Shortcut ( LNK ) files delivered via phishing emails. These LNK files deploy decoy PDF documents while silently executing PowerShell scripts in the background. The scripts perform anti-analysis checks, establish persistence through scheduled tasks, and exfiltrate collected data to GitHub repositories using hardcoded access tokens. Additional modules and commands are also retrieved from the same GitHub repositories. This campaign highlights the increasing trend of state-sponsored actors abusing legitimate cloud platforms and native Windows tools (LOLBins) to lower detection rates and maintain long-term access. Attack Chain Breakdown Initial Access Phishing emai