DPRK-Related Campaigns with LNK and GitHub C2
FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.
AI Analysis
Technical Summary
This campaign involves malicious LNK shortcut files used in attacks targeting South Korean users. The attackers use a multi-stage scripting process and leverage GitHub repositories as C2 infrastructure, which helps evade traditional detection mechanisms. Historical analysis shows earlier versions of these LNK files had less obfuscation and included metadata that linked them to the distribution of XenoRAT malware. The campaign is attributed to DPRK-related actors and has been observed since 2024. No CVE or patch information is available, and no known exploits in the wild have been reported.
Potential Impact
The campaign enables attackers to execute multi-stage scripts via malicious LNK files, potentially leading to the deployment of XenoRAT malware on victim systems. This could result in unauthorized remote access and data compromise. The use of GitHub as C2 infrastructure complicates detection and mitigation efforts. However, there are no reports of widespread exploitation or active incidents beyond the detection of these files.
Mitigation Recommendations
No official patches or fixes are available for this campaign. Organizations should monitor for the identified LNK file hashes and suspicious use of GitHub repositories as C2 channels. Employ endpoint protection solutions capable of detecting malicious LNK files and multi-stage scripting attacks. User awareness training to avoid opening suspicious shortcut files is recommended. Since this is a campaign rather than a software vulnerability, remediation focuses on detection and prevention rather than patching.
Affected Countries
South Korea
Indicators of Compromise
- hash: 484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282
- hash: 9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc
- hash: af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184
- hash: c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5
- hash: f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2
- Adversary: null
- Pulse Id: 69cfceee4f7a6c4305b3d1a4
- Threat Score: null
Threat ID: 69cff22d0a160ebd924486ea
Added to database: 4/3/2026, 5:00:29 PM
Last enriched: 4/3/2026, 5:15:56 PM
Last updated: 4/4/2026, 5:43:18 AM