
Malware MoonPeak Executed via LNK Files

Medium
Published: Mon Jan 26 2026 (01/26/2026, 14:28:48 UTC)
Source: AlienVault OTX General

Description

In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with an LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is actually the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign uses GitHub for hosting malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.

AI-Powered Analysis

Last updated: 01/26/2026, 18:07:37 UTC

Technical Analysis

In January 2026, a campaign involving the MoonPeak malware was observed by IIJ, targeting Korean users through malicious LNK shortcut files. These LNK files execute obfuscated PowerShell scripts that first check for sandbox or analysis environments to evade detection. The scripts then create additional scripts and establish persistence mechanisms on the infected host. The second stage of the infection downloads the MoonPeak payload from GitHub, a legitimate and trusted platform, exemplifying the Living Off Trusted Sites (LOTS) technique which complicates detection and blocking efforts. MoonPeak itself is obfuscated using ConfuserEx, a .NET obfuscator, making reverse engineering and signature-based detection more difficult. Once executed, MoonPeak communicates with a command and control (C2) server to receive instructions and potentially exfiltrate data. The attack chain leverages multiple MITRE ATT&CK techniques including user execution via LNK files (T1204.002), obfuscated files or information (T1027), persistence through registry run keys (T1547.001), and command and scripting interpreter usage (T1059.001). The use of GitHub as a malware hosting platform allows the adversary to blend malicious activity with legitimate traffic, increasing the challenge for defenders. Although the campaign is currently focused on Korean users, the techniques and delivery mechanisms are applicable globally, especially to organizations using Windows environments that support LNK files and PowerShell. The threat actor is attributed to North Korea (DPRK), known for persistent cyber espionage and disruptive operations. No known exploits in the wild have been reported beyond the described infection chain, but the sophistication and stealth of the campaign warrant attention.

Potential Impact

For European organizations, the MoonPeak malware campaign presents a significant risk due to its stealthy infection vector and use of trusted platforms for payload delivery. If successful, the malware can establish persistence, enabling long-term access to compromised systems, potentially leading to espionage, data theft, or disruption of operations. The use of obfuscated PowerShell scripts and LOTS techniques complicates detection by traditional antivirus and network security tools. European organizations with Windows environments that allow execution of LNK files and PowerShell scripts are vulnerable, especially if users are not trained to recognize suspicious files or if endpoint protections are insufficient. The campaign’s reliance on GitHub for hosting payloads may bypass some network filtering rules, increasing the likelihood of successful payload delivery. The medium severity rating reflects the need for user interaction and the absence of zero-day exploits, but the persistence and stealth capabilities increase the potential impact on confidentiality and integrity of sensitive data. Additionally, the geopolitical context of North Korean threat actors targeting global victims suggests that critical infrastructure, government entities, and industries with strategic importance in Europe could be targeted for espionage or disruption.

Mitigation Recommendations

1. Implement strict email and endpoint filtering to block or quarantine LNK files and other suspicious attachments, especially from unknown or untrusted sources.
2. Enforce application whitelisting policies that restrict execution of PowerShell scripts and LNK files unless explicitly authorized.
3. Enable PowerShell logging and monitor for obfuscated or suspicious script execution patterns to detect early signs of infection.
4. Use endpoint detection and response (EDR) solutions capable of identifying LOTS techniques and anomalous GitHub traffic related to malware downloads.
5. Educate users about the risks of opening unsolicited shortcut files and the importance of verifying file origins.
6. Restrict or monitor outbound network connections to GitHub repositories that are not business-critical, and consider implementing network segmentation to limit lateral movement.
7. Regularly update and patch systems to reduce the attack surface, and conduct threat hunting exercises focusing on persistence mechanisms such as registry run keys and scheduled tasks.
8. Employ multi-factor authentication and least privilege principles to limit the impact if credentials are compromised.
9. Collaborate with threat intelligence providers to stay updated on emerging indicators of compromise (IOCs) related to MoonPeak and similar threats.
10. Conduct regular backups and verify recovery procedures to mitigate potential data loss or ransomware scenarios linked to persistent malware presence.
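The following is an added hunting script, not code from the IIJ report or from this page, that turns recommendations 3 and 7 and the IoC list below into concrete checks on a Windows host: Run/RunOnce registry values that launch script interpreters (T1547.001), LNK files in the Startup folders, script block log events (ID 4104) containing common obfuscation or download patterns, live TCP connections to the IP listed in this pulse, and files in user-writable locations whose hash matches one of the listed hashes. The regex patterns, the choice of scan directories and the seven-day look-back are assumptions; the cmdlets used are standard Windows PowerShell 5.1 cmdlets, and script block logging must already be enabled for the 4104 query to return anything.

```powershell
# Added example (not from the IIJ report or this page). Read-only hunting checks for the
# MoonPeak persistence and execution patterns described above. Run elevated on a Windows host.
# Patterns, directories and the 7-day window are assumptions; adjust to the environment.

function Invoke-MoonPeakHunt {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run keys (T1547.001): flag values that invoke script interpreters or
    #    reference scripts/shortcuts in user-writable locations (assumed pattern).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $runPattern = 'powershell|pwsh|wscript|cscript|mshta|\.lnk|\.vbs|\.ps1|AppData|\\Temp\\|-enc|hidden|bypass'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            if ("$($p.Value)" -match $runPattern) {
                $findings.Add([pscustomobject]@{ Check='RunKey'; Location=$key; Name=$p.Name; Detail=$p.Value })
            }
        }
    }

    # 2. LNK files in the per-user and all-users Startup folders, resolved to their targets.
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $findings.Add([pscustomobject]@{ Check='StartupLnk'; Location=$_.FullName; Name=$_.Name
                                        Detail="$($lnk.TargetPath) $($lnk.Arguments)" })
    }

    # 3. Script block logging (event 4104): obfuscation/download patterns seen in the last 7 days.
    $logPattern = 'FromBase64String|-EncodedCommand|Invoke-Expression|\biex\b|DownloadString|DownloadFile|github\.com|raw\.githubusercontent\.com'
    $filter = @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=(Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $logPattern } | ForEach-Object {
            $snippet = $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length))
            $findings.Add([pscustomobject]@{ Check='ScriptBlock'; Location='Event 4104'; Name=$_.TimeCreated; Detail=$snippet })
        }

    # 4. Live TCP connections to the C2 address listed in this pulse's IoC section.
    $c2 = '27.102.137.88'
    Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.RemoteAddress -eq $c2 } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Check='C2Connection'; Location="$($_.LocalAddress):$($_.LocalPort)"
                                        Name="PID $($_.OwningProcess)"; Detail="$($_.RemoteAddress):$($_.RemotePort) $($_.State)" })
    }

    # 5. Hash match against this pulse's IoC list (MD5, SHA-1 and SHA-256 values, compared by algorithm).
    $iocHashes = @(
        '640f54bb6d29d98d92344136fee49d07', 'ea5d9be286f7af423c070128af170085',
        '665a1cdb7f050816dcb7b90a5516f2a38613e281', 'd8e96e777de3234e0771e6c53b7c09a659542f12',
        'ebec41675fff24858ad558429ce4e4e32c30da55',
        '1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f',
        '8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4',
        'aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279'
    )
    $scanDirs = @($env:TEMP, "$env:USERPROFILE\Downloads")   # assumed drop locations; extend as needed
    Get-ChildItem -Path $scanDirs -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 50MB } | ForEach-Object {
            foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
                $h = (Get-FileHash -Path $_.FullName -Algorithm $alg -ErrorAction SilentlyContinue).Hash
                if ($h -and ($iocHashes -contains $h.ToLower())) {
                    $findings.Add([pscustomobject]@{ Check='HashMatch'; Location=$_.FullName; Name=$alg; Detail=$h })
                }
            }
        }

    return $findings
}

# Usage: run the hunt and review the findings table; an empty result means none of the checks fired.
Invoke-MoonPeakHunt | Format-Table -AutoSize -Wrap
```

The checks only read state and never modify the host, so they are safe to run on a suspected machine before imaging; a non-empty result is a lead for triage, not a verdict, since legitimate software also writes Run keys and Startup shortcuts. The 4104 query is the most useful of the five because it catches the obfuscated first stage regardless of which hosting site or C2 address a later variant uses.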


Technical Details

Author
AlienVault
TLP
white
References
https://sect.iij.ad.jp/blog/2026/01/dprk-moonpeak-executed-via-malicious-lnk-file
Adversary
North Korea (DPRK)
Pulse Id
69777a203745e70e7425106f
Threat Score
null

Indicators of Compromise

Hash (no descriptions were provided with the pulse; type inferred from digest length)

MD5:
640f54bb6d29d98d92344136fee49d07
ea5d9be286f7af423c070128af170085

SHA-1:
665a1cdb7f050816dcb7b90a5516f2a38613e281
d8e96e777de3234e0771e6c53b7c09a659542f12
ebec41675fff24858ad558429ce4e4e32c30da55

SHA-256:
1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f
8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4
aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279

IP

27.102.137.88

Threat ID: 6977a9814623b1157caf7565

Added to database: 1/26/2026, 5:50:57 PM

Last enriched: 1/26/2026, 6:07:37 PM

Last updated: 2/6/2026, 4:08:48 PM
