Tags: APT, C2 Infrastructure Abuse, Multi-stage Malware, DPRK-linked threat actors

Apr 06, 2026 • The Hacker News

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea


Source: The Hacker News
Category: incident
Severity: high

Executive Summary

State-sponsored threat actors linked to North Korea (DPRK) are leveraging GitHub as command-and-control infrastructure in sophisticated multi-stage attacks targeting organizations in South Korea. The attack chain begins with obfuscated Windows shortcut (LNK) files that drop decoy PDFs to disguise the malicious activity. By abusing a legitimate platform such as GitHub for C2 communications, the actors blend in with normal traffic and evade traditional network detection mechanisms. Organizations in South Korea, particularly those in the government and defense sectors, should remain vigilant against social engineering lures and unusual LNK file execution. Mitigation includes user awareness training, application whitelisting, and monitoring for GitHub API communications from unexpected processes or to suspicious endpoints.
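The two monitoring points named above (unusual LNK-driven execution and GitHub API traffic from processes that have no business reaching it) can be expressed as simple host-telemetry rules. The following is an added example written for this page; it is not code from The Hacker News, Fortinet FortiGuard Labs, or the campaign itself. The Sysmon-style event dictionaries, the interpreter list, the allowlist of legitimate GitHub clients, and the base64 placeholder are all constructed assumptions; the article publishes no indicators, so none appear here.

```python
"""Added detection example: flag (1) a script host launched from Explorer with
window-hiding or payload-obscuring switches, the typical footprint of a shortcut
(LNK) lure, and (2) GitHub API traffic from a process that is not an expected
GitHub client, escalating when that process descends from rule (1).
All events below are constructed; the schema and allowlists are assumptions."""
import re

# GitHub endpoints that legitimate tooling reaches and that the article says were abused for C2.
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}

# Interpreters and LOLBins commonly used as the first stage after a shortcut click.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}

# Processes expected to talk to GitHub in this (assumed) environment; tune per fleet.
ALLOWED_GITHUB_CLIENTS = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Switches that hide the console or obscure the command: -w hidden, -enc/-e, -nop, -ep bypass.
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|nop(?:rofile)?\b|ep\s+bypass)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, pid, detail) alerts for a chronological event stream."""
    alerts = []
    suspicious_pids = set()  # processes launched by rule (1) plus their descendants
    for ev in events:
        if ev["type"] == "process_create":
            img, parent = basename(ev["image"]), basename(ev["parent_image"])
            if img in SCRIPT_HOSTS and parent == "explorer.exe" and SUSPICIOUS_FLAGS.search(ev["cmdline"]):
                suspicious_pids.add(ev["pid"])
                alerts.append(("lnk_like_script_launch", ev["pid"], ev["cmdline"]))
            elif ev["parent_pid"] in suspicious_pids:
                suspicious_pids.add(ev["pid"])  # inherit suspicion down the process tree
        elif ev["type"] == "network_connect":
            img = basename(ev["image"])
            if ev["dest_host"] in GITHUB_HOSTS and img not in ALLOWED_GITHUB_CLIENTS:
                rule = "github_c2_chain" if ev["pid"] in suspicious_pids else "github_from_unexpected_process"
                alerts.append((rule, ev["pid"], f"{img} -> {ev['dest_host']}"))
    return alerts


# Constructed sample telemetry: one shortcut-style PowerShell launch that then reaches
# the GitHub API, plus benign git.exe and cmd.exe activity that must not alert.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "parent_pid": 1,
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "parent_pid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <constructed-base64-placeholder>"},
    {"type": "network_connect", "pid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.github.com", "dest_port": 443},
    {"type": "process_create", "pid": 300, "parent_pid": 100,
     "image": r"C:\Program Files\Git\cmd\git.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "git fetch origin"},
    {"type": "network_connect", "pid": 300,
     "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "github.com", "dest_port": 443},
    {"type": "process_create", "pid": 400, "parent_pid": 100,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
]


def run_sample():
    """Apply the rules to the constructed events; expect exactly two alerts for pid 200."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"[{rule}] pid={pid} {detail}")
```

The point of the second rule is that blocking GitHub outright is rarely an option, so the useful signal is the combination of who is talking to it and how that process was started; the allowlist is the tuning knob, and the process-tree propagation is what turns two weak signals into one strong one.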

Summary

Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea. The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF

Linked Entities

  • DPRK-linked threat actors