A series of malicious LNK files targeting users in South Korea has been detected; the files form a multi-stage attack chain that uses GitHub as command and control (C2) infrastructure.
The campaign relies on scripting, encoded payloads and legitimate Windows tools to maintain persistence while avoiding detection. Earlier versions of the attack date back to 2024 but contained more metadata and simpler obfuscation, allowing researchers to track links to earlier malware campaigns.
According to a new advisory published by Fortinet on April 2, recent versions show clear changes in tactics.
The attacker now embeds decoding functions directly within LNK file arguments and includes encoded payloads inside the files themselves. Decoy PDF documents are used to distract victims while malicious scripts execute silently in the background. The files appear legitimate when opened, while PowerShell scripts run without the user's knowledge.
"Modern cyber espionage has fundamentally shifted toward a highly evasive strategy known as living-off-the-land [LOTL]," said Jason Soroko, senior fellow at Sectigo.
Multi-Stage Infection Process
The attack begins with LNK files containing hidden scripts that retrieve PowerShell commands from GitHub.
As mentioned above, later variants introduced decoding functions and removed identifying metadata, making attribution more difficult. The files drop a decoy PDF while silently executing PowerShell scripts in the background.
In the second stage, the PowerShell script performs several tasks designed to keep the attack hidden and maintain access to the system, including:
- Checking for virtual machines (VMs) or security analysis tools
- Decoding and storing additional payloads
- Creating scheduled tasks for persistence
- Collecting system information
- Uploading logs to GitHub repositories
The malware creates scheduled tasks that run every 30 minutes using VBScript to execute hidden PowerShell commands. System information such as OS version, last boot time and running processes is collected and exfiltrated to GitHub using hardcoded access tokens.
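A defender-side check for the persistence mechanism just described, added here as an example and not code from the Fortinet advisory: it scans Task Scheduler task definitions (the XML that `schtasks /query /xml` exports and that Security event 4698 records in its TaskContent field) for a 30-minute repetition trigger paired with a VBScript host or a hidden PowerShell action. The sample task definitions, file paths and names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (schtasks /query /xml,
# and the TaskContent field of Security event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?.*?-w(?:indowstyle)?\s+hidden", re.I)


def scan_task(task_xml: str) -> list[str]:
    """Return the reasons a task definition matches the pattern (empty if none)."""
    root = ET.fromstring(task_xml)
    reasons = []
    # Trigger: any repetition interval of exactly 30 minutes (ISO 8601 PT30M).
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if (interval.text or "").strip().upper() == "PT30M":
            reasons.append("30-minute repetition trigger")
            break
    # Actions: a VBScript host, or PowerShell started with a hidden window.
    for exec_ in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", "", NS) or "").strip()
        args = (exec_.findtext("t:Arguments", "", NS) or "").strip()
        binary = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if binary in SCRIPT_HOSTS or args.lower().endswith(".vbs"):
            reasons.append(f"action runs a VBScript host: {binary} {args}")
        if HIDDEN_PS.search(f"{cmd} {args}"):
            reasons.append("action launches hidden PowerShell")
    return reasons


# Constructed sample task definitions (not taken from the advisory).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B C:\\Users\\Public\\update.vbs</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>
    <Arguments>--quiet</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, task in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", scan_task(task) or "no findings")
```

Either finding alone is common in legitimate tasks; the combination of a short repetition interval with a script-host or hidden-PowerShell action is what warrants a closer look at the script the task runs.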
Persistent Access Through GitHub
In the final stage, the malware continuously connects to GitHub repositories to download additional instructions or modules, maintaining communication with the attacker and enabling further activity on compromised systems.
A keep-alive script uploads network configuration details, allowing the attacker to monitor infected machines and maintain access over time.
"This attack demonstrates how malicious actors can turn legitimate infrastructure into a novel attack surface," said Jamie Boote, senior manager at Black Duck.
"The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors," he added.
By using Windows built-in utilities and GitHub infrastructure, attackers can indeed blend malicious traffic with normal activity, making detection significantly more difficult for corporate security systems.
