Attack chain | Image: FortiGuard Labs
A sophisticated new cyberespionage campaign is leveraging the trust of major public platforms to slip past corporate defenses. According to a recent analysis by FortiGuard Labs, threat actors are currently targeting users in South Korea using a multi-stage scripting process that remarkably weaponizes GitHub as its command-and-control (C2) infrastructure.
The attack begins with malicious LNK (shortcut) files delivered via phishing emails. To maximize their success rate, the attackers employ multiple high-pressure themes tailored to corporate environments.
Researchers identified several decoy PDF titles used to lure victims, including:
- “Head of Trading/Strategic Investment Division” recruitment proposals.
- “Strategic Partnership Proposals” referencing future financial trends like “Mirae Asset 3.0”.
- “Strictly Confidential” total recruitment offer documents.
While earlier versions of these LNK files from 2024 were less complex, the threat actor has significantly sharpened their tactics in recent months. The latest iterations embed decoding functions directly within the LNK arguments and carry encoded payloads hidden inside the files themselves.
Instead of relying on easily detectable custom malware, the operation “lives off the land.” As the report highlights:
“Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence”.
By using these living-off-the-land binaries (LOLBins), the attackers can keep detection rates low while targeting a broad audience.
The most defining characteristic of this campaign is the abuse of legitimate public infrastructure. The attackers use the GitHub API to manage their malicious traffic, effectively masking their communication within the sea of normal, encrypted connections to the platform.
The analysis notes the strategic advantage of this choice:
“Because GitHub is a trusted open-source platform often whitelisted in corporate environments, ongoing communication and data exfiltration usually go unnoticed by standard security measures”.
Once the victim opens the LNK file, a multi-stage scripting process begins:
- Stage 1: The LNK file executes an embedded command to drop a VBScript.
- Stage 2: The VBScript triggers a PowerShell script and establishes persistence via the Windows Task Scheduler.
- Stage 3: The PowerShell script connects to the GitHub C2 to download and execute final payloads, which in previous versions have included the XenoRAT malware.
The combination of social engineering, trusted web services, and native Windows tools creates a highly effective infection chain that is difficult to disrupt.
To defend against these “invisible” intrusions, FortiGuard Labs recommends that users remain highly alert against untrusted documents. Organizations should specifically “monitor for unusual PowerShell or VBScript activity” in their environments—especially scripts attempting to communicate with public repositories or cloud APIs.
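Added example, not FortiGuard's code: a minimal detection pass over constructed Sysmon-style events that covers the three stages listed above and the PowerShell/VBScript monitoring recommended here. The event field names, file paths, task name and rule names are assumptions made for the example.

```python
# Added example, not FortiGuard's code: detection logic for the chain above,
# run over constructed Sysmon-style events (field names are an assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                       # VBScript hosts
CLOUD_API_HOSTS = {"api.github.com", "raw.githubusercontent.com"}  # Stage 3 C2

def detect(events):
    """Return (rule, pid) pairs for events matching a stage of the chain."""
    hits = []
    for ev in events:
        image, parent = ev["image"].lower(), ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if ev["id"] == 1:  # process creation
            # Stage 2: a VBScript host launching PowerShell
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                hits.append(("powershell_from_script_host", ev["pid"]))
            # Stage 2: persistence via Task Scheduler, created by the script host
            if parent in SCRIPT_HOSTS and image == "schtasks.exe" and "/create" in cmd:
                hits.append(("schtasks_create_from_script_host", ev["pid"]))
        elif ev["id"] == 3:  # network connection
            # Stage 3: PowerShell to the GitHub API; developers do this too, so noisy alone
            if image == "powershell.exe" and ev["dest"].lower() in CLOUD_API_HOSTS:
                hits.append(("powershell_to_github_api", ev["pid"]))
    return hits

def escalate(hits):
    """True when two or more distinct stages fired: correlate, don't alert on one."""
    return len({rule for rule, _ in hits}) >= 2

# Constructed sample telemetry: the infection sequence, then benign admin use.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c <LNK-embedded command, placeholder>"},        # Stage 1
    {"id": 1, "pid": 101, "image": "wscript.exe", "parent": "cmd.exe",
     "cmdline": "wscript.exe C:\\Users\\Public\\update.vbs"},               # dropped VBS
    {"id": 1, "pid": 102, "image": "powershell.exe", "parent": "wscript.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\u.ps1"},           # Stage 2
    {"id": 1, "pid": 103, "image": "schtasks.exe", "parent": "wscript.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr wscript.exe"},       # persistence
    {"id": 3, "pid": 102, "image": "powershell.exe", "dest": "api.github.com"},  # Stage 3
    {"id": 1, "pid": 200, "image": "powershell.exe", "parent": "explorer.exe", "cmdline": ""},
    {"id": 3, "pid": 200, "image": "powershell.exe", "dest": "intranet.example"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
    print("escalate:", escalate(detect(SAMPLE_EVENTS)))
```

On real telemetry, feed Sysmon Event ID 1 and 3 records (or the EDR equivalent) into `detect()` per host; the final two sample events show that an administrator's own PowerShell session produces no hits.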