DPRK-Related Campaigns with LNK and GitHub C2

    Date: 04/03/2026

    Severity: High

    Summary

    Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. Similar LNK files date back to 2024, but those earlier versions were less obfuscated and easier to trace, which linked them to XenoRAT distribution. More recently, the attackers have evolved their tactics by embedding the decoding functions and encoded payloads directly within the LNK files. The titles of the decoy PDFs suggest the campaign targets multiple Korean companies, indicating expanded surveillance efforts.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim
    https://api.github.com/repos/motoralis

    Hashes (SHA-256):

    af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184
    9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc
    f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421
    484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282
    c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim"
    or url like "https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim"
    or siteurl like "https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim"
    or domainname like "https://api.github.com/repos/motoralis"
    or url like "https://api.github.com/repos/motoralis"
    or siteurl like "https://api.github.com/repos/motoralis"

    Detection Query 2:

    sha256hash IN (
        "af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184",
        "9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc",
        "f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421",
        "484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282",
        "c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5"
    )
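    As an added illustration (not part of the advisory, and not Gurucul code), the following Python applies the two detection queries above to constructed JSON proxy/EDR events. It goes slightly beyond the literal queries: the GitHub API URL is treated as a prefix, because real requests carry a repository path beneath it, and host case, trailing slashes and query strings are normalized before comparison; hostnames in the sample events are hypothetical.

```python
import json

# IOCs as listed in the advisory above.
IOC_URLS = {
    "https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim",
    "https://api.github.com/repos/motoralis",
}
IOC_SHA256 = {
    "af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184",
    "9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc",
    "f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421",
    "484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282",
    "c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5",
}

def url_matches(url: str) -> bool:
    """Exact match on the IOC URLs, plus a prefix match so requests beneath
    the listed GitHub API path (repo listings, file contents) are also caught.
    Case, trailing slashes and query strings are normalized away first."""
    u = url.strip().lower().split("?", 1)[0].rstrip("/")
    return any(u == ioc or u.startswith(ioc + "/") for ioc in IOC_URLS)

def scan(log_lines):
    """Apply both detection queries to JSON events (one per line) carrying
    optional 'url' and 'sha256' fields; return (line_no, reason) hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON event: skip it rather than abort the scan
        if url_matches(str(ev.get("url", ""))):
            hits.append((n, "url"))
        if str(ev.get("sha256", "")).lower() in IOC_SHA256:
            hits.append((n, "sha256"))
    return hits

# Constructed sample events with hypothetical hostnames; not real telemetry.
SAMPLE_EVENTS = [
    '{"host": "ws01", "url": "https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim"}',
    '{"host": "ws02", "url": "https://API.github.com/repos/motoralis/singled/contents?ref=main"}',
    '{"host": "ws03", "url": "https://raw.githubusercontent.com/example/repo/main/README.md", '
    '"sha256": "484A16D779D67C7339125CEAC10B9ABF1AA47F561F40058789BFE2ACDA548282"}',
    '{"host": "ws04", "url": "https://github.com/motoralis"}',
    'malformed line that is not JSON',
]

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: IOC hit on {reason}")
```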

    Reference:

    https://www.fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2


    Tags

    Malware, Threat Actor, DPRK, South Korea, XenoRAT, RAT
