Mayura Kathir
2025-09-10 01:47:00
gbhackers.com
The North Korea-backed APT group Kimsuky has been identified exploiting GitHub repositories for malware delivery through sophisticated weaponized LNK files, according to recent analysis by S2W’s Threat Intelligence Center, TALON.
This campaign demonstrates the group’s evolving tactics in leveraging trusted platforms to bypass security measures and establish persistent access to victim systems.
The attack chain begins with a malicious ZIP archive named “NTS_Attach.zip” containing a weaponized LNK file disguised as an electronic tax invoice PDF.
When executed, the shortcut file “전자세금계산서.pdf.lnk” triggers a PowerShell command that downloads and executes additional malicious scripts from attacker-controlled GitHub repositories.
The threat actors embedded hardcoded GitHub Private Tokens directly within their scripts to access private repositories, showcasing a sophisticated understanding of GitHub’s API infrastructure.
The primary payload, main.ps1, connects to the repository “hxxps://github[.]com/God0808RAMA/group_0721/” to download both decoy documents and additional malicious components.
The script employs dynamic file management techniques, replacing placeholder strings with timestamped values to create unique identifiers for each infection. This allows attackers to track and manage multiple compromised systems through their GitHub infrastructure.
Multi-Stage Persistence Mechanism
Kimsuky’s latest campaign establishes persistence through a complex scheduled task mechanism.
The malware creates “MicrosoftEdgeUpdate.ps1” in the victim’s %AppData% directory and establishes a scheduled task named “BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}” that executes every 30 minutes.
This persistence mechanism enables continuous communication with the command and control infrastructure while appearing as legitimate system maintenance activity.
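A hunt for the persistence pattern just described, written in PowerShell and added here as an example; it is not code from the S2W/TALON report or from the malware. It assumes an elevated session on a Windows host with the ScheduledTasks module, and uses only the indicators the article names (the script file name, the task-name prefix, the %AppData% location and the 30-minute interval). The GUID-style suffix of the task name is treated as variable, so only the prefix is matched, and a behavioural rule (PowerShell launching a script under %AppData% on a short repeat interval) catches renamed variants.

```powershell
# Added example: hunt for scheduled tasks matching the persistence pattern
# described above. Run from an elevated PowerShell session on Windows 8 /
# Server 2012 or later (Get-ScheduledTask comes from the ScheduledTasks module).

$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%

# Indicators taken from the article; the task-name suffix is not matched.
$knownScript     = 'MicrosoftEdgeUpdate.ps1'
$knownNamePrefix = 'BitLocker MDM policy Refresh'
$maxMinutes      = 30

function Get-SuspiciousTask {
    foreach ($task in Get-ScheduledTask) {
        # Shortest repetition interval across the task's triggers, in minutes.
        # Repetition.Interval is an ISO 8601 duration such as PT30M.
        $minInterval = $null
        foreach ($trigger in $task.Triggers) {
            $iso = $trigger.Repetition.Interval
            if (-not $iso) { continue }
            $minutes = [System.Xml.XmlConvert]::ToTimeSpan($iso).TotalMinutes
            if ($null -eq $minInterval -or $minutes -lt $minInterval) { $minInterval = $minutes }
        }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }            # skip COM-handler actions
            $exe     = [string]$action.Execute
            $cmdline = [string]$action.Arguments

            $runsPowerShell = $exe -match '(?i)(powershell|pwsh)(\.exe)?"?$'
            $inAppData      = ($cmdline -match '(?i)%AppData%') -or
                              ($cmdline -match [regex]::Escape($appData))
            $namedLikeIoc   = $task.TaskName -like "$knownNamePrefix*"
            $scriptIoc      = $cmdline -match [regex]::Escape($knownScript)
            $behavioural    = $runsPowerShell -and $inAppData -and
                              ($null -ne $minInterval) -and ($minInterval -le $maxMinutes)

            if ($namedLikeIoc -or $scriptIoc -or $behavioural) {
                [pscustomobject]@{
                    TaskName        = $task.TaskName
                    TaskPath        = $task.TaskPath
                    Execute         = $exe
                    Arguments       = $cmdline
                    IntervalMinutes = $minInterval
                    Reason          = @(
                        if ($namedLikeIoc) { 'task name matches article indicator' }
                        if ($scriptIoc)    { "action references $knownScript" }
                        if ($behavioural)  { 'PowerShell script under %AppData% repeating every <=30 min' }
                    ) -join '; '
                }
            }
        }
    }
}

Get-SuspiciousTask | Format-Table -AutoSize
```

The behavioural rule will also surface legitimate admin tasks that run scripts from a roaming profile on a short schedule, so treat its output as a triage list; the two indicator rules are the high-confidence matches.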
The info-stealer component, deployed as “temporary.ps1,” collects comprehensive system information including IP addresses, boot times, operating system details, hardware specifications, and running processes.
All collected data is systematically organized and uploaded to timestamped folders within the attacker’s GitHub repositories, creating an organized intelligence collection system.
Investigators analyzing the hardcoded GitHub tokens discovered nine private repositories associated with the campaign, including group_0717, group_0721, test, hometax, group_0803, group_0805, group_0811, fsc_doc, and repayment.
These repositories contained exfiltrated system logs, decoy documents, and files designed to appear as legitimate business communications such as payment reminders and audit reports.
Commit history analysis revealed the attacker’s email address “sahiwalsuzuki4[@]gmail.com” used during GitHub account creation.
Notably, test logs within the repositories showed evidence of remote administration tools including “xeno_rat_server” and clipboard monitoring processes, indicating the campaign’s broader objectives extend beyond initial reconnaissance.
Critical Security Implications
This campaign represents a significant evolution in APT tactics, demonstrating how threat actors can weaponize legitimate development platforms for malicious purposes.
The abuse of GitHub’s infrastructure provides attackers with reliable hosting, encrypted communications, and the ability to blend malicious traffic with legitimate development activities.
Organizations face increased challenges in detecting such activities due to the trusted nature of GitHub domains and the encrypted nature of API communications.
The use of timestamped file management and dynamic script updates allows attackers to maintain operational security while scaling their operations across multiple targets.
This approach enables real-time adaptation of malware payloads and collection strategies based on victim environments and defensive responses.
Recommended Defense Strategies
Security teams should implement comprehensive monitoring of GitHub API traffic, particularly PUT requests to “/repos/*/contents/” endpoints that could indicate data exfiltration activities.
Organizations should establish baseline monitoring for scheduled task creation, especially those with suspicious names or execution patterns consistent with malware persistence mechanisms.
Enhanced PowerShell logging and script block logging should be enabled across enterprise environments to detect suspicious script execution patterns.
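One way to act on this recommendation, added here as an example and not part of the article or the report: check whether script block logging is enabled, enable it via the policy registry key if not, and then query the resulting 4104 events for the behaviours the article describes. The registry path and event ID are the standard Windows ones; the search patterns are derived from the article's indicators (GitHub API use, the Contents endpoint, the two script names), and the Authorization-header pattern is an assumption about how a hardcoded token would appear in script text.

```powershell
# Added example: enable PowerShell script block logging and search the events
# it produces for the GitHub-based activity described in the article. Run elevated.

$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    # Returns $true only when the policy value is present and set to 1.
    $value = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

function Enable-ScriptBlockLogging {
    # Weak state: key absent or value 0. Corrected state: value 1 (DWORD).
    if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
    Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

if (-not (Get-ScriptBlockLoggingState)) {
    Write-Host 'Script block logging is off; enabling it.'
    Enable-ScriptBlockLogging
}

# Event ID 4104 in Microsoft-Windows-PowerShell/Operational carries the text of
# each script block as it is compiled. Patterns come from the article's indicators;
# the Authorization pattern is an assumption about how a hardcoded token is sent.
$patterns = @(
    'api\.github\.com',
    '/repos/[^/]+/[^/]+/contents/',
    '(?i)Authorization[^\r\n]*\b(token|Bearer)\b',
    'MicrosoftEdgeUpdate\.ps1',
    'temporary\.ps1'
)

function Find-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value      # ScriptBlockText field of 4104
        $hit  = $patterns | Where-Object { $text -match $_ }
        if ($hit) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Path        = $_.Properties[4].Value   # script path, empty for interactive blocks
                Matched     = ($hit -join ', ')
                Preview     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Find-SuspiciousScriptBlock -Hours 24 | Format-Table -AutoSize
```

Enabling the policy locally is appropriate for a single host or a lab; in an enterprise the same value is delivered through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell), and the 4104 events should be forwarded to central collection rather than queried host by host.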
Network security controls should scrutinize traffic to api.github.com and implement behavioral analysis to identify unusual repository access patterns that could indicate compromise.
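The detection the two recommendations above call for, as an added PowerShell example that is not part of the article: a rule over proxy log lines that flags PUT requests to api.github.com whose path matches the Contents API shape /repos/{owner}/{repo}/contents/…, then summarises hits per source and repository so repeated automated uploads stand out from a developer's occasional edit. The CSV format and every log line are constructed for the example (the owner name is a placeholder; the repository name group_0721 and the timestamped folder layout follow the article's description); adapt the field names to your proxy's export.

```powershell
# Added example: flag GitHub Contents-API uploads in web proxy logs.
# The log format and every line below are constructed for this example.

$sampleLog = @'
time,src_ip,user,method,host,path,status,bytes_out,user_agent
2025-09-08T09:14:02Z,10.20.4.17,alice,GET,api.github.com,/repos/contoso/infra-tools/contents/README.md,200,512,git/2.45.0
2025-09-08T09:15:10Z,10.20.4.17,alice,POST,api.github.com,/repos/contoso/infra-tools/git/blobs,201,2048,git/2.45.0
2025-09-08T09:31:44Z,10.20.7.88,bob,PUT,api.github.com,/repos/example-owner/group_0721/contents/20250908093144/sysinfo.txt,201,18734,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-09-08T10:01:45Z,10.20.7.88,bob,PUT,api.github.com,/repos/example-owner/group_0721/contents/20250908100145/sysinfo.txt,201,18802,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-09-08T10:02:01Z,10.20.4.17,alice,PUT,api.github.com,/repos/contoso/infra-tools/contents/docs/runbook.md,200,3120,Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0
'@

# Rule from the recommendation above: PUT to /repos/{owner}/{repo}/contents/...
# on api.github.com is the Contents API call that creates or updates a file.
$contentsPut = '^/repos/(?<owner>[^/]+)/(?<repo>[^/]+)/contents/(?<file>.+)$'

function Find-GitHubUpload {
    param([string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        if ($_.method -eq 'PUT' -and $_.host -eq 'api.github.com' -and $_.path -match $contentsPut) {
            $m = $Matches   # keep the capture groups before any later -match overwrites them
            [pscustomobject]@{
                Time         = $_.time
                SourceIp     = $_.src_ip
                User         = $_.user
                Repository   = "$($m.owner)/$($m.repo)"
                File         = $m.file
                BytesOut     = [int]$_.bytes_out
                # Default Invoke-WebRequest/Invoke-RestMethod user agent carries this token.
                PowerShellUA = $_.user_agent -match 'WindowsPowerShell'
                # A 14-digit leading folder mirrors the timestamped upload layout in the report.
                Timestamped  = $m.file -match '^\d{14}/'
            }
        }
    }
}

# Triage: list each hit, then summarise by source and repository.
$hits = Find-GitHubUpload -Csv $sampleLog
$hits | Format-Table -AutoSize

$hits | Group-Object SourceIp, Repository | ForEach-Object {
    [pscustomobject]@{
        Source      = $_.Name
        Uploads     = $_.Count
        TotalBytes  = ($_.Group | Measure-Object BytesOut -Sum).Sum
        PSUserAgent = ($_.Group | Where-Object PowerShellUA).Count
        Timestamped = ($_.Group | Where-Object Timestamped).Count
    }
} | Sort-Object Uploads -Descending | Format-Table -AutoSize
```

On the sample data the summary ranks 10.20.7.88 first: two uploads to one repository, both with a PowerShell user agent and timestamped folders, while alice's single PUT from a browser to an in-house repository scores on none of those. Because the API traffic itself is TLS-encrypted, this rule needs a proxy or TLS-inspection point that records the HTTP method and path; with only DNS or NetFlow data, the fallback is volume and periodicity of connections to api.github.com from hosts that are not developer workstations.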
Regular security awareness training focusing on LNK file risks and social engineering tactics remains crucial, as initial access vectors continue to rely on user interaction with seemingly legitimate documents and attachments.