
DPRK-Linked Cyber Attack Uses GitHub C2 Infrastructure to Target South Korea

By xploitzone
April 7, 2026 2:43 AM

State-sponsored North Korean hackers have begun using GitHub as a covert command-and-control server, and South Korean organizations are falling victim to this multi-stage attack. Here is the full story: how the attack works and how to protect yourself.

DPRK Hackers Exploit GitHub as a Cyber Weapon Targeting South Korea

If someone told you that GitHub, the world's largest developer platform, had become a covert spy channel for North Korean hackers, you might not believe it. But that's exactly what is happening. Fortinet FortiGuard Labs exposed, just a few days ago, a campaign that has been running since 2024 in which North Korean state-sponsored hackers use GitHub as their Command and Control (C2) server. The target: South Korean organizations. The attack is clever enough that most security systems ignore it, treating the traffic as normal.

Using GitHub as C2: How Did This Idea Emerge?

First, let's understand what a C2 server is. When a hacker installs malware on someone's computer, the malware needs instructions: what to do, where to go and what data to send. These instructions come from a central server called a C2 server.

In the past, hackers used their own servers, but security teams would find and block them. So North Korean hackers asked: why not use a place the world already considers trustworthy? In the developer community there is no more trusted platform than GitHub.

GitHub is the world's largest code hosting platform, and companies around the world do their daily work on it. GitHub traffic is almost never blocked in corporate networks, because if it were, developers simply couldn't work.

This is the weakness the North Korean hackers exploited. They created private GitHub repositories, configured them as their C2 servers and started sending data there from infected machines. To security tools this traffic looked exactly like normal GitHub API calls, so no alarms were raised and no alerts were generated.

How the Attack Begins: The LNK File Trap

The first step in this campaign is a phishing email. The target receives an email with a Windows shortcut file, a LNK file, attached. The LNK file is typically disguised as a business document, financial proposal or strategic partnership agreement. For South Korean users these files are made to look like Hangul Word Processor documents. Hangul is South Korea's most popular word processor, so the target has no reason to be suspicious.

When the user double-clicks the file, two things happen at once. First, a legitimate PDF document opens on screen, looking completely real, so the user believes it is a normal file. Second, a malicious PowerShell script silently runs in the background, leaving the user unaware that anything else is happening on their computer. This technique is called a decoy document, and it is effective because the person watching assumes that since the document opened, everything is fine.

PowerShell-Based Malware: A Clever and Stealthy Threat

When the PowerShell script runs in the background, the first thing it does is check whether it is on a security researcher's computer. This is a smart trick. The script scans the running processes and looks for virtual machine software such as VMware or VirtualBox; debugging tools such as IDA, x64dbg or dnSpy; and forensic or analysis tools such as Wireshark, Fiddler, Process Hacker or the Sysinternals utilities.

If any of these is detected, the script stops immediately, leaving no trace: no logs, nothing. So if a security researcher tries to analyze the malware in a sandboxed environment, the malware simply shuts itself down. It only proceeds on the computers of real victims, where these tools are not present.

Once the script is sure it is in a safe environment, it begins its work. It decodes Base64-encoded strings, creates a randomly named folder in the %Temp% directory and saves a VBScript payload there.

Persistence Mechanism: How the Malware Stays Alive After Reboot

Once the malware is installed, its biggest challenge is to survive a restart of the computer. For this, the campaign uses a built-in Windows feature: Scheduled Tasks. The script registers a scheduled task that automatically runs the VBScript file every 30 minutes. The task name, Technical Paper for Create Chain Task, is so boring and document-like that even a system administrator looking through the task list would not suspect it.

This persistence mechanism is effective because it installs no external software; it uses Windows' own tools. The security community calls this technique Living off the Land, or LOLBin, meaning it uses binaries already built into Windows. No new software is installed and no unusual processes appear, so the chance of detection is very low.

GitHub Command & Control: The Real Engine Behind the Attack

Now comes the most intelligent part of the attack. Once the malware is fully installed, it starts communicating with GitHub. Data about the infected machine (operating system version, boot time, running processes and network configuration) is pushed to private GitHub repositories. The hackers open these repositories from their side and see which systems are infected and what state they are in.

In earlier versions, the GitHub C2 address and access token were hidden in the LNK file with simple string concatenation, meaning security researchers could recover them with a little effort. Over time the operators improved their technique. Now the encoded payloads are embedded directly in the LNK file's arguments and accessed through custom decoding functions. In the latest versions even identifying metadata has been removed: file name, size, modification date and so on have all been genericized to make it difficult to link the samples to previous campaigns.

Another clever trick is that some GitHub accounts remain completely silent for months, with no activity, and then suddenly become active for brief periods as backup channels. So even if one C2 channel is detected, another one is already waiting.

Why South Korea? Understanding the Target Selection

This question comes naturally. Both the names of the LNK files and the topics of the decoy PDFs are tailored specifically to the South Korean business environment: Korean company names, financial proposals and strategic partnerships. The files carry the Hangul Document label, which looks completely normal to South Korean users.

A separate report by the Trellix Advanced Research Center revealed that DPRK-linked actors carried out 19 spear-phishing attacks on South Korean diplomatic missions in early 2025, sending fake diplomatic invitations and meeting requests to embassies. This is part of North Korea's ongoing cyber espionage campaign against South Korea, aimed at intelligence gathering and surveillance: not money, but information.

How the Attack Campaign Continuously Changes

What makes this campaign most dangerous is that it is not static; it is learning and growing. In the early 2024 versions obfuscation was minimal, metadata was identifiable and the GitHub C2 address was easily readable. Security researchers tracked these signatures and linked the attacks to the Kimsuky, APT37 and Lazarus groups.

But when researchers published these findings, the operators immediately changed their techniques. They added obfuscation layers, removed metadata and improved the payload delivery mechanisms. It is a cat-and-mouse game: each detection is followed by a new, evolved version. This is why Fortinet still calls the campaign ongoing. It hasn't stopped; it has only become more clever.

What Makes This Threat So Hard to Defend Against?

The biggest problem with this attack is that it uses mostly normal things. PowerShell is a normal Windows tool. VBScript is a normal Windows tool. Scheduled Tasks is a normal Windows feature. GitHub traffic is normal corporate traffic. No exotic malware, no unusual software, no suspicious domains.

Traditional security tools that search for known malware signatures or block blacklisted domains are almost useless here. They cannot block GitHub and they cannot block PowerShell, because without these tools development teams can't function. Detecting this attack therefore relies on behavioral analysis: seeing what is happening differently from normal.

Another problem is that defenders cannot directly inspect private GitHub repositories. The traffic is encrypted and looks normal; only oddities in volume or timing may raise suspicion.

Recommended Actions: Practical Steps for Defenders

The first step in avoiding this campaign is user education. South Korean organizations should train their employees never to open LNK files sent as email attachments, no matter how legitimate they appear. If an unexpected document suddenly arrives, verify it with the sender through an alternate channel first.

It is important to deploy Endpoint Detection and Response (EDR) solutions that perform behavioral analysis. If a VBScript is written to the %Temp% directory and a scheduled task is registered, the combination is suspicious even though each action on its own looks normal, and EDR can flag this pattern.

Monitoring outbound GitHub API connections is also important, especially when a machine pushes data to GitHub with unusual frequency or communicates with repositories that have no connection to any legitimate business tool. These anomalies are difficult to detect, but it is possible.
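As an added example (not code from the article or from Fortinet's report), here is a small Python detector that applies the two behavioral rules above to endpoint telemetry: it correlates a VBScript written to %Temp% by a script host, a scheduled task registered by a script host, and a GitHub connection from a non-developer process on the same host within a one-hour window. The JSON-lines event schema, the process allowlist, the host names and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed allowlist of processes that legitimately reach GitHub, and the script hosts the campaign abuses.
GITHUB_ALLOWED = {"git.exe", "gh.exe", "code.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Constructed JSON-lines telemetry (not real logs): a developer doing git work, an admin creating a task, and one host showing the full chain.
SAMPLE_EVENTS = r"""
{"ts": "2026-04-01T09:00:00", "host": "dev-01", "type": "net_out", "proc": "git.exe", "dst": "api.github.com"}
{"ts": "2026-04-01T09:02:00", "host": "ws-22", "type": "task_create", "proc": "powershell.exe", "task": "Nightly Backup"}
{"ts": "2026-04-01T09:05:00", "host": "ws-17", "type": "file_write", "proc": "powershell.exe", "path": "C:\\Users\\kim\\AppData\\Local\\Temp\\a8f3k\\update.vbs"}
{"ts": "2026-04-01T09:05:30", "host": "ws-17", "type": "task_create", "proc": "powershell.exe", "task": "Technical Paper for Create Chain Task"}
{"ts": "2026-04-01T09:36:00", "host": "ws-17", "type": "net_out", "proc": "wscript.exe", "dst": "api.github.com"}
"""
def parse_events(text):
    """Parse JSON-lines telemetry into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def classify(ev):
    """Map one event to a suspicious indicator name, or None if it looks routine."""
    proc = ev.get("proc", "").lower()
    if ev["type"] == "file_write":
        path = ev["path"].lower()
        if proc in SCRIPT_HOSTS and "\\temp\\" in path and path.endswith((".vbs", ".vbe")):
            return "vbs_written_to_temp"
    elif ev["type"] == "task_create" and proc in SCRIPT_HOSTS:
        return "task_created_by_script_host"
    elif ev["type"] == "net_out" and ev["dst"].endswith("github.com") and proc not in GITHUB_ALLOWED:
        return "github_from_nonstandard_process"
    return None

def detect(text, window_minutes=60):
    """Return one finding per host whose indicators co-occur inside the time window."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        if (tag := classify(ev)):
            by_host[ev["host"]].append((ev["ts"], tag))
    findings = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            tags = {tag for ts, tag in hits[i:] if ts - start <= timedelta(minutes=window_minutes)}
            # Dropper plus persistence is the core chain; a GitHub beacon from a script host raises severity.
            if {"vbs_written_to_temp", "task_created_by_script_host"} <= tags:
                severity = "high" if "github_from_nonstandard_process" in tags else "medium"
                findings.append({"host": host, "start": start.isoformat(), "indicators": sorted(tags), "severity": severity})
                break
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags only ws-17; the lone task on ws-22 and the git traffic on dev-01 produce nothing, which is the point of correlating the combination rather than alerting on each action alone.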

Finally, organizations should not rely solely on file-based detection. File signatures are not effective when attackers use native Windows tools; process behavior, network behavior and identity behavior must all be monitored.

Conclusion

What makes this campaign truly alarming is that it is not just an attack; it is an evolving, state-backed, resource-rich operation that learns from its mistakes and constantly improves itself. It has been running since 2024, is still running in 2026, and becomes harder to detect with each new version.

GitHub, the platform where developers around the world put their code, where open source projects run and where companies do their work, has become a weapon in the hands of North Korea. This is a reminder that cyber attackers don't need new tools; they weaponize what is already trusted and widely used. That is what makes them so dangerous.

It is time for South Korean organizations to fundamentally rethink their security posture, because the enemy they face is not only technically capable but also patient, adaptive and government-backed.
