DPRK-Related Campaigns with LNK and GitHub C2
ID: 1b2e6520-85fe-5714-be64-d5742ada5942
STIX ID: report--1b2e6520-85fe-5714-be64-d5742ada5942
Feed Name: Fortinet Blog
FortiGuard Labs describes a high-severity LNK-based phishing campaign targeting organizations in South Korea. The campaign leverages obfuscated LNK arguments and embedded Base64/XOR-encoded payloads to execute PowerShell and VBScript, perform anti-analysis checks, establish scheduled-task persistence, and exfiltrate system and network data to GitHub (including repositories and raw content URLs). The actor uses GitHub API calls and hardcoded tokens as C2/exfiltration channels and minimizes dropped PE files by abusing native Windows tools. The report includes multiple IOCs (GitHub URLs and SHA256 LNK file hashes).
