What are DPRK phishing LNK attacks?

Phishing emails with Windows shortcut (.LNK) files that drop decoy PDFs and run hidden PowerShell to connect to GitHub for malware control.

How do hackers use GitHub as C2?

They host payloads in public repos or gists; malware polls GitHub's API or raw files for commands, blending with normal dev traffic.

How can South Korean companies protect against this?

Enable strict PowerShell logging, filter LNK attachments, monitor GitHub domain traffic, and use EDR for anomalous script execution.

🌐 Nation-State Threats

North Korean Hackers Turn GitHub into C2 Battlefield with Sneaky LNK Phishing

Forget the usual malware droppers. DPRK hackers are phishing South Korean orgs with LNK files that masquerade as PDFs, then pivot to GitHub for C2. It's a slick architectural shift that's hard to block.

theAIcatchup Apr 08, 2026 4 min read

Diagram of DPRK phishing LNK attack chain using GitHub for command and control against South Korean organizations

⚡ Key Takeaways

DPRK hackers chain phishing LNK files to PowerShell and GitHub C2 for stealthy access to South Korean targets. 𝕏
GitHub's trusted status makes it ideal for evasion—malware pulls commands via repo updates. 𝕏
Shift to 'dev-native' tactics predicts wider adoption by other nation-states, urging GitHub traffic monitoring. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#DPRK hackers #GitHub C2 #North Korea cyber attacks #Phishing LNK files

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SecurityAffairs

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

North Korean Hackers Turn GitHub into a Shadowy C2 Nerve Center for South Korean Targets

North Korea's Six-Month Con Job Steals $285M from Solana DEX Drift

Inside the Axios Hijack: How DPRK RATs Slipped into Dev Workflows Worldwide

Iran's Hidden Assault: 3,900 US PLCs Exposed in the Wild

Stay in the loop