
DPRK phishing using LNK files and GitHub as command and control

April 2, 2026 | Threat Intelligence, Kimberly, The Hacker News

The Hacker News and others report DPRK-linked attackers using phishing-delivered LNK files to run hidden PowerShell, establish persistence, exfiltrate data to attacker-controlled GitHub repositories, and fetch additional payloads, showing GitHub abuse as both infrastructure and camouflage.

Related headlines:

DPRK-linked campaign uses malicious LNK files, encoded PowerShell, and GitHub for C2.
Persistence via Scheduled Tasks and strong evasion tactics observed.
Fortinet Threat Research Blog | DPRK-Related Campaigns with LNK and GitHub C2
DPRK-linked attackers used GitHub as C2 in phishing-led attacks on South Korean orgs.
LNK files trigger hidden PowerShell, set persistence, and exfiltrate system data to attacker repos while pulling new payloads.
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign
LNK files and GitHub C2 power new DPRK cyber attacks
Phishing LNK files and GitHub C2 power new DPRK cyber attacks
Sources: Threat Intelligence, Kimberly, The Hacker News, CSOonline, Nicolas Krassas, The Cyber Security Hub™, Pierluigi Paganini - Security Affairs

Tags: phishing, GitHub C2, PowerShell, GitHub, threat actor, social engineering
