North Korea Uses GitHub for Cyber Espionage Against South Korean Companies

Sophisticated North Korean Espionage Campaign Targets South Korean Businesses

Researchers at FortiGuard Labs have uncovered a high-severity spying campaign attributed to a group of North Korean hackers targeting South Korean companies.

Campaign Details

  • The campaign, initiated in 2024, involves exploiting Windows operating systems to infiltrate corporate networks.
  • The attackers employ multiple phishing themes to target a broader audience within an organization.
  • Instead of relying on a single, obvious malware payload, they abuse native Windows tools such as PowerShell, VBScript, and WScript.
  • The attack typically starts with a seemingly innocuous shortcut file (LNK file) that appears as a harmless office document.
  • A decoy PDF is presented upon opening the file, distracting the victim while a silent script dismantles the computer’s security measures in the background.
  • The script checks for the presence of security tools and virtual environments, shutting down immediately if it detects any.

Maintaining Access

  • The attackers utilize a Scheduled Task disguised as a technical paper, waking the malware every 30 minutes.
  • Stolen information is stored in private GitHub repositories, so the exfiltration traffic blends in with legitimate use of a widely trusted platform and passes through corporate security controls unnoticed.

According to researchers, “The recent updates to the malware have focused on deep surveillance, stealing OS versions, build numbers, and active process lists, sending a keep-alive log back to the hackers.”

Experts warn that this campaign highlights the increasing trend of sophisticated cyber espionage, where attackers rely on native tools and services to evade detection. The use of GitHub and other trusted platforms as attack vectors emphasizes the need for network defenders to remain vigilant and monitor all incoming traffic, regardless of its source.
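One way a defender might turn the behaviours described above (a shortcut-launched script host, a 30-minute scheduled task, and script hosts talking to GitHub) into detection logic, as an added example that is not part of the original article or FortiGuard's research: the rules run over constructed Sysmon-style telemetry, and the event field names, the sample task name, and the command-line heuristics are assumptions made for illustration.

```python
"""Detection heuristics for the LNK -> script host -> 30-minute task -> GitHub chain
described above. Added example, not FortiGuard's code: events are constructed
Sysmon/Security-log-style dicts; field names and thresholds are assumptions."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Command-line traits typical of shortcut-launched droppers: hidden window, encoded payload, .lnk path.
SUSPICIOUS_ARGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)|\.lnk", re.I)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """Return one finding string per event that matches a rule (empty list if none)."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            img, parent = _basename(ev["image"]), _basename(ev["parent"])
            # Rule 1: user-launched (explorer.exe) script host with dropper-style arguments.
            if img in SCRIPT_HOSTS and parent == "explorer.exe" and SUSPICIOUS_ARGS.search(ev["cmdline"]):
                findings.append(f"lnk-style launch: {img} via {parent}: {ev['cmdline']}")
        elif kind == "task":
            # Rule 2: persistence that wakes a script host every 30 minutes.
            if ev["interval_min"] == 30 and _basename(ev["action"]) in SCRIPT_HOSTS:
                findings.append(f"30-minute task '{ev['name']}' runs {ev['action']}")
        elif kind == "network":
            # Rule 3: script host connecting to GitHub, consistent with repository-based exfiltration.
            if _basename(ev["image"]) in SCRIPT_HOSTS and ev["dest"].lower() in GITHUB_HOSTS:
                findings.append(f"{_basename(ev['image'])} -> {ev['dest']}")
    return findings

# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -WindowStyle Hidden -enc SQBFAFgA..."},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Process"},
    {"type": "task", "name": "Technical Paper Sync", "interval_min": 30, "action": r"C:\Windows\System32\wscript.exe"},
    {"type": "task", "name": "Backup", "interval_min": 1440, "action": r"C:\Program Files\Backup\backup.exe"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "dest": "api.github.com"},
    {"type": "network", "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "github.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Rule 3 will also fire on legitimate PowerShell automation that uses the GitHub API, so in practice it is tuned with an allow-list of known scripts or scoped to hosts outside engineering teams.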

Recommendations

  • Implement robust security protocols.
  • Conduct regular vulnerability assessments.
  • Maintain awareness of emerging threats.

As the threat landscape continues to evolve, organizations must prioritize proactive measures to protect themselves against these types of attacks.
