
DPRK-Related Campaigns with LNK and GitHub C2

Published 03/04/2026 16:30 · Modified 03/04/2026 17:03


Essential information

Published: 03/04/2026 16:30
Modified: 03/04/2026 17:03
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Tags: 2026-04-03
Related entities: 5 indicators, 5 observables

Description

FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. The attacks use a multi-stage scripting process and use GitHub as command-and-control (C2) infrastructure to evade detection. The LNK files can be traced back to 2024; earlier versions were less obfuscated and retained significant metadata, which allowed FortiGuard to link them to similar attacks distributing the XenoRAT malware.
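The "significant metadata" that made the early samples trackable is concrete: a Windows shortcut carries, in its TrackerDataBlock, the NetBIOS name of the machine it was created on and a version-1 UUID whose node field is that machine's MAC address and whose timestamp is the creation time, alongside the command line the shortcut launches. The parser below, added here as an example and not code from FortiGuard, AlienVault or this campaign, pulls those fields out of any MS-SHLLINK file using only the standard library. The sample shortcut it builds is constructed for the demonstration; the hostname, MAC address, GUIDs and PowerShell command line are invented and are not indicators from the report.

```python
"""Extract author-identifying metadata and the launch command from a Windows
shortcut (.lnk, MS-SHLLINK). Standard library only; sample data is constructed."""
import struct
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_BLOCK_SIG = 0xA0000003                 # ExtraData TrackerDataBlock signature
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # v1 UUID time origin
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe")

# LinkFlags bits, in MS-SHLLINK order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, \
    HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))


@dataclass
class LnkMetadata:
    strings: dict = field(default_factory=dict)   # StringData fields that were present
    machine_id: str = ""                          # NetBIOS name of the authoring host
    mac_address: str = ""                         # node field of the tracker's v1 UUID
    created: Optional[datetime] = None            # timestamp of that UUID


def _read_string(data, pos, unicode):
    """StringData entry: 16-bit char count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + count * width


def parse_lnk(data: bytes) -> LnkMetadata:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    meta = LnkMetadata()
    pos = header_size
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: skip by its size
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfo: skip by its size
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    for name, bit in STRING_FIELDS:              # StringData, fixed order
        if flags & bit:
            meta.strings[name], pos = _read_string(data, pos, flags & IS_UNICODE)
    while pos + 8 <= len(data):                  # ExtraData blocks until TerminalBlock
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_BLOCK_SIG and size >= 0x60:
            body = data[pos + 8:pos + size]      # Length, Version, MachineID, Droid, DroidBirth
            meta.machine_id = body[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=body[40:56])   # Droid[1]: file object id
            if file_droid.version == 1:          # v1 UUID embeds MAC and timestamp
                node = f"{file_droid.node:012x}"
                meta.mac_address = ":".join(node[i:i + 2] for i in range(0, 12, 2))
                meta.created = UUID_EPOCH + timedelta(microseconds=file_droid.time // 10)
        pos += size
    return meta


def launches_script_host(meta: LnkMetadata) -> bool:
    """True when the shortcut target is a script interpreter given arguments,
    the usual shape of a scripting-stage LNK lure."""
    target = meta.strings.get("relative_path", "").lower().replace("/", "\\")
    return target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS and bool(meta.strings.get("arguments"))


def build_sample_lnk() -> bytes:
    """Constructed sample (not a real-world artifact): a PowerShell launcher with a
    TrackerDataBlock from a fictitious host. Hostname, MAC and GUIDs are invented."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # ShowCommand 7 = minimised
    id_list = struct.pack("<H", 2) + b"\0\0"                  # empty IDList + terminator
    link_info = struct.pack("<II", 0x1C, 0x1C) + bytes(0x1C - 8)   # minimal, skipped by size
    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = ustr(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") \
        + ustr("-WindowStyle Hidden -ExecutionPolicy Bypass -File stage1.ps1")
    volume = uuid.UUID("c2c7f7a4-3c1e-4c0f-9a7d-6f3c1c4b5e12")      # fictitious volume id
    file_id = uuid.UUID("8a5e1b80-2b70-11ef-a9b0-001122334455")     # v1; node = fictitious MAC
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_BLOCK_SIG, 0x58, 0, b"DESKTOP-LAB1") \
        + volume.bytes_le + file_id.bytes_le + volume.bytes_le + file_id.bytes_le
    return header + id_list + link_info + strings + tracker + b"\0\0\0\0"


if __name__ == "__main__":
    m = parse_lnk(build_sample_lnk())
    print(m.machine_id, m.mac_address, m.created, launches_script_host(m))
    print(m.strings)
```

Run it against a real sample by replacing `build_sample_lnk()` with the file's bytes; the machine ID, MAC address and UUID timestamp are what let analysts cluster shortcuts from the same authoring box across campaigns, which is exactly the pivot the report describes for the less obfuscated 2024 samples.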

External references