{
  "name": "Malware MoonPeak Executed via LNK Files",
  "slug": "malware-moonpeak-executed-via-lnk-files",
  "description": "In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with an LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub; that payload is the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign uses GitHub to host the malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.",
  "published": "2026-01-26T13:28:48+00:00",
  "created_at": "2026-01-26T13:28:48+00:00",
  "modified_at": "2026-01-26T17:03:06+00:00",
  "created_at_opencti": "2026-01-26T13:28:48+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-26",
    "confuserex",
    "github",
    "korea",
    "lnk files",
    "lots",
    "moonpeak",
    "persistence",
    "powershell",
    "xenorat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "27.102.137.88"
      },
      {
        "id": "",
        "name": "8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4"
      },
      {
        "id": "",
        "name": "aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279"
      },
      {
        "id": "",
        "name": "1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f"
      }
    ],
    "malware": [
      {
        "id": "9c08757d-bd59-45d1-8174-ac5b1ab454f2",
        "name": "XenoRAT",
        "slug": "xenorat"
      },
      {
        "id": "legacy:malware:02965b16e1243552",
        "name": "MoonPeak",
        "slug": "moonpeak"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9cf30a52-cdd0-4bda-b296-90d56b9a87eb",
        "name": "North Korea (DPRK)",
        "slug": "north-korea-dprk"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://sect.iij.ad.jp/blog/2026/01/dprk-moonpeak-executed-via-malicious-lnk-file",
    "https://otx.alienvault.com/pulse/69777a203745e70e7425106f"
  ]
}