PULSE NAME
DPRK-Related Campaigns with LNK and GitHub C2
TLP: WHITE | Author: AlienVault | Created: 2026-04-03 | Modified: 2026-04-03
Indicators: 5 IOCs (low volume)
FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.
Indicators of Compromise (5 / 5 total)
All FileHash-SHA256
TYPE             INDICATOR                                                         DESCRIPTION  CREATED
FileHash-SHA256  484a16d779d67c7339125ceac10b9abf1aa47f561f40058789bfe2acda548282  (none)       2026-04-03
FileHash-SHA256  9c3f2bd300ad2ef8584cc48adc47aab61bf85fc653d923e106c73fc6ec3ea1dc  (none)       2026-04-03
FileHash-SHA256  af0309aa38d067373c54b2a7774a32f68ab72cb2dbf5aed74ac784b079830184  (none)       2026-04-03
FileHash-SHA256  c0866bb72c7a12a0288f434e16ba14eeaa35d3c4cff4a86046c553c15679c0b5  (none)       2026-04-03
FileHash-SHA256  f20fde3a9381c22034f7ecd4fef2396a85c05bfd54f7db3ad6bcd00c9e09d421  (none)       2026-04-03