Security researchers have uncovered a malware campaign targeting South Korea that turns GitHub — the world’s most popular code hosting platform — into a fully functional command-and-control server. It’s a clever abuse of trusted infrastructure that makes the attacks incredibly hard to spot.
The campaign, detailed in a Fortinet advisory, uses malicious LNK (Windows shortcut) files as the entry point. When a victim opens what looks like a normal file, a decoy PDF pops up to keep them happy while PowerShell scripts silently execute in the background. Classic misdirection.
The Attack Chain
It’s a three-stage process, and each stage is designed to stay hidden. The LNK file contains hidden scripts that reach out to GitHub repositories to fetch PowerShell commands. That’s right — the malware downloads its instructions from github.com, blending in with millions of legitimate requests happening every second.
Once the PowerShell script is running, it gets to work. It checks if it’s inside a virtual machine or security analysis tool — if it is, it shuts down to avoid detection. It decodes additional payloads, creates scheduled tasks that run every 30 minutes, and starts collecting system information: OS version, boot times, running processes, network configuration.
All of that stolen data gets exfiltrated back to GitHub using hardcoded access tokens. The attacker doesn’t need their own infrastructure — GitHub hosts the stolen data and the commands, all over HTTPS, all looking like normal developer activity.
Why This Is Hard to Stop
The campaign is a textbook example of “living-off-the-land” — using legitimate tools and services that are already trusted by the organization. The malware uses Windows built-in utilities (PowerShell, VBScript, scheduled tasks) and GitHub’s infrastructure. There’s no custom malware binary to detect, no suspicious domain to block.
“The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository and pulls scripts over the internet should put network defenders on alert that even productivity platforms can be attack vectors,” said Jamie Boote, senior manager at Black Duck.
Earlier versions of this attack dating back to 2024 were easier to track because they contained more metadata and simpler obfuscation. The latest variants have stripped out identifying information and embedded decoding functions directly in the LNK file arguments. The operators are learning and adapting.
What Defenders Should Know
Blocking GitHub isn’t realistic for most organizations — developers depend on it. But there are steps you can take. Monitor for unusual PowerShell execution patterns, especially scripts that make outbound HTTPS requests to GitHub. Look for LNK files with unusually long command-line arguments — that’s where the encoded payloads hide.
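One way to act on that last point is to triage shortcut files directly, since the argument string lives in a fixed place in the LNK format. The following Python is an added example written for this article, not code from Fortinet or from the campaign; it reads the StringData section of a Shell Link file (header, optional ID list and LinkInfo blocks, then the name, relative path, working directory, arguments and icon fields), reports how long the argument string is, and checks it against a small watch-list. The 200-character threshold, the watch-list tokens and the synthetic samples built by build_lnk are assumptions for illustration and should be tuned against your own baseline of shortcuts.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (offset 20) of the MS-SHLLINK format.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C  # the fixed 76-byte ShellLinkHeader
# StringData fields appear in this order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Assumed triage threshold: ordinary shortcuts carry short argument strings,
# so anything this long deserves a look. Tune it to your own baseline.
ARGS_LENGTH_THRESHOLD = 200
# Constructed watch-list of substrings typical of script-launching shortcuts.
SUSPICIOUS_TOKENS = ("powershell", "-enc", "frombase64string", "invoke-expression",
                     "wscript", "mshta", "github.com")


def _read_string_data(data, offset, unicode):
    """Read one StringData entry: a 2-byte character count followed by the characters."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le"), offset + count * 2
    raw = data[offset:offset + count]
    return raw.decode("latin-1"), offset + count


def parse_lnk(data):
    """Return the StringData fields of a .lnk file, skipping the ID list and LinkInfo blocks."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file (bad HeaderSize)")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            fields[key], offset = _read_string_data(data, offset, bool(flags & IS_UNICODE))
        else:
            fields[key] = ""
    return fields


def assess_lnk(data):
    """Score a shortcut by argument length and watch-list hits; returns a triage verdict."""
    fields = parse_lnk(data)
    args = fields["arguments"]
    reasons = []
    if len(args) > ARGS_LENGTH_THRESHOLD:
        reasons.append("arguments length %d exceeds %d" % (len(args), ARGS_LENGTH_THRESHOLD))
    hits = [t for t in SUSPICIOUS_TOKENS if t in args.lower()]
    if hits:
        reasons.append("watch-list tokens: " + ", ".join(hits))
    return {"arguments_length": len(args), "suspicious": bool(reasons),
            "reasons": reasons, "fields": fields}


def build_lnk(arguments, relative_path="", unicode=True):
    """Construct a minimal synthetic .lnk (header + StringData only) for testing; not a real sample."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    for flag, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            encoded = value.encode("utf-16-le") if unicode else value.encode("latin-1")
            body += struct.pack("<H", len(value)) + encoded
    header = struct.pack("<I", HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # timestamps, icon index etc. left zero
    return header + body


if __name__ == "__main__":
    # Constructed samples: a plain shortcut and one with a long placeholder launcher string.
    benign = build_lnk("/c start notes.pdf", relative_path=".\\notes.pdf")
    staged = build_lnk("-w hidden -nop -enc " + "A" * 400)
    for sample in (benign, staged):
        verdict = assess_lnk(sample)
        print(verdict["suspicious"], verdict["reasons"])
```

On a real file, read it in binary mode and pass the bytes to assess_lnk; the parser deliberately ignores the ID list and LinkInfo blocks rather than decoding them, because the argument string is where the article says the payload hides. Length alone is the stronger signal here: the newer variants described above embed their decoding logic in the arguments, so token matching will miss obfuscated forms that a length threshold still catches.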
Network monitoring should flag machines making regular, scheduled connections to GitHub repositories that aren’t part of your development workflow. And if you see VBScript being used to launch hidden PowerShell commands every 30 minutes, that’s a red flag worth investigating.
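The scheduled-connection pattern is something you can test for mechanically: a task that fires every 30 minutes produces outbound connections whose spacing is far more clock-like than a person browsing. The Python below is an added example for this article, not code from the advisory. It groups connection events by host, process image and destination, keeps only script interpreters talking to GitHub hosts, and flags any series whose intervals are nearly constant. The GitHub hostnames, the script-image list, the build-01 allow-list and the pipe-delimited sample log are all constructed assumptions; swap in the fields your proxy or endpoint telemetry actually provides.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed GitHub endpoints; extend with whatever your proxy logs actually show.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Script hosts whose regular GitHub traffic is worth a second look.
SCRIPT_IMAGES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Constructed allow-list: machines where scripted GitHub access is expected (CI, build boxes).
DEV_HOSTS = {"build-01"}
MIN_EVENTS = 4        # fewer connections than this cannot establish a rhythm
MAX_JITTER = 0.15     # (max - min) / median interval; lower means more clock-like

# Constructed, pipe-delimited connection log (timestamp|host|image|dest|port), not real telemetry.
SAMPLE_LOG = r"""
2024-05-02T09:00:03Z|ws-finance-07|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|raw.githubusercontent.com|443
2024-05-02T09:04:11Z|ws-finance-07|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|github.com|443
2024-05-02T09:30:05Z|ws-finance-07|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|raw.githubusercontent.com|443
2024-05-02T09:41:50Z|dev-ws-12|C:\Program Files\Git\cmd\git.exe|github.com|443
2024-05-02T10:00:02Z|ws-finance-07|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|raw.githubusercontent.com|443
2024-05-02T10:00:00Z|build-01|C:\Program Files\PowerShell\7\pwsh.exe|api.github.com|443
2024-05-02T10:15:27Z|dev-ws-12|C:\Program Files\Git\cmd\git.exe|github.com|443
2024-05-02T10:30:04Z|ws-finance-07|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|raw.githubusercontent.com|443
2024-05-02T10:30:00Z|build-01|C:\Program Files\PowerShell\7\pwsh.exe|api.github.com|443
2024-05-02T11:00:00Z|build-01|C:\Program Files\PowerShell\7\pwsh.exe|api.github.com|443
2024-05-02T11:00:06Z|ws-finance-07|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|raw.githubusercontent.com|443
2024-05-02T11:30:00Z|build-01|C:\Program Files\PowerShell\7\pwsh.exe|api.github.com|443
2024-05-02T12:00:00Z|build-01|C:\Program Files\PowerShell\7\pwsh.exe|api.github.com|443
2024-05-02T12:52:19Z|dev-ws-12|C:\Program Files\Git\cmd\git.exe|github.com|443
"""


def parse_log(text):
    """Turn the pipe-delimited lines into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, dest, port = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "image": image, "dest": dest, "port": int(port)})
    return events


def rhythm(times):
    """Return (median interval in seconds, jitter) for a sorted list of timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    return median, (max(gaps) - min(gaps)) / median if median else float("inf")


def detect_beacons(events, allow_hosts=DEV_HOSTS):
    """Flag script interpreters on non-development machines that contact GitHub on a steady cadence."""
    series = defaultdict(list)
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image in SCRIPT_IMAGES and e["dest"] in GITHUB_HOSTS:
            series[(e["host"], image, e["dest"])].append(e["time"])
    findings = []
    for (host, image, dest), times in series.items():
        if host in allow_hosts or len(times) < MIN_EVENTS:
            continue
        median, jitter = rhythm(sorted(times))
        if jitter <= MAX_JITTER:
            findings.append({"host": host, "image": image, "dest": dest, "count": len(times),
                             "period_minutes": round(median / 60, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_log(SAMPLE_LOG)):
        print("%(host)s: %(image)s -> %(dest)s every %(period_minutes)s min "
              "(%(count)d hits, jitter %(jitter)s)" % f)
```

In the sample, the finance workstation's PowerShell checks in every 30 minutes with a few seconds of slop and is flagged; the browser traffic on the same machine is too sparse, git.exe on the developer box is not a script interpreter, and the build server is allow-listed even though its cadence is identical. That last case is the point of the allow-list: the signal is regular scripted GitHub access from machines that have no business doing it, not GitHub traffic as such.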
The Bigger Picture
This campaign is part of a broader trend: attackers abusing legitimate cloud services for C2 infrastructure. GitHub, Google Drive, Dropbox, Discord — they’ve all been used this way. The lesson isn’t to stop using these services. It’s that your security tools need to look at how these services are being used, not just whether they’re being used.
Expect more campaigns like this. The attackers have figured out that the best place to hide is in plain sight, inside the tools you trust every day.
