Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Stolen data may be leveraged for follow-on attacks
Severity Level: High
FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. These LNK files can be traced back to 2024; the earlier versions used less obfuscation and contained significant metadata, which allowed us to track similar attacks spreading the XenoRAT malware.
In recent months, the threat actor has altered their tactics. They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files. Based on the decoy PDF titles we collected, the attacker seems to be targeting various companies in Korea to expand their surveillance operations. Below are the decoy PDF files identified in these campaigns. In this article, we will detail each stage.
Figure 1: Decoy PDF
The LNK files used in these campaigns contain various scripts. In earlier versions, the threat actor used simple character concatenation to hide the GitHub C2 address and the access token. Despite this obfuscation, it was easy to see that the script was designed to run a PowerShell command fetched from GitHub.
Figure 2: LNK file with PowerShell script
Later versions of these LNK files evolved to include basic character decoding functions. Despite these updates, we observed metadata linking these activities, such as identical file names, sizes, and modification dates. Notably, the “Name” column often shows “Hangul Document,” a naming pattern commonly used by North Korean state-sponsored groups like Kimsuky, APT37, and Lazarus.
Figure 3: LNK files with fixed metadata
In the latest attacks, the threat actor has removed this identifying metadata, leaving only a decoding function within the arguments. This function p1 takes three parameters: location, length, and an XOR key. It first defines a path to drop the decoy PDF, then decodes both the PDF and a PowerShell script for the next stage of the attack.
Figure 4: LNK file with encoded data
The decoy PDF aligns with the theme of the LNK file, fooling victims into thinking the file opened normally while the malicious PowerShell script executes silently in the background.
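As an added illustration (not code from the report or from the samples), the following Python carver gives the analyst-side view of p1: given the (location, length, key) triples recovered from the LNK arguments, it XOR-decodes those regions of the LNK file and labels what came out. The repeating-key generalization, the file layout and the sample bytes are constructed assumptions.

```python
import re
from itertools import cycle

PDF_MAGIC = b"%PDF-"
LNK_MAGIC = b"L\x00\x00\x00"  # Shell Link header begins with HeaderSize = 0x4C
PS_HINTS = re.compile(rb"(?i)\b(Invoke-WebRequest|Invoke-RestMethod|FromBase64String|Register-ScheduledTask|IEX)\b")

def xor_region(blob, location, length, key):
    """Analyst-side equivalent of p1(location, length, key): XOR `length` bytes of
    `blob` from offset `location` with a repeating `key` (a 1-byte key is the simple case)."""
    if not key:
        raise ValueError("empty XOR key")
    if location < 0 or length < 0 or location + length > len(blob):
        raise ValueError("region lies outside the file")
    return bytes(b ^ k for b, k in zip(blob[location:location + length], cycle(key)))

def classify(decoded):
    """Label a decoded region by what it contains."""
    if decoded.startswith(PDF_MAGIC):
        return "pdf"
    if PS_HINTS.search(decoded):
        return "powershell"
    return "unknown"

def carve(lnk, regions):
    """Decode each (location, length, key) triple lifted from the LNK arguments
    and return the payloads keyed by type."""
    if not lnk.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    found = {}
    for location, length, key in regions:
        payload = xor_region(lnk, location, length, key)
        found[classify(payload)] = payload
    return found

# Constructed sample: a fake LNK header plus padding, followed by a decoy PDF and a
# stage-2 PowerShell stub, both stored XOR-encoded with a single-byte key (0x5A).
KEY = b"\x5a"
DECOY_PDF = b"%PDF-1.4\n%decoy\n"
STAGE2_PS = b"$p=[Convert]::FromBase64String('QUJD');Register-ScheduledTask -TaskName 'decoy'"
_HEADER = LNK_MAGIC + b"\x00" * 0x48 + b"\x00" * 0x100
SAMPLE_LNK = (_HEADER + xor_region(DECOY_PDF, 0, len(DECOY_PDF), KEY)
              + xor_region(STAGE2_PS, 0, len(STAGE2_PS), KEY))
PDF_REGION = (len(_HEADER), len(DECOY_PDF), KEY)
PS_REGION = (len(_HEADER) + len(DECOY_PDF), len(STAGE2_PS), KEY)
```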
The PowerShell script decoded from the LNK file performs several essential tasks to keep the attack hidden while maintaining access to the victim's system.
First, the script performs an environment check by scanning active processes related to virtual machines, debuggers, or forensic tools. It searches for a broad range of analysis software, including “vmxnet,” “vmusrvc,” “vmsrvc,” “vmtoolsd,” “vmwaretray,” “vboxservice,” “vboxtray,” “idaq,” “idaq64,” “autoruns,” “dumpcap,” “de4dot,” “hookexplorer,” “ilspy,” “lordpe,” “dnspy,” “petools,” “autorunsc,” “resourcehacker,” “filemon,” “regmon,” “procexp,” “procexp64,” “tcpview,” “tcpview64,” “Procmon,” “Procmon64,” “vmmap,” “vmmap64,” “portmon,” “processlasso,” “Wireshark,” “Fiddler Everywhere,” “Fiddler,” “ida,” “ida64,” “ImmunityDebugger,” “WinDump,” “x64dbg,” “x32dbg,” “OllyDbg,” and “ProcessHacker.” If any of these processes are detected, the script immediately terminates to prevent analysis by security researchers.
Figure 6: Checks running processes
Once it confirms that the environment is not under analysis, the script proceeds to the next stage. It reconstructs and Base64-decodes a series of encoded strings, saving the resulting plaintext payload into a randomly named folder within the %Temp% directory.
Figure 7: Dropped VBS script
To ensure the malware persists after a system reboot, the script establishes persistence using a Scheduled Task. It creates a VBScript file that executes the PowerShell payload in a hidden window to minimize visibility. This task, disguised with a name like "Technical Paper for Creata Chain Task...", is set to run the VBScript every 30 minutes.
# Action: run the dropped VBScript through wscript.exe
$action = New-ScheduledTaskAction -Execute 'wscript.exe' -Argument ('"' + $vbsFilePath + '"')
# Trigger: first run five minutes after creation, then repeat every 30 minutes
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30)
# Hide the task from the Task Scheduler UI and register it under a decoy name
$settings = New-ScheduledTaskSettingsSet -Hidden
Register-ScheduledTask -TaskName "Technical Paper for Creata Chain Task S-1-12-12-3-1231241245BVSKLERh-SD234GHSI56" -Action $action -Trigger $trigger -Settings $settings
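A defender-side check for this persistence, added here as an example rather than taken from the report: it parses a Task Scheduler XML definition (the format stored under C:\Windows\System32\Tasks) and reports the traits the call above produces, namely a script host as the action, a script under a user-writable path, the Hidden setting and a repetition interval. The sample task XML and the list of suspect directories are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# User-writable locations a legitimate task action would rarely run a script from.
SUSPECT_DIR = re.compile(r"(?i)\\(Temp|Downloads|ProgramData|AppData\\Local)\\")
SCRIPT_EXT = re.compile(r"(?i)\.(vbs|vbe|js|ps1|hta)\b")

def score_task(xml_text):
    """Return the reasons a task definition resembles this campaign's persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS)
        if cmd.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host: {cmd}")
        if SUSPECT_DIR.search(args) and SCRIPT_EXT.search(args):
            reasons.append("script argument lives under a user-writable directory")
    if root.findtext("t:Settings/t:Hidden", "", NS).lower() == "true":
        reasons.append("task is hidden")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        reasons.append(f"repeats every {iv.text}")  # ISO 8601 duration, e.g. PT30M
    return reasons

# Constructed task XML modelled on the Register-ScheduledTask call quoted above.
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2025-06-01T09:05:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\\Users\\victim\\AppData\\Local\\Temp\\x7q2k\\paper.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task for comparison: a system binary, no hiding, no repetition.
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\\system32\\sc.exe</Command><Arguments>start w32time</Arguments></Exec></Actions>
</Task>"""
```

Task files under C:\Windows\System32\Tasks are UTF-16 XML; open them with encoding='utf-16' before passing the text to score_task.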
In the final step of this stage, the script collects detailed system information, including OS version and build number, last boot time, and a list of currently running processes. This data is then stored in a log file named with the format: <timestamp>-<IP_address>-BEGIN.log. The script proceeds to exfiltrate this log to a specific GitHub URL: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/kcca/technik, using a hardcoded GitHub access token: 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.
Figure 8: Extracts system information and uploads to GitHub
Our investigation into this GitHub account, motoralis, reveals consistent activity dating back to 2025, which matches our threat-hunting results on earlier LNK file variants. Other activities involve multiple GitHub accounts in similar attacks, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip.
A broader analysis of the attacker's infrastructure reveals a strategic use of both dormant and active accounts. While some accounts, like entire73, remain largely inactive for months, others, like brandonleeodd93-blip, were activated just weeks ago to provide immediate redundancy. The motoralis account functions as the primary operational hub, showing a surge in private repository contributions that closely align with the recent spike in LNK-based phishing lures. By conducting all activity within private repositories, the threat actor effectively conceals their malicious payloads and exfiltrated logs from public view while leveraging the high reputation of the GitHub domain to stay under the radar of corporate security filters.
Figure 9: Attacker's GitHub
The final phase of the PowerShell script is fairly simple. After the previous phase handled anti-analysis measures, established persistence, and gathered initial victim data, this phase focuses on maintaining a stable connection to the Command and Control (C2) infrastructure.
The main purpose of this script is to continuously fetch additional modules or instructions from the attacker’s GitHub repository: hxxps://raw[.]githubusercontent[.]com/motoralis/singled/main/kcca/paper[.]jim. By using the scheduled task established earlier, the malware maintains a persistent connection, enabling the attacker to monitor the victim or execute more commands and files as needed.
Figure 10: PowerShell script for C2 communication
We identified a “keep-alive” script that the attacker uses to keep the compromised host visible to them. This script specifically gathers network configuration details and uploads them to GitHub using the PUT method. The logs are stored at: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/jjyun/network/<Date>_<Time>-<IP_Address>-Real.log. This automated check-in allows the threat actor to monitor the victim’s network status in real time, enabling further actions or more in-depth exploitation within the compromised environment.
Figure 11: PowerShell script from GitHub C2
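To show how the GitHub traffic from both the initial log upload and this keep-alive check-in (and the raw.githubusercontent.com module fetch) could be surfaced, here is an added Python triage routine, not from the report, run over constructed proxy-style log lines. The log layout, the user-agent test and the scoring weights are assumptions; only the motoralis/singled repository comes from the report.

```python
import re
from urllib.parse import urlsplit

# Owner/repo pair named in the report (the other accounts it lists have no repo named).
KNOWN_BAD_REPOS = {"motoralis/singled"}
CONTENTS_API = re.compile(r"^/repos/([^/]+/[^/]+)/contents/(.+)$")  # PUT here uploads a file
RAW_PATH = re.compile(r"^/([^/]+/[^/]+)/[^/]+/.+$")
LOG_NAME = re.compile(r"-(?:\d{1,3}\.){3}\d{1,3}-(?:BEGIN|Real)\.log$")
SCRIPT_UA = re.compile(r"(?i)WindowsPowerShell|PowerShell/")
# Assumed (constructed) log layout: ts host process method url "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (GET|PUT|POST) (\S+) "([^"]*)"$')

def assess(line):
    """Score one proxy/EDR line; return an alert dict, or None for ordinary GitHub use."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, proc, method, url, ua = m.groups()
    u = urlsplit(url)
    hits, repo = [], None  # hits: (weight, reason)
    if u.netloc == "api.github.com" and (c := CONTENTS_API.match(u.path)):
        repo, path = c.groups()
        if method == "PUT":
            hits.append((2, "upload via GitHub Contents API (PUT)"))
        if LOG_NAME.search(path):
            hits.append((3, "name matches <timestamp>-<ip>-BEGIN/Real.log"))
    elif u.netloc == "raw.githubusercontent.com" and (r := RAW_PATH.match(u.path)):
        repo = r.group(1)
        hits.append((1, "raw.githubusercontent.com fetch"))
    if hits and SCRIPT_UA.search(ua):
        hits.append((2, "PowerShell user agent"))
    if repo in KNOWN_BAD_REPOS:
        hits.append((5, f"{repo} is a reported C2 repo"))
    score = sum(w for w, _ in hits)
    if score < 3:  # a lone raw fetch or a dev-tool upload is normal GitHub use
        return None
    return {"ts": ts, "host": host, "process": proc, "repo": repo,
            "score": score, "reasons": [why for _, why in hits]}

def triage(lines):
    return [a for a in map(assess, lines) if a]

# Constructed sample lines; the first two mimic the report's traffic, the rest are developer noise.
SAMPLE_LOG = [
    '2025-06-01T09:35:12Z WKS-017 powershell.exe PUT https://api.github.com/repos/motoralis/singled/contents/kcca/technik/20250601093512-10.1.2.3-BEGIN.log "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-06-01T10:05:03Z WKS-017 powershell.exe GET https://raw.githubusercontent.com/motoralis/singled/main/kcca/paper.jim "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-06-01T10:06:40Z DEV-042 curl.exe PUT https://api.github.com/repos/acme/docs/contents/README.md "curl/8.4.0"',
    '2025-06-01T10:07:10Z WKS-101 chrome.exe GET https://raw.githubusercontent.com/acme/docs/main/README.md "Mozilla/5.0 Chrome/125.0"',
]
```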
This campaign shows a sophisticated grasp of social engineering, employing multiple phishing themes to boost the attack's effectiveness. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LOLBins (living-off-the-land binaries), the attacker can target a broad audience with a low detection rate.
A key part of this campaign involves abusing legitimate public infrastructure. The attacker uses the GitHub API as a Command and Control (C2) channel, effectively hiding malicious traffic within normal encrypted connections. Because GitHub is a trusted open-source platform often whitelisted in corporate environments, ongoing communication and data exfiltration usually go unnoticed by standard security measures. Detecting these attacks is difficult since the actor exploits Windows' built-in capabilities. This combination of legitimate tools and trusted web services creates a highly effective infection chain. To stay protected, users should stay alert against untrusted documents and monitor for unusual PowerShell or VBScript activity in their environments.
Figure 12: Attack chain
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
LNK/Agent.ALN!tr
The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers using these products with current signatures are protected against the malware components discussed in this report.
FortiMail detects the initial phishing emails and flags them as carrying a virus. Additionally, real-time anti-phishing protection provided by FortiSandbox, which is integrated across Fortinet’s FortiMail, web filtering, and antivirus solutions, enables advanced detection of both known and unknown phishing attempts. The FortiPhish phishing simulation service further enhances user resilience by actively training and testing end users against real-world phishing techniques, including impersonation, Business Email Compromise (BEC), and ransomware delivery.
The FortiGuard CDR (Content Disarm and Reconstruction) service, available on both FortiGate and FortiMail, can neutralize malicious content embedded in documents by removing active code while preserving document usability.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.
Organizations seeking to strengthen foundational security awareness may also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity.
If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.