hackmedium, 4/1/2026

GitHub C2 in Multi-Stage Attacks Targeting South Korea

South Korean organizations

The North Korean-linked Kimsuky group used GitHub as command-and-control (C2) infrastructure in multi-stage phishing attacks against South Korean organizations. The campaigns involved decoy PDFs and PowerShell scripts used for system profiling and for exfiltrating data to GitHub repositories. Relying on a trusted public platform and built-in scripting tools reflects living-off-the-land techniques used to maintain persistence.

Fortinet FortiGuard Labs reported that Kimsuky (also tracked as APT43) used phishing links that drop decoy PDFs and execute PowerShell to evade detection, profile the compromised system, and exfiltrate data via GitHub. Moving C2 traffic to a trusted platform such as GitHub lowers the chance of detection, since the connections blend in with legitimate developer traffic. The attacks target South Korean entities as part of ongoing espionage activity.
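The detection angle on the technique described above is process-to-destination correlation: PowerShell on an end-user workstation talking to GitHub endpoints, especially when the shell was spawned by a document viewer or the outbound volume looks like an upload. The following Python script, an added example that is not code from the article or from Fortinet, scores constructed network-connection events against those heuristics. The log layout, field names, host lists, allow-list and byte threshold are all assumptions chosen for illustration; adapt `parse()` to whatever EDR or proxy telemetry you actually collect.

```python
"""Flag PowerShell processes that talk to GitHub endpoints in network-connection logs.

Added example, not code from the article or from Fortinet: the log format, field
names, host lists and thresholds below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# GitHub endpoints a script could use to fetch stages or push collected data (assumed list).
GITHUB_HOSTS = {
    "github.com", "api.github.com", "raw.githubusercontent.com",
    "objects.githubusercontent.com", "gist.githubusercontent.com",
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Parents for which PowerShell -> GitHub is routine developer activity (assumed allow-list).
BENIGN_PARENTS = {"code.exe", "git.exe", "devenv.exe", "windowsterminal.exe"}
# Document viewers: a shell spawned from one is unusual on a workstation (assumed list).
DOC_VIEWERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}
LARGE_UPLOAD_BYTES = 512 * 1024  # tuning value chosen for the example

# Constructed sample events in a simple key=value layout, not a real product's format.
SAMPLE_LOG = r"""
ts=2026-04-01T09:12:01Z host=WS-017 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Program Files\Adobe\Acrobat\Reader\AcroRd32.exe dst=api.github.com bytes_out=1843200
ts=2026-04-01T09:12:05Z host=WS-017 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe dst=raw.githubusercontent.com bytes_out=4096
ts=2026-04-01T09:15:22Z host=DEV-042 image=C:\Program Files\PowerShell\7\pwsh.exe parent=C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe dst=api.github.com bytes_out=20480
ts=2026-04-01T09:16:00Z host=WS-017 image=C:\Program Files\Mozilla Firefox\firefox.exe parent=C:\Windows\explorer.exe dst=github.com bytes_out=900000
ts=2026-04-01T09:17:31Z host=WS-018 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\svchost.exe dst=update.microsoft.com bytes_out=1024
""".strip()

# Lazy groups for image/parent so paths containing spaces ("Program Files") still parse.
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) "
    r"parent=(?P<parent>.+?) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    dst: str
    bytes_out: int
    reasons: list
    severity: str


def parse(line: str):
    """Turn one key=value log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Score one event; return a Finding for PowerShell -> GitHub traffic, else None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if image not in POWERSHELL_IMAGES or event["dst"].lower() not in GITHUB_HOSTS:
        return None
    if parent in BENIGN_PARENTS:
        return None  # developer tooling driving a shell; suppress to keep the signal clean
    reasons = ["powershell_to_github"]
    if parent in DOC_VIEWERS:
        reasons.append("document_viewer_parent")  # shell launched from a decoy document
    bytes_out = int(event["bytes"])
    if bytes_out >= LARGE_UPLOAD_BYTES:
        reasons.append("large_upload")  # volume consistent with data exfiltration
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(event["ts"], event["host"], parent, event["dst"], bytes_out, reasons, severity)


def scan(log_text: str) -> list:
    """Run the rule over every parsable line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is not None:
            finding = evaluate(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} parent={f.parent} -> {f.dst} "
              f"({f.bytes_out} bytes) reasons={','.join(f.reasons)}")
```

On the constructed sample the two `powershell.exe` connections from WS-017 are reported (the Acrobat-spawned one as high severity because of the parent and the upload size), the `pwsh.exe` session under VS Code on DEV-042 is suppressed by the allow-list, and the browser and Windows Update traffic never match. In a real deployment the allow-list is the part that needs tuning per fleet; the GitHub host set and the volume threshold are far less environment-specific.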

Tags

#North Korea #Kimsuky #phishing #C2

Last updated: April 12, 2026

GitHub C2 in Multi-Stage Attacks Targeting South Korea - Korea Cyber Monitor