What happens when a platform used for sharing code is repurposed as a conduit for covert operations? That question now sits at the center of a new cybersecurity alert: researchers have documented a campaign that uses GitHub as command-and-control infrastructure in multi-stage attacks aimed at organizations in South Korea.
The discovery
Researchers at Fortinet FortiGuard Labs reported that threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub for command-and-control (C2) purposes in attacks targeting organizations in South Korea. FortiGuard Labs characterizes the campaign as a multi-stage attack that begins with obfuscated Windows shortcut files.
How the attack chain works, per Fortinet FortiGuard Labs
According to Fortinet FortiGuard Labs, the attack chain "involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF." That description frames the initial lure and delivery mechanism: an LNK file that has been obfuscated and is used to trigger a subsequent action that results in a decoy PDF being dropped on the target system. Fortinet's analysis identifies GitHub as the platform abused to serve command-and-control functions later in the chain.
Why this matters — perspectives and risks
For technologists: The use of a well-known code-hosting platform as C2 highlights a trend in which legitimate services can be repurposed to relay instructions or payloads. That can complicate detection and response because traffic to such services may blend with normal operations.
For policymakers and defenders: The attribution descriptor — "likely associated with the Democratic People's Republic of Korea (DPRK)" — signals a cross-border security concern directed at organizations in South Korea and raises questions about how public and private sectors should coordinate when widely used platforms are implicated.
For users and organizations: The reported use of obfuscated LNK files to drop a decoy PDF is a reminder that seemingly innocuous files and familiar workflows can be the entry point for more complex, multi-stage intrusions.
For adversaries: The campaign illustrates the operational value of leveraging high-availability services to mask C2 activity and the potential for simple file types to initiate broader intrusion chains.
Looking ahead — detection, disclosure, and the open question
Fortinet FortiGuard Labs’ findings underscore a persistent dilemma in cybersecurity: the same global services that power legitimate collaboration can be turned into tools for clandestine operations. The report documents a specific attack sequence starting with obfuscated LNK files and culminating in the use of GitHub as C2, but it also raises broader questions about how defenders detect and disrupt abuse of common infrastructure without impeding legitimate use.
As organizations reassess how they monitor file types, platform traffic, and third-party hosting, one question endures: how can defenders keep pace with adversaries who increasingly hide their command-and-control channels in plain sight?
https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html




