GitHub used as covert channel in multi-stage malware campaign
A series of malicious LNK files targeting users in South Korea has been detected using a multi-stage attack chain that uses GitHub as command and control (C2) infrastructure.
The campaign relies on scripting, encoded payloads and legitimate Windows tools to maintain persistence while avoiding detection. Earlier versions of the attack date back to 2024 but contained more metadata and simpler obfuscation, allowing researchers to track links to earlier malware campaigns.
According to a new advisory published by Fortinet on April 2, recent versions show clear changes in tactics.
Read more at Infosecurity Magazine