Kimsuky Hackers Exploit Weaponized LNK Files and GitHub for Malware Delivery

South Korea’s S2W Threat Intelligence Center, TALON, has uncovered a sophisticated campaign by North Korea–backed APT group Kimsuky that abuses GitHub repositories to host and update PowerShell-based malware.

Leveraging weaponized LNK files disguised as electronic tax invoices, the attackers establish persistent backdoors and exfiltrate sensitive system metadata to privately controlled GitHub repositories.

Campaign Overview

The intrusion begins with a ZIP archive named NTS_Attach.zip containing a malicious shortcut file named 전자세금계산서.pdf.lnk ("electronic tax invoice"). Because Windows never shows the .lnk extension in Explorer, the double extension makes the shortcut appear to be a PDF.

When executed, this LNK file launches a hidden PowerShell command that downloads and executes main.ps1 from a private GitHub repository at hxxps://github[.]com/God0808RAMA/group_0721/.

Because the repository is private, the script embeds a hardcoded GitHub access token and sends it with every API request, which lets it retrieve decoy documents and additional payloads; the same token later gives it write access to upload files back to the repository.

Upon execution, main.ps1 performs multiple tasks. First, it downloads a decoy invoice document and displays it to the user to mask the malicious activity. Next, it retrieves real.txt, a template PowerShell script, from the attacker's repository.

It replaces the placeholder $upFolder in the template with a timestamped directory name (e.g., ntxBill_0910_1435) and uploads the modified script back to the same repository as real.txt_0910_1435.txt. This gives Kimsuky a separate, remotely editable copy of the script for each infected host.

To achieve persistence, main.ps1 writes a PowerShell code block to MicrosoftEdgeUpdate.ps1 under the %AppData% directory. This code block, when executed, downloads the newly uploaded real.txt_0910_1435.txt as temporary.ps1 and runs it automatically.

The script then creates a scheduled task named BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}, configured to run five minutes after initial infection and every thirty minutes thereafter. Note that the braced suffix is not a valid GUID (it contains non-hexadecimal characters such as S and Q), so hunting rules should key on the readable "BitLocker MDM policy Refresh" prefix rather than on the exact suffix.
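To hunt for this persistence mechanism on endpoints, here is an added example in Python (not code from S2W or from the campaign) that parses Windows Security event 4698 (A scheduled task was created) records, extracts the task name and the embedded task-definition XML, and scores them against the indicators described above. Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled. The event records are constructed for the demo, and the malicious task's command line (powershell.exe launching MicrosoftEdgeUpdate.ps1 from %AppData% with a hidden window) is an assumption, since the report names the script and the repeat interval but not the exact task action.

```python
"""Hunt Windows Security event 4698 (scheduled task created) records for the
Kimsuky persistence task. Added example, not code from S2W or the campaign."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Task name pattern from the report; the braces hold a GUID-like string that is
# not a real GUID, so key on the readable prefix rather than the exact suffix.
TASK_NAME_RE = re.compile(r"BitLocker MDM policy Refresh\{[0-9A-Za-z-]+\}", re.I)
POWERSHELL_RE = re.compile(r"(?:powershell|pwsh)(?:\.exe)?$", re.I)
HIDDEN_BYPASS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)?\s+bypass", re.I)
APPDATA_RE = re.compile(r"MicrosoftEdgeUpdate\.ps1|%AppData%|\\AppData\\Roaming\\", re.I)
GITHUB_RE = re.compile(r"github\.com|githubusercontent\.com", re.I)


def _local(tag):
    """Element tag without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First descendant whose local name matches, ignoring namespaces."""
    return next((el for el in root.iter() if _local(el.tag) == name), None)


def _text(root, name):
    """Stripped text of the first matching descendant, or '' if absent."""
    el = _find(root, name)
    return (el.text or "").strip() if el is not None else ""


def parse_4698(event_xml):
    """Return (TaskName, TaskContent) from a 4698 event record, else None."""
    root = ET.fromstring(event_xml)
    if _text(root, "EventID") != "4698":
        return None
    data = {el.get("Name"): (el.text or "") for el in root.iter()
            if _local(el.tag) == "Data" and el.get("Name")}
    return data.get("TaskName", ""), data.get("TaskContent", "")


def analyse_task(task_name, task_content):
    """Score one created task against the indicators from the report."""
    # TaskContent is the task definition XML; drop its declaration (it claims
    # UTF-16 but arrives as text) before parsing.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content))
    cmd = _text(task, "Command").strip('"')
    args = _text(task, "Arguments")
    interval = _text(task, "Interval")
    reasons = []
    if TASK_NAME_RE.search(task_name):
        reasons.append("name matches the BitLocker MDM policy Refresh pattern")
    if POWERSHELL_RE.search(cmd):
        reasons.append("action launches PowerShell")
        if HIDDEN_BYPASS_RE.search(args):
            reasons.append("hidden window or execution-policy bypass")
        if APPDATA_RE.search(args):
            reasons.append("runs a script out of %AppData%")
        if GITHUB_RE.search(args):
            reasons.append("command line references GitHub")
    if interval.upper() == "PT30M":
        reasons.append("repeats every 30 minutes")
    return {"task": task_name, "command": cmd, "arguments": args,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def hunt(event_records):
    """Analyse every 4698 record and return the ones judged suspicious."""
    hits = []
    for record in event_records:
        parsed = parse_4698(record)
        if parsed is not None:
            result = analyse_task(*parsed)
            if result["suspicious"]:
                hits.append(result)
    return hits


def make_4698(task_name, task_xml, user="jdoe"):
    """Build a minimal 4698 record for the demo (constructed, not a real log)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4698</EventID><Channel>Security</Channel></System>"
            f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed task definitions. The malicious command line is an assumption:
# the report names the script and the interval but not the exact task action.
MALICIOUS_NAME = "\\BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}"
MALICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-09-10T14:40:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File "%AppData%\\MicrosoftEdgeUpdate.ps1"</Arguments>
  </Exec></Actions></Task>"""
BENIGN_NAME = "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-09-10T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>
  </Exec></Actions></Task>"""
SAMPLE_EVENTS = [make_4698(MALICIOUS_NAME, MALICIOUS_TASK), make_4698(BENIGN_NAME, BENIGN_TASK)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["task"], "->", hit["command"], hit["arguments"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The threshold of two indicators is deliberate: a task name alone can be renamed by the next build of the script, and a hidden PowerShell task alone is common in badly written admin tooling, but the combination of a PowerShell action pulling a script from the user's %AppData% on a 30-minute repeat is what the report describes and is rare in legitimate software.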

Persistence and Exfiltration Mechanisms

Immediately after delivery, the first payload, downloaded as first.txt and saved as temporary.ps1, executes an info-stealer module.

It gathers critical system metadata, including the primary IP address, last boot time, OS version and build, hardware manufacturer details, memory size, and a list of running processes. This information is logged and uploaded to the attacker’s repository within the timestamped folder ntxBill_0910_1435.

Subsequently, each scheduled execution of temporary.ps1, by then refreshed with the timings and content of real.txt_0910_1435.txt, acts as a time logger. It records the last boot time and uploads a new log entry to the same directory, giving the operators continuous visibility into which compromised hosts are still alive.

Analysis of GitHub repositories linked to this campaign revealed nine private repositories active as of August 20, 2025, including group_0717, group_0803, and hometax. Commit metadata in those repositories exposed the attacker's registration email: sahiwalsuzuki4[@]gmail.com.

Logs exfiltrated to these repositories contain decoy business documents, payment reminders, and test logs whose process lists include xeno_rat_server (the server component of the open-source XenoRAT) and rdpclip, pointing to RAT use and clipboard monitoring on the attacker's own test machines.

Security teams should monitor GitHub API traffic for PUT /repos/{owner}/{repo}/contents/{path} requests, the Contents API call that creates or updates a single file and the mechanism these scripts use to upload logs. Because the repositories are private and the destination host is simply api.github.com, the request method and path are only visible where TLS is inspected at the proxy or from host-side telemetry such as PowerShell script block logging.

Additionally, alerting on creation of scheduled tasks whose name begins with BitLocker MDM policy Refresh (Security event 4698, available when "Audit Other Object Access Events" is enabled) can identify infected systems. Hunting for hardcoded GitHub tokens in scripts on endpoints and restricting outbound PowerShell downloads through application control or proxy policy will further disrupt this evolving Kimsuky campaign.
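Two of the checks recommended above, as an added example in Python that is not S2W's tooling or any code from the campaign: a detector that flags Contents API uploads in web-proxy logs and splits out the owner, repository and path, and a scanner that finds hardcoded GitHub token literals and Authorization headers in a PowerShell script. The proxy log format, the host and repository names, and the script fragment (with a fake token) are all constructed for the demo.

```python
"""Two of the recommended checks, as an added example (not S2W's tooling):
flag GitHub Contents-API uploads in web-proxy logs and find hardcoded GitHub
tokens in PowerShell scripts. All sample data below is constructed."""
import re

# Contents API: PUT /repos/{owner}/{repo}/contents/{path} creates or updates a file.
CONTENTS_PUT_RE = re.compile(
    r"^https?://api\.github\.com/repos/([^/\s]+)/([^/\s]+)/contents/(\S+)$", re.I)
# Assumed proxy line layout: "<timestamp> <client-ip> <process> <method> <url> <status>"
PROXY_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Token prefixes GitHub issues: ghp_ (classic PAT), gho_/ghu_/ghs_/ghr_ (OAuth
# and app tokens), github_pat_ (fine-grained PAT). Lengths vary, so match loosely.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b")
AUTH_HEADER_RE = re.compile(r"Authorization.*?\b(?:token|Bearer)\b", re.I)


def parse_proxy_line(line):
    """Split one proxy log line into fields; None for lines in another format."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, process, method, url, status = m.groups()
    return {"ts": ts, "client": client, "process": process.lower(),
            "method": method, "url": url, "status": int(status)}


def find_contents_uploads(log_text):
    """Return every PUT to the Contents API, with owner/repo/path split out."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        m = CONTENTS_PUT_RE.match(rec["url"])
        if not m:
            continue
        owner, repo, path = m.groups()
        hits.append({**rec, "owner": owner, "repo": repo, "path": path,
                     "script_host": rec["process"] in SCRIPT_HOSTS})
    return hits


def find_hardcoded_tokens(script_text):
    """Report token literals and API auth headers in a script, line by line."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            findings.append({"line": n, "kind": "github-token",
                             "redacted": tok[:8] + "..." + tok[-4:]})
        if AUTH_HEADER_RE.search(line):
            findings.append({"line": n, "kind": "authorization-header",
                             "redacted": line.strip()[:60]})
    return findings


# Constructed proxy log: one infected host writing to a private repository via
# PowerShell, plus two legitimate GitHub users for contrast.
PROXY_LOG = """\
2025-09-10T14:35:02Z 10.1.2.34 powershell.exe GET https://api.github.com/repos/demo-owner/group_demo/contents/real.txt 200
2025-09-10T14:35:04Z 10.1.2.34 powershell.exe PUT https://api.github.com/repos/demo-owner/group_demo/contents/real.txt_0910_1435.txt 201
2025-09-10T14:36:10Z 10.1.2.34 powershell.exe PUT https://api.github.com/repos/demo-owner/group_demo/contents/ntxBill_0910_1435/log.txt 201
2025-09-10T14:40:00Z 10.1.2.77 git.exe POST https://api.github.com/repos/corp/app/pulls 201
2025-09-10T14:41:00Z 10.1.2.78 chrome.exe GET https://github.com/corp/app 200
"""

# Constructed script fragment with a fake token; it only imitates the described
# pattern (token in the script, Contents API calls), not the real main.ps1.
SAMPLE_SCRIPT = r'''$owner = "demo-owner"; $repo = "group_demo"
$token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
$headers = @{ Authorization = "token $token"; "User-Agent" = "PowerShell" }
$resp = Invoke-RestMethod -Uri "https://api.github.com/repos/$owner/$repo/contents/real.txt" -Headers $headers
'''

if __name__ == "__main__":
    for h in find_contents_uploads(PROXY_LOG):
        print(f"{h['client']} {h['process']} PUT {h['owner']}/{h['repo']}:{h['path']} "
              f"script_host={h['script_host']}")
    for f in find_hardcoded_tokens(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

The upload detector is only as good as the visibility behind it: without TLS inspection the proxy sees a CONNECT to api.github.com and nothing else, so in that case pair it with host telemetry (script block logging, or EDR network events keyed on PowerShell talking to api.github.com). The token scanner, on the other hand, is cheap to run everywhere: the ghp_ and github_pat_ prefixes are public token formats, and a literal of that shape inside a script in a user profile, a scheduled task action or a LNK argument string is a strong signal regardless of which repository it unlocks.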

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.