Phishing LNK files and GitHub C2 power new DPRK cyber attacks

Security Affairs
Actively Exploited

Overview

Hackers linked to North Korea are targeting South Korean organizations through a new cyberattack method that uses GitHub as a command and control (C2) server. The attacks begin with phishing emails that contain obfuscated LNK files. When opened, these files drop a decoy PDF and a PowerShell script onto the victim's system. Because the C2 traffic goes to a widely trusted platform like GitHub, it is unlikely to be blocked by reputation-based network controls, which lets the attackers evade traditional security measures. The implications are significant: this method not only demonstrates the evolving strategies of DPRK hackers but also poses serious risks to organizations in South Korea, which must be wary of both phishing attempts and the data breaches that can follow.

Key Takeaways

  • Active Exploitation: This attack technique is in active use by attackers. Immediate action is recommended.
  • Affected Systems: South Korean organizations (GitHub is abused as the C2 channel)
  • Action Required: Organizations should implement email filtering to detect and block phishing attempts, educate employees about the dangers of opening unknown attachments, and monitor for unusual activity on their networks.
  • Timeline: Newly disclosed

Original Article Summary

DPRK-linked hackers use GitHub C2s, starting attacks via phishing LNK files that drop a PDF and PowerShell script in South Korea. North Korea-linked threat actors target South Korean organizations using GitHub as C2 servers. The attack chain starts with phishing emails carrying obfuscated LNK files that drop a decoy PDF and a PowerShell script to […]

Impact

South Korean organizations (GitHub is abused as the C2 channel)

Exploitation Status

This attack technique is confirmed to be in active use in real-world attacks. Since it relies on phishing rather than an unpatched software flaw, organizations should prioritize implementing the remediation steps below immediately.

Timeline

Newly disclosed

Remediation

Organizations should implement email filtering to detect and block phishing attempts, educate employees about the dangers of opening unknown attachments, and monitor for unusual activity on their networks.
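As an added defensive example (not code from the article or from the researchers it reports on), the Python below parses the StringData section of a Windows shortcut (.lnk) following the MS-SHLLINK layout and flags the traits described above: a shortcut that launches PowerShell with hidden or policy-bypass switches, or that references GitHub. The sample shortcut is constructed by `build_lnk` for the demonstration and is not a real attack artifact; `triage_lnk` is a starting point for attachment filtering, not a complete detector.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 0x14).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKDIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field, always 76

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, args, icon) of a .lnk."""
    if data[:4] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # fixed 76-byte ShellLinkHeader
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 total size (includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & flag:                         # u16 char count, then chars (UTF-16LE if IsUnicode)
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return fields

def triage_lnk(data: bytes) -> list:
    """Heuristic findings for a shortcut received as a mail attachment."""
    f = parse_lnk(data)
    blob = " ".join(f.values()).lower()
    findings = []
    if "powershell" in blob or "pwsh" in blob:
        findings.append("launches PowerShell")
    if any(s in blob for s in ("-w hidden", "-windowstyle hidden", "-nop", "-enc", "bypass")):
        findings.append("hidden/encoded/policy-bypass switches")
    if "github" in blob:
        findings.append("references GitHub (possible C2 channel)")
    return findings

def build_lnk(rel_path: str, args: str) -> bytes:
    """Constructed sample .lnk (header + two StringData fields only); not a real-world artifact."""
    header = bytearray(0x4C)
    header[:4] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return bytes(header) + body

if __name__ == "__main__":
    sample = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       '-w hidden -nop -c "placeholder"')
    print(triage_lnk(sample))
```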

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Phishing.

Related Coverage

Cyber incident disrupts Massachusetts' emergency communications center

SCM feed for Latest

The Patriot Regional Emergency Communications Center in Massachusetts reported a cyberattack that affected its emergency notification system, CodeRED. This incident disrupted phone lines and systems in several towns across the northern part of the state, leading to concerns about public safety during the attack. Although specific details about the nature of the cyberattack have not been disclosed, the impact on emergency communications raises serious alarms about how such incidents can hinder timely responses in critical situations. The threat to emergency services underscores the vulnerabilities in infrastructure that communities rely on during crises and the need for robust cybersecurity measures to protect these essential systems.

Apr 6, 2026

Total takeover of Nvidia GPU-based devices possible with novel Rowhammer attacks

SCM feed for Latest

Recent research has identified serious vulnerabilities in Nvidia GPU-based devices, which are common in cloud computing environments. Three new Rowhammer attacks have been discovered that could allow attackers to completely take control of these systems. This is particularly concerning for organizations that rely on high-performance GPUs for various applications, as it raises the risk of unauthorized access and potential data breaches. The ability to exploit these vulnerabilities could have significant implications for cloud security, making it essential for companies to assess their defenses against such attacks. As these GPUs are widely used, the impact of this discovery could be extensive across many sectors relying on cloud services.

Apr 6, 2026

Evolving Russian cyberattacks against Ukraine detailed

SCM feed for Latest

Over the past year, Russian cyberattacks targeting Ukraine have shown significant evolution, according to findings from Ukraine's Computer Emergency Response Team. These attacks have likely intensified as the conflict between the two nations continues. Ukrainian authorities have observed a range of tactics employed by Russian threat actors, indicating an adaptive approach to circumvent defenses. This ongoing campaign not only threatens Ukraine's critical infrastructure but also raises concerns for cybersecurity in other regions as similar tactics may be replicated elsewhere. The situation underscores the urgent need for vigilance and enhanced security measures among organizations in affected areas.

Apr 6, 2026

Fortinet Issues Emergency Patch for FortiClient Zero-Day

darkreading

Fortinet has released an emergency patch for a serious authentication bypass vulnerability, identified as CVE-2026-35616. This flaw allows attackers to bypass authentication mechanisms, potentially granting unauthorized access to systems using FortiClient. The vulnerability is part of a troubling trend, as it has been exploited in the wild, meaning that it poses an immediate risk to users. Organizations that rely on Fortinet's products should prioritize applying this patch to protect their networks from potential breaches. This incident underscores the importance of timely updates and vigilance in cybersecurity practices.

Apr 6, 2026

pcTattleTale stalkerware maker sentence includes fine, supervised release

CyberScoop

Bryan Fleming, the creator of the stalkerware application pcTattleTale, has been sentenced without prison time after pleading guilty to charges related to his software. Instead, he will face a fine and a period of supervised release. This case is notable as it represents one of the few successful prosecutions in the United States related to stalkerware, software designed to secretly monitor individuals without their consent. The implications of this case extend beyond Fleming, as it raises awareness about the legal ramifications for those who develop and distribute such invasive technologies. Users should be aware of the potential risks associated with stalkerware and the importance of privacy in the digital age.

Apr 6, 2026

Missile Alert Phishing Exploits Iran-US-Israel Conflict for Microsoft Logins

Hackread – Cybersecurity News, Data Breaches, AI and More

A new phishing scam is exploiting the ongoing conflict between Iran, the US, and Israel by sending out fake missile alerts to trick users into revealing their Microsoft login credentials. Attackers are using QR codes and counterfeit government emails to lure victims. This tactic is particularly concerning as it preys on the heightened anxiety surrounding geopolitical tensions, making users more susceptible to clicking on malicious links. The scam underscores the importance of vigilance regarding unsolicited communications, especially during times of crisis. Users are advised to verify the authenticity of any alerts before taking action, particularly those requesting sensitive information.

Apr 6, 2026