FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows .lnk files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and vmtoolsd. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file.
The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as Kimsuky, APT37, and Lazarus.

On April 3, 2026, FortiGuard Labs disclosed a high-severity espionage campaign attributed to North Korean state-sponsored actors, citing tradecraft and targeting patterns consistent with groups such as Kimsuky, APT37, and Lazarus.
The campaign shifted to more advanced LNK files that embed decoding logic and payload data, launch PowerShell and VBScript, perform anti-analysis checks, establish scheduled-task persistence, and use private GitHub repositories for command-and-control and data exfiltration.
Researchers reported that earlier versions of the operation used less-obfuscated LNK samples associated with XenoRAT before the campaign evolved into more sophisticated surveillance-focused malware.
FortiGuard Labs said the espionage campaign has been active since at least 2024, using phishing lures with malicious Windows LNK files disguised as PDF documents to target organizations in South Korea.
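As a defender-side check for the persistence mechanism described in the summary and the timeline above (a Scheduled Task that repeats every 30 minutes and launches PowerShell or another native script host), here is an added hunting script; it is not from the FortiGuard Labs report or from Mallory, and it assumes a Windows host with the built-in ScheduledTasks module. The script-host list and the PT30M default are assumptions for illustration, not indicators from the report.

```powershell
# Added hunt script: flags scheduled tasks that repeat at a given interval
# (default PT30M, the 30-minute cadence reported for this campaign) and whose
# action runs PowerShell or another native script host. Assumes Windows with
# the built-in ScheduledTasks module; run from an elevated session to see
# tasks registered by other accounts.

# Script hosts named in the summary (PowerShell, VBScript) plus common relatives.
# This list is an assumption for illustration, not an indicator from the report.
$ScriptHosts = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'cmd')

function Find-RecurringScriptHostTasks {
    param(
        # ISO 8601 duration as stored by the Task Scheduler (PT30M = every 30 minutes)
        [string]$Interval = 'PT30M'
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_

        # Keep only tasks with at least one trigger repeating at the interval.
        $repeating = $task.Triggers | Where-Object {
            $_.Repetition -and $_.Repetition.Interval -eq $Interval
        }
        if (-not $repeating) { return }   # 'return' inside ForEach-Object moves to the next task

        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute path; skip them.
            if (-not $action.Execute) { continue }

            # Normalise to a bare program name, e.g. "powershell" from
            # "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
            $exe = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute.Trim('"')).ToLower()
            if ($ScriptHosts -notcontains $exe) { continue }

            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Interval  = $Interval
            }
        }
    }
}

# Review the hits; compare TaskName, TaskPath and Author against change records before acting.
Find-RecurringScriptHostTasks | Format-Table -AutoSize -Wrap
```

Legitimate software also registers recurring PowerShell tasks, so treat a hit as a lead to triage (task name mimicking a document, unexpected author, encoded arguments), not as a verdict.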