
GitHub as C2 Infrastructure? DPRK's Latest TTP in South Korea

SecurityTrainer_Rosa 4/6/2026

Just caught the latest report from FortiGuard Labs regarding DPRK-linked activity targeting organizations in South Korea. It looks like they are increasingly leveraging GitHub repositories as command-and-control (C2) infrastructure. This is a fascinating evolution of "Living off the Land" tactics, utilizing a trusted domain that is rarely blocked by enterprise firewalls to bypass network segmentation.

The attack chain is pretty clever but standard for these ops:

  • Initial Access: Obfuscated Windows Shortcut (LNK) files.
  • Execution: The LNK files execute a PowerShell script to fetch the next stage.
  • Decoy: A malicious PDF is dropped to distract the user while the C2 traffic commences over GitHub.

Since there isn't a specific CVE to patch here—this is purely an abuse of trust—detection relies heavily on behavioral analysis. Blocking github.com isn't an option for most of us, so we need to look for the anomalies in the traffic patterns or the LNK execution itself.

Here is a quick PowerShell snippet you can use in your hunting scripts to scan for recently created LNK files that might be suspicious:

# Hunt for LNK files written in the last 7 days whose target is a script host.
# One WScript.Shell COM object is enough; creating one per file is wasteful.
$sh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path "C:\Users\" -Filter "*.lnk" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $lnk = $sh.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        # The Arguments field is where an LNK-launched PowerShell stage usually lives, so print it too.
        if ($target -match "powershell\.exe|cmd\.exe|mshta\.exe") {
            Write-Host "Suspicious LNK found: $($_.FullName) | Target: $target | Args: $($lnk.Arguments)"
        }
    }

Are you guys seeing an uptick in trusted-platform abuse in your environments? How are you handling the balance between developer productivity (needing GitHub access) and security risks like this?

EmailSec_Brian 4/6/2026

We saw a similar spike last quarter using Trello for C2. It's a nightmare because SSL inspection often struggles with some of these SaaS platforms due to certificate pinning or strict client-side checks. We ended up creating a specific allow-list for official corporate repos and forcing all other GitHub traffic through an explicit proxy with deep packet inspection. It catches a lot, but the false positives are annoying.

Support 4/6/2026

Great PowerShell snippet for hunting. As a SOC analyst, I'd recommend pairing that with a KQL query looking for PowerShell processes spawned by explorer.exe that immediately reach out to raw.githubusercontent.com.

// PowerShell launched by explorer.exe (user double-clicked something) with a GitHub
// host on its command line. `has` matches whole terms, so "github.com" alone would
// miss raw.githubusercontent.com; match both hosts.
DeviceProcessEvents
| where InitiatingProcessFileName == "explorer.exe"
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("github.com", "githubusercontent.com")
| project Timestamp, DeviceName, ProcessCommandLine

This usually catches the initial execution phase before they try to hide the process.

Threat_Intel_Omar 4/6/2026

From a pentester's perspective, this is incredibly effective. Blue teams focus so much on detecting binary drops or weird ports that they forget standard HTTPS to a trusted site. If the attacker uses the GitHub API to fetch issues or gists as encoded commands, it looks almost identical to legitimate developer traffic. Context is key—looking at the User-Agent strings and the timing of the requests usually gives it away.
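Added editor's example, not code from FortiGuard or from anyone in this thread: a small Python hunt over proxy logs that pulls together the three tells raised above: Rosa's "anomalies in the traffic patterns", Brian's allow-list of official corporate repos, and Omar's User-Agent and request-timing point. The log line format, the host names, the `example-corp` allow-list, the `acct-9f3a/notes` repo and all sample lines are constructed for the example; the PowerShell User-Agent string shape is the real default of Invoke-WebRequest, but treat the thresholds (`min_hits`, `max_cv`) as starting points to tune.

```python
"""Hunt for GitHub-as-C2 patterns in constructed proxy log lines.

Added example for this thread, not from FortiGuard or any poster. Flags three
anomaly types: GitHub paths outside a corporate repo allow-list, non-browser /
non-git User-Agents (e.g. PowerShell's default), and fixed-interval beaconing.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: "timestamp host "user_agent" url" (UA is quoted).
SAMPLE_LOG = """\
2026-04-06T09:00:00 WS-DEV01 "git/2.43.0" https://github.com/example-corp/billing-api.git/info/refs
2026-04-06T09:00:05 WS-DEV01 "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0" https://github.com/example-corp/billing-api/pull/42
2026-04-06T09:01:00 WS-HR07 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023" https://raw.githubusercontent.com/acct-9f3a/notes/main/r.txt
2026-04-06T09:02:00 WS-HR07 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023" https://raw.githubusercontent.com/acct-9f3a/notes/main/r.txt
2026-04-06T09:03:00 WS-HR07 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023" https://raw.githubusercontent.com/acct-9f3a/notes/main/r.txt
2026-04-06T09:04:00 WS-HR07 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023" https://raw.githubusercontent.com/acct-9f3a/notes/main/r.txt
2026-04-06T09:05:00 WS-HR07 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023" https://raw.githubusercontent.com/acct-9f3a/notes/main/r.txt
2026-04-06T09:17:31 WS-DEV01 "git/2.43.0" https://github.com/example-corp/billing-api.git/git-upload-pack
"""

# Hypothetical corporate allow-list (assumption; substitute your own org/repos).
ALLOWED_REPOS = {"example-corp/billing-api", "example-corp/infra"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com", "gist.github.com"}
# Client types we expect to talk to GitHub; anything else deserves a look.
EXPECTED_UA = re.compile(r"^(git/|Mozilla/5\.0 \(.*\) .*(Chrome|Firefox|Edg)/|GitHubDesktop/)")
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, ua, url = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "ua": ua, "url": url})
    return events


def repo_of(url):
    """Return 'owner/repo' for a GitHub-family URL, or None if the host is not GitHub."""
    p = urlparse(url)
    if p.hostname not in GITHUB_HOSTS:
        return None
    parts = [s for s in p.path.split("/") if s]
    if len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1].removesuffix('.git')}"


def find_beacons(events, min_hits=4, max_cv=0.2):
    """(host, repo) pairs hit at near-constant intervals (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for e in events:
        repo = repo_of(e["url"])
        if repo:
            by_pair[(e["host"], repo)].append(e["ts"])
    beacons = []
    for (host, repo), stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append((host, repo, round(mean), len(stamps)))
    return beacons


def analyze(text):
    """Run all three checks; returns sets/lists of findings keyed by type."""
    events = parse_log(text)
    findings = {"unapproved_repo": set(), "odd_user_agent": set(), "beacon": find_beacons(events)}
    for e in events:
        repo = repo_of(e["url"])
        if repo is None:
            continue
        if repo not in ALLOWED_REPOS:
            findings["unapproved_repo"].add((e["host"], repo))
        if not EXPECTED_UA.match(e["ua"]):
            # Keep only the product token so the finding is readable.
            findings["odd_user_agent"].add((e["host"], e["ua"].split()[-1]))
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in sorted(items):
            print(f"{kind}: {item}")
```

On the constructed sample the developer workstation's git and browser traffic to the allow-listed repo is quiet, while the HR host shows up three times: an unapproved repo, a WindowsPowerShell User-Agent, and five fetches exactly 60 seconds apart. Any one of these alone is noisy in a real environment (Brian's false-positive point); the value is in the overlap, so feed the three findings into one scoring rule rather than alerting on each.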
