
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign
DPRK-linked threat actors are favoring stealth over sophistication in targeting South Korean organizations, as researchers report the use of weaponized Windows shortcut (.LNK) files and GitHub-based command-and-control (C2) channels in a new campaign.

According to new Fortinet findings, a series of attacks that began in 2024 was found to use a multi-stage scripting process and GitHub C2 to evade detection, with obfuscation improving with each iteration of the campaign.

“In recent months, the threat actor has altered their tactics,” Fortinet researchers said in a blog post. “They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files.”

The o...
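A defender-side triage check for the two traits the researchers describe above, decoding logic carried in LNK arguments and an encoded payload appended to the shortcut file, written as an added example (not Fortinet's tooling and not code from the article). The byte layout follows the MS-SHLLINK specification; the keyword list, length threshold and cp1252 fallback are my own assumptions, and the sample shortcut the block builds is constructed for the test.

```python
import struct

# Triage heuristics; thresholds and keyword list are assumptions, not Fortinet's.
DECODE_HINTS = ("frombase64string", "-enc", "-encodedcommand", "iex", "invoke-expression")
MAX_ARGS = 200  # legitimate shortcut arguments are rarely this long

def parse_lnk(data: bytes) -> dict:
    """Parse just enough of the Shell Link format (MS-SHLLINK) to recover the
    COMMAND_LINE_ARGUMENTS string and any bytes left after the last structure."""
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    if u32(0) != 0x4C:                  # HeaderSize is always 0x4C
        raise ValueError("not a Shell Link file")
    flags, pos = u32(20), 0x4C          # LinkFlags sit after HeaderSize + LinkCLSID
    if flags & 0x01:                    # HasLinkTargetIDList: skip IDListSize + IDList
        pos += 2 + u16(pos)
    if flags & 0x02:                    # HasLinkInfo: LinkInfoSize covers the whole block
        pos += u32(pos)
    unicode, strings = bool(flags & 0x80), {}
    for bit, name in ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"), (0x20, "args"), (0x40, "icon")):
        if flags & bit:                 # StringData: CountCharacters, then the characters
            n, pos = u16(pos), pos + 2
            raw = data[pos:pos + (n * 2 if unicode else n)]
            pos += len(raw)
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")  # cp1252 assumed
    while pos + 4 <= len(data):         # ExtraData blocks; a BlockSize < 4 terminates the list
        size = u32(pos)
        pos += max(size, 4)             # terminal block is 4 bytes
        if size < 4:
            break
    return {"args": strings.get("args", ""), "trailing": data[pos:]}

def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info, findings = parse_lnk(data), []
    args = info["args"]
    if len(args) > MAX_ARGS:
        findings.append(f"long arguments ({len(args)} chars)")
    hits = [h for h in DECODE_HINTS if h in args.lower()]
    if hits:
        findings.append("decoding logic in arguments: " + ", ".join(hits))
    if info["trailing"]:
        findings.append(f"{len(info['trailing'])} bytes appended after the link structures")
    return findings

def build_sample(args: str, tail: bytes = b"") -> bytes:
    """Construct a minimal Unicode LNK (no IDList/LinkInfo) for testing; not a real sample."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", 0x4C, clsid, 0x20 | 0x80) + b"\x00" * 52
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + b"\x00" * 4 + tail
```

Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by their size fields; the constructed sample omits both to stay small.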