Severity: HIGH
CVSS: 7.5
Priority: 0.694
Executive Summary
North Korean threat actors Kimsuky and ScarCruft are actively targeting South Korean organizations through phishing campaigns that use legitimate cloud services, GitHub and Dropbox, as command-and-control channels, making malicious traffic difficult to distinguish from normal business activity. The campaigns rely on social engineering via Hangul Word Processor documents and Windows shortcut files rather than software vulnerabilities, meaning no patch exists to block initial access. Organizations with South Korean operations, government ties, or defense-adjacent work face elevated risk; existing signature-based and reputation-based security controls are likely insufficient against this approach.
Technical Analysis
Three overlapping attack chains attributed to Kimsuky and ScarCruft begin with malicious LNK files delivered as spearphishing attachments (T1566.001, T1204.002).
Lure documents use the Hangul Word Processor (HWP) format, consistent with South Korea-targeted DPRK tradecraft.
Post-execution, the chains rely on Windows-native tooling to minimize the forensic footprint (living-off-the-land): PowerShell (T1059.001), VBScript (T1059.005), and scheduled tasks (T1053.005).
C2 traffic routes through GitHub repositories (T1102.002) and Dropbox (T1102), blending with legitimate platform traffic to bypass network-layer controls. Additional techniques include obfuscation (T1027), ingress tool transfer (T1105), data collection and archiving (T1560), masquerading (T1036), DLL hijacking (T1574.002), LOLBin abuse (T1218), hidden files (T1564.001), and virtualization/sandbox evasion (T1497.001). No CVEs are associated with this activity. Relevant CWEs: CWE-601 (open redirect, abuse of legitimate services for C2), CWE-693 (protection mechanism failure against LotL), CWE-494 (download of code without integrity check). No patches apply; the attack surface is behavioral, not software-vulnerability-based. Technical detail confidence is moderate; validate against the primary FortiGuard and Broadcom advisories before operationalizing.
Action Checklist (IR Enriched)
Triage Priority: URGENT
Escalate to senior IR leadership and legal/compliance immediately if proxy logs confirm successful data exfiltration (Dropbox upload API calls with non-trivial byte counts), if compromised accounts have access to sensitive research, government-contract, or personally identifiable data subject to breach notification obligations, or if the organization lacks the internal capability to perform memory forensics on hosts with confirmed C2 beaconing.
Step 1: Containment. Block outbound API calls and raw content requests to github.com and dropbox.com from endpoints and servers that have no documented business justification. Apply this at the proxy or firewall layer, scoped to unexpected or unapproved source systems. Do not apply a blanket block without first auditing legitimate GitHub/Dropbox use to avoid operational disruption.
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST AC-4 (Information Flow Enforcement)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
On hosts without enterprise proxy visibility, deploy Sysmon with network connection logging (Event ID 3) and filter on DestinationHostname containing 'raw.githubusercontent.com' or 'api.dropboxapi.com'. Use Windows Firewall with Advanced Security via GPO or local policy to block outbound TCP 443 to specific IP ranges for these domains on non-approved endpoints. Generate the current block list with: `Resolve-DnsName raw.githubusercontent.com | Select-Object IPAddress` and `Resolve-DnsName api.dropboxapi.com | Select-Object IPAddress`, then add those IPs to a named firewall rule — noting DNS-resolved IPs may rotate and require periodic refresh.
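The scoped block described above, as an added example that is not part of the advisory or of any vendor report it cites: the script resolves the two hostnames, creates one named Windows Firewall rule for outbound TCP/443 to those addresses, and on later runs refreshes the same rule's address list so DNS rotation does not accumulate stale duplicates. The rule name is our own convention, the Windows Firewall is assumed to be the enforcement point, and the call at the bottom uses -WhatIf so nothing changes until the legitimate-use audit from Step 1 is complete.

```powershell
# Added example (not from the advisory): resolve the C2-abused hostnames and maintain a
# single named outbound block rule for non-approved endpoints. Run in an elevated session.
# Assumptions: Windows Firewall is the enforcement point; the rule name is our own label.

$RuleName = 'IR-Block-GitHub-Dropbox-C2'
$Hosts    = @('raw.githubusercontent.com', 'api.dropboxapi.com')

function Get-CurrentBlockList {
    # Resolve each host to its current A/AAAA records. CNAME rows carry no IPAddress
    # and are dropped. The result changes as the providers rotate DNS, so re-run periodically.
    param([string[]]$HostNames)
    $ips = foreach ($h in $HostNames) {
        Resolve-DnsName -Name $h -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            Select-Object -ExpandProperty IPAddress
    }
    $ips | Sort-Object -Unique
}

function Set-C2BlockRule {
    # Create the rule once; afterwards only update its remote address list.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name, [string[]]$RemoteAddress)

    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    $action   = "block outbound TCP/443 to $($RemoteAddress.Count) addresses"
    if ($PSCmdlet.ShouldProcess($Name, $action)) {
        if (-not $existing) {
            New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
                -Protocol TCP -RemotePort 443 -RemoteAddress $RemoteAddress -Profile Any `
                -Description 'IR containment: GitHub raw content and Dropbox API (Step 1)' | Out-Null
        } else {
            Set-NetFirewallRule -DisplayName $Name -RemoteAddress $RemoteAddress
        }
    }
}

$blockList = Get-CurrentBlockList -HostNames $Hosts
'{0} addresses resolved at {1:u}' -f $blockList.Count, (Get-Date)
$blockList | ForEach-Object { "  $_" }

# Preview only. Remove -WhatIf once legitimate GitHub/Dropbox use has been audited.
Set-C2BlockRule -Name $RuleName -RemoteAddress $blockList -WhatIf
```

Deploy the same rule body through GPO where local policy is not authoritative, and schedule the refresh so the address list is regenerated on the cadence noted above.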
Preserve Evidence
Before applying blocks, export proxy or firewall logs showing existing outbound connections to raw.githubusercontent.com and api.dropboxapi.com — capture source IP, user agent, URI path, HTTP method, and byte counts. Kimsuky/ScarCruft C2 via GitHub typically involves HTTP GET requests to raw content URLs containing encoded payloads or tasking instructions; Dropbox C2 uses the /2/files/download and /2/files/upload API endpoints. Preserve these logs to reconstruct staging and tasking timelines before blocking terminates the observable beacon pattern.
Step 2: Detection. Search endpoint telemetry for LNK files executed from temp directories, email client process trees, or download folders (Event ID 4688, Sysmon Event ID 1). Hunt for PowerShell or WScript spawned by explorer.exe or Outlook with encoded command lines (Sysmon Event ID 1, Event ID 4104). Query proxy logs for outbound HTTPS to raw.githubusercontent.com or api.dropboxapi.com from non-developer workstations. Flag scheduled tasks created by PowerShell or WScript (Event ID 4698). Review HWP process execution chains for child processes.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, run the following targeted queries manually on affected hosts. For LNK execution (the .lnk path only appears in Event ID 4688 when "Include command line in process creation events" is enabled): `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like '*.lnk*' }`. For PowerShell with encoded commands: `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Where-Object { $_.Message -like '*-enc*' -or $_.Message -like '*EncodedCommand*' }`. For scheduled task creation by PowerShell or WScript: `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}`, then inspect the task XML embedded in each message for the action command. For HWP child process chains, query Sysmon Event ID 1 filtering on ParentImage containing 'hwp.exe' or 'Hwp.exe'. Deploy the public Sigma rule 'proc_creation_win_lnk_execution_from_non_standard_location' against collected Sysmon logs using sigmac to convert it to PowerShell or grep-compatible format.
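One way to run the Step 2 hunt in a single pass, as an added example that is not part of the advisory: it walks Sysmon Event ID 1 for document, mail or shell parents spawning a script host, decodes any -EncodedCommand payload it finds on a command line, flags .lnk launches from user-writable paths, and separately pulls Event ID 4698 task creations whose action is a script host. The hunt lists ($SuspectParents, $ScriptHosts), the 14-day window and the Sysmon log name are our assumptions, not published indicators.

```powershell
# Added example (not from the advisory): hunt Sysmon ID 1 and Security 4698 for the
# process-chain indicators in Step 2. Assumes Sysmon with its default log name; the parent
# and script-host lists below are our own hunt lists, not a published IOC set.

$SysmonLog      = 'Microsoft-Windows-Sysmon/Operational'
$SuspectParents = 'hwp.exe', 'outlook.exe', 'explorer.exe'
$ScriptHosts    = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
$Since          = (Get-Date).AddDays(-14)

function Get-SysmonEventData {
    # Flatten the <EventData><Data Name=...> pairs of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Decode-EncodedCommand {
    # -EncodedCommand / -enc / -ec payloads are Base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    $null
}

function Find-SuspiciousProcessChains {
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } |
        ForEach-Object {
            $d       = Get-SysmonEventData $_
            $parent  = [IO.Path]::GetFileName($d['ParentImage'])
            $child   = [IO.Path]::GetFileName($d['Image'])
            $decoded = Decode-EncodedCommand $d['CommandLine']
            # A .lnk on the command line, launched from Downloads/Temp/AppData.
            $lnk = ($d['CommandLine'] -match '(?i)\.lnk') -and
                   ($d['CurrentDirectory'] -match '(?i)\\(Downloads|Temp|AppData)\\')
            if (($parent -in $SuspectParents -and $child -in $ScriptHosts) -or $decoded -or $lnk) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Host        = $_.MachineName
                    User        = $d['User']
                    Parent      = $parent
                    Child       = $child
                    CommandLine = $d['CommandLine']
                    Decoded     = $decoded
                    Reason      = $(if ($decoded) { 'encoded-command' }
                                    elseif ($lnk) { 'lnk-from-user-path' }
                                    else { 'parent-child' })
                }
            }
        }
}

function Find-ScriptHostTaskCreation {
    # 4698 embeds the task XML in its message; flag tasks whose <Command> is a script host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } |
        Where-Object { $_.Message -match '(?i)<Command>[^<]*(powershell|pwsh|wscript|cscript|mshta)' } |
        Select-Object TimeCreated, MachineName,
            @{ n = 'TaskName'; e = { if ($_.Message -match 'Task Name:\s+(\S+)') { $Matches[1] } } }
}

Find-SuspiciousProcessChains | Sort-Object Time | Format-Table Time, Host, Parent, Child, Reason -AutoSize
Find-ScriptHostTaskCreation  | Format-Table -AutoSize
```

Pipe the `Decoded` column into the evidence package from the Preserve Evidence item below; the decoded stager text is what carries the raw.githubusercontent.com or api.dropboxapi.com URL when Script Block Logging was not yet enabled.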
Preserve Evidence
Collect the following before triage decisions: (1) Prefetch files for LNK execution under %WINDIR%\Prefetch — filenames will reference the LNK and any spawned interpreter; (2) Windows Security Event ID 4688 and Sysmon Event ID 1 logs showing process lineage — specifically hwp.exe, outlook.exe, or explorer.exe spawning powershell.exe or wscript.exe; (3) PowerShell Script Block Logging (Event ID 4104) entries in Microsoft-Windows-PowerShell/Operational containing Base64-encoded strings characteristic of Kimsuky stagers; (4) Scheduled task XML definitions from C:\Windows\System32\Tasks\ for any tasks created within the suspected compromise window; (5) Proxy or DNS logs showing queries to raw.githubusercontent.com or api.dropboxapi.com correlated by source hostname to the endpoint under investigation.
Step 3: Eradication. Remove any scheduled tasks created outside change management processes on affected systems. Terminate and delete identified malicious LNK files, PowerShell scripts, and any dropped payloads. Revoke and rotate credentials for accounts active on systems showing C2 beaconing patterns. Remove attacker-controlled GitHub repositories or Dropbox resources used as staging if identified; report abuse to the platforms directly.
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST AC-2 (Account Management)
CIS 5.3 (Disable Dormant Accounts)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
Compensating Control
Enumerate and export all scheduled tasks before removal for forensic preservation: `schtasks /query /fo CSV /v > "C:\IR\schtasks_snapshot_$(Get-Date -Format yyyyMMdd).csv"`. Remove confirmed malicious tasks: `schtasks /delete /tn "<task_name>" /f`. For LNK and dropped payload removal, run `Get-FileHash` on identified files before deletion to document IOC hashes for threat intel sharing. Force credential rotation for affected accounts via Active Directory: `Set-ADAccountPassword -Identity <user> -Reset -NewPassword (Read-Host -AsSecureString)` and immediately require a change at next logon with `Set-ADUser -Identity <user> -ChangePasswordAtLogon $true`. Submit the attacker-controlled GitHub repository URL to GitHub's abuse reporting portal at github.com/contact/report-abuse and Dropbox resources at dropbox.com/abuse, including the specific repository path or shared link URL identified during investigation.
Preserve Evidence
Before eradication actions, preserve forensic copies of: (1) The scheduled task XML from C:\Windows\System32\Tasks\ for each malicious task — this will contain the command line, trigger timing, and the account context used by Kimsuky/ScarCruft to maintain persistence; (2) The full LNK file binary including the target path, working directory, and any embedded command arguments — Kimsuky LNK files often contain multi-stage PowerShell stagers hidden in the arguments field; (3) Any PowerShell script files dropped to %TEMP%, %APPDATA%, or user profile subdirectories; (4) A memory dump of any active PowerShell or WScript processes prior to termination using ProcDump: `procdump.exe -ma <pid> C:\IR\powershell_<pid>.dmp`; (5) Windows Security Event ID 4648 (Explicit Credential Use) and Event ID 4624 (Logon) logs for the compromised account to establish lateral movement scope before credential rotation.
Step 4: Recovery. Validate that scheduled tasks are clean across affected hosts using 'schtasks /query' and endpoint telemetry. Confirm no residual beaconing to GitHub or Dropbox C2 endpoints by monitoring proxy logs for 72 hours post-remediation. Re-image endpoints where persistent access cannot be ruled out. Restore from known-good backups only after confirming backup integrity and confirming the backup predates initial compromise.
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CP-9 (System Backup)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For scheduled task validation across multiple hosts without enterprise tooling, run `Invoke-Command -ComputerName (Get-Content hostlist.txt) -ScriptBlock {schtasks /query /fo CSV /v}` and diff the output against your pre-incident baseline or the forensic snapshot taken during eradication. For 72-hour beacon monitoring without a SIEM, configure Windows Firewall auditing (`auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable`) and collect Security Event ID 5156 (network connection allowed) filtered on remote addresses resolving to GitHub or Dropbox IP ranges. For backup integrity validation, compute SHA-256 hashes of backup archives before restore and compare against stored checksums: `Get-FileHash -Algorithm SHA256 <backup_path>`.
Preserve Evidence
Before declaring recovery complete, document: (1) A clean schtasks export from each remediated host timestamped post-eradication, compared against the malicious task snapshot, confirming removal; (2) 72 hours of proxy or firewall logs showing zero outbound connections from remediated endpoints to raw.githubusercontent.com or api.dropboxapi.com — this rules out secondary persistence mechanisms not identified during eradication; (3) File system integrity verification of %WINDIR%\System32\Tasks\ using `Get-ChildItem` with creation timestamps to confirm no new tasks were added post-remediation; (4) Confirmation of the backup creation date against the earliest suspected compromise date derived from the LNK execution or HWP child process timestamps identified during detection.
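The scheduled-task handling in Step 3 (preserve the XML, then triage) and Step 4 (diff a post-eradication export against the snapshot) share one example, added here and not part of the advisory. It uses the ScheduledTasks module rather than schtasks.exe so the full action, trigger and principal of every task is written out as XML alongside a CSV index; the C:\IR directory, the file naming and the triage patterns are our own conventions.

```powershell
# Added example (not from the advisory) covering Step 3 (preserve, then triage tasks) and
# Step 4 (compare a post-eradication export with the snapshot). C:\IR and the file names
# are our own conventions; requires the ScheduledTasks module (Windows 8/2012 and later).

$IRDir = 'C:\IR'
New-Item -ItemType Directory -Path $IRDir -Force | Out-Null

function Export-TaskSnapshot {
    # Forensic copy first: one XML per task plus a CSV index. Returns the index path.
    param([string]$OutDir)
    $dir = Join-Path $OutDir ('tasks_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $tasks = Get-ScheduledTask
    foreach ($t in $tasks) {
        $safe = ($t.TaskPath + $t.TaskName) -replace '[\\/:*?"<>|]', '_'
        Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath |
            Set-Content -Path (Join-Path $dir "$safe.xml") -Encoding Unicode
    }
    $tasks | Select-Object TaskPath, TaskName, State, Author,
        @{ n = 'Execute';   e = { ($_.Actions | ForEach-Object Execute)   -join ' | ' } },
        @{ n = 'Arguments'; e = { ($_.Actions | ForEach-Object Arguments) -join ' | ' } } |
        Export-Csv -Path (Join-Path $dir 'index.csv') -NoTypeInformation
    Join-Path $dir 'index.csv'
}

function Find-SuspiciousTasks {
    # Triage the index: script-host or LOLBin actions, encoded or URL arguments, or
    # executables in user-writable paths. Hits are review candidates, not auto-deletes.
    param([string]$IndexCsv)
    Import-Csv $IndexCsv | Where-Object {
        $_.Execute   -match '(?i)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)' -or
        $_.Arguments -match '(?i)(-e(nc|c)?\s|encodedcommand|https?://|\\AppData\\|\\Temp\\|\\Downloads\\)' -or
        $_.Execute   -match '(?i)\\(Users|ProgramData|Windows\\Temp)\\'
    }
}

function Compare-TaskSnapshots {
    # Recovery check: a task present only in the current export was added after eradication;
    # one present only in the baseline was removed (expected for the malicious entries).
    param([string]$BaselineCsv, [string]$CurrentCsv)
    $key  = { $_.TaskPath + $_.TaskName + ' | ' + $_.Execute + ' ' + $_.Arguments }
    $base = @(Import-Csv $BaselineCsv | ForEach-Object $key)
    $cur  = @(Import-Csv $CurrentCsv  | ForEach-Object $key)
    Compare-Object -ReferenceObject $base -DifferenceObject $cur |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } },
                      @{ n = 'Task';   e = { $_.InputObject } }
}

$snapshot = Export-TaskSnapshot -OutDir $IRDir
"Snapshot index: $snapshot"
Find-SuspiciousTasks -IndexCsv $snapshot | Format-Table TaskPath, TaskName, Execute, Arguments -Wrap

# After eradication, export again and diff against the pre-removal snapshot:
#   Compare-TaskSnapshots -BaselineCsv $snapshot -CurrentCsv (Export-TaskSnapshot -OutDir $IRDir)
```

Run the export on each host from the `Invoke-Command` loop in the Step 4 compensating control and keep the baseline index with the case file; the diff is the evidence item (1) in the Preserve Evidence list above.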
Step 5: Post-Incident. Audit detection coverage for LotL technique chains: PowerShell execution policy, script block logging (Event ID 4104), and process creation logging should be enabled and ingested by your SIEM. Evaluate whether your network controls distinguish sanctioned from unsanctioned cloud service usage; this campaign exploits the absence of that distinction. Review phishing simulation coverage for LNK-based lures and HWP files. Map control gaps to MITRE ATT&CK techniques T1102.002, T1059.001, T1053.005, and T1566.001 and document remediation actions in your risk register.
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST AU-2 (Event Logging)
NIST AU-3 (Content of Audit Records)
NIST SI-4 (System Monitoring)
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Verify PowerShell Script Block Logging is enabled via GPO or registry: `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'` should return 1; where the key is absent, create it with `New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force` and then run `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1`. Validate process creation auditing is active: `auditpol /get /subcategory:"Process Creation"` should show Success enabled. For LNK-based phishing simulation coverage, use the GoPhish open-source framework with LNK attachment payloads to test user detection rates. Convert the MITRE ATT&CK technique mappings (T1102.002, Web Service: Bidirectional Communication; T1059.001, PowerShell; T1053.005, Scheduled Task; T1566.001, Spearphishing Attachment) to Sigma detection rules using the public SigmaHQ repository and deploy them against Sysmon and Windows Event Log sources. For HWP file handling, evaluate whether your organization requires the Hangul Word Processor and consider restricting it via AppLocker if not operationally required.
Preserve Evidence
Post-incident, compile the following for the lessons-learned record and risk register: (1) A gap analysis of which Sysmon Event IDs (1, 3, 11) and Windows Event IDs (4688, 4104, 4698) were logging and forwarding at time of compromise versus which were missing — this directly maps to the detection latency for this Kimsuky/ScarCruft campaign; (2) Proxy log evidence showing the duration of C2 beaconing to GitHub/Dropbox before detection, establishing dwell time specific to this incident; (3) A list of all endpoints that executed HWP files or LNK files during the compromise window, drawn from Prefetch and Event ID 4688 logs, to assess potential scope beyond confirmed victims; (4) Documentation of whether the attacker-controlled GitHub repository or Dropbox account was public or required authentication — this affects the fidelity of proxy-based detection going forward.
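The logging gap analysis in item (1), as an added example that is not part of the advisory: a read-only check of every telemetry prerequisite the checklist relies on (Script Block Logging for 4104, process-creation auditing and command-line inclusion for 4688, the object-access subcategory that produces 4698, Filtering Platform Connection for 5156, and presence of the Sysmon log), returned as a table for the risk register. The one write operation, enabling Script Block Logging, is kept in a separate function because the policy key does not exist on an unmanaged host and a bare Set-ItemProperty fails there.

```powershell
# Added example (not from the advisory): audit the logging prerequisites behind the checklist
# and return a gap table. Read-only except Enable-ScriptBlockLogging, which is not called
# automatically. Run elevated so auditpol and HKLM reads succeed.

function Test-RegistryDword {
    # $true only if the value exists and equals 1.
    param([string]$Path, [string]$Name)
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$Name -eq 1)
}

function Test-AuditSubcategory {
    # auditpol prints e.g. "  Process Creation    Success and Failure"; Success is what we need.
    param([string]$Subcategory)
    $line = auditpol /get /subcategory:"$Subcategory" 2>$null |
        Where-Object { $_ -match [regex]::Escape($Subcategory) }
    return [bool]($line -match 'Success')
}

function Get-LoggingCoverage {
    [pscustomobject]@{
        ScriptBlockLogging_4104 = Test-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
        ProcessCreation_4688    = Test-AuditSubcategory 'Process Creation'
        CommandLineIn_4688      = Test-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
        TaskCreation_4698       = Test-AuditSubcategory 'Other Object Access Events'
        FilteringPlatform_5156  = Test-AuditSubcategory 'Filtering Platform Connection'
        SysmonLog_1_3_11        = [bool](Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue)
    }
}

function Enable-ScriptBlockLogging {
    # The policy key is absent until a GPO or this function creates it.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

$coverage = Get-LoggingCoverage
$coverage.PSObject.Properties | ForEach-Object {
    [pscustomobject]@{ Control = $_.Name; Enabled = $_.Value; Gap = -not $_.Value }
} | Format-Table -AutoSize
```

Each `Gap = True` row maps directly to one of the Event IDs in the Key Forensic Artifacts list, which is the detection-latency argument item (1) asks for.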
Recovery Guidance
Re-image any endpoint where scheduled task persistence or secondary payloads cannot be conclusively ruled out — Kimsuky and ScarCruft are known to deploy multiple persistence mechanisms, and partial eradication of LNK or PowerShell stagers does not guarantee the absence of additional implants. Monitor proxy and DNS logs for outbound connections to GitHub and Dropbox from all internal endpoints for a minimum of 72 hours post-remediation, extending to 7 days if the dwell time prior to detection exceeded 48 hours. Restore affected systems from backups only after confirming via endpoint telemetry (Event ID 4688 timestamps and Prefetch file creation dates) that the backup image predates the earliest observed LNK execution or HWP child process spawn event.
Key Forensic Artifacts
Windows Prefetch files (%WINDIR%\Prefetch\) for LNK file execution and any spawned PowerShell or WScript processes — Kimsuky/ScarCruft LNK lures will leave execution traces here with timestamps that establish initial access timing
Scheduled task XML definitions in C:\Windows\System32\Tasks\ — ScarCruft and Kimsuky use schtasks for persistence; the XML will contain the encoded PowerShell command line used to beacon to GitHub or Dropbox C2
PowerShell Script Block Logging events (Event ID 4104) in Microsoft-Windows-PowerShell/Operational — will contain decoded stager content including the raw.githubusercontent.com or api.dropboxapi.com URL and any downloaded payload code
Proxy or firewall logs showing outbound HTTPS connections to raw.githubusercontent.com and api.dropboxapi.com — HTTP method, URI path, user-agent string, and response byte size distinguish C2 tasking (GET of raw content) from legitimate developer traffic
HWP (Hangul Word Processor) process execution chain in Sysmon Event ID 1 logs — malicious HWP documents used in this campaign spawn child processes (powershell.exe, wscript.exe, cmd.exe) that are forensically captured as ParentImage=hwp.exe, which is not a normal parent process relationship in a clean environment
Detection Guidance
Primary behavioral indicators: LNK files executed from user-writable directories (Downloads, Temp, AppData) spawning PowerShell or WScript (Sysmon Event ID 1, parent-child process chain).
PowerShell with Base64-encoded or heavily obfuscated command lines (Event ID 4104, Script Block Logging required).
Scheduled task creation via PowerShell or WScript outside business hours or change windows (Event ID 4698/4702).
Outbound HTTPS connections from non-developer endpoints to raw.githubusercontent.com, api.github.com, or api.dropboxapi.com, particularly with regular-interval beaconing patterns consistent with C2 polling.
HWP (Hangul Word Processor) files spawning child processes other than the HWP application itself.
DLL side-loading indicators: unsigned DLLs loaded by legitimate Windows binaries from user-writable paths (Sysmon Event ID 7, ImageLoaded not signed by Microsoft).
Sandbox/VM evasion activity: system enumeration commands (systeminfo, wmic) executed immediately after LNK execution before any payload action.
Note: no confirmed IOC hashes or specific C2 repository URLs are available in the current source set. Validate against FortiGuard Labs and Broadcom Symantec advisories for any published IOC lists before deploying signature-based detections.
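Scoring proxy traffic for the regular-interval beaconing and the non-trivial Dropbox uploads described above, as an added example that is not part of the advisory. The input is a constructed proxy log embedded in the script (hostnames, repository paths and byte counts are invented for illustration, not observed indicators); the column names follow a common CSV export shape and the thresholds are our own starting points. In the sample, the accounting workstation polls one raw.githubusercontent.com path every five minutes with one to two seconds of jitter and then posts about 2 MB to /2/files/upload, while the build server's irregular curl and git fetches fall below the request minimum.

```powershell
# Added example (not from the advisory): flag low-jitter polling of the abused hosts and
# large Dropbox uploads in proxy logs. The CSV below is constructed sample data; adapt the
# column names (timestamp, src_host, dst_host, method, uri, user_agent, bytes_out, bytes_in)
# to your proxy's export. Thresholds are our own defaults, not published values.

$ProxyCsv = @'
timestamp,src_host,dst_host,method,uri,user_agent,bytes_out,bytes_in
2025-01-10T09:00:00Z,WS-ACCT-07,raw.githubusercontent.com,GET,/example-org/notes/main/cfg.txt,Mozilla/5.0,412,1337
2025-01-10T09:05:01Z,WS-ACCT-07,raw.githubusercontent.com,GET,/example-org/notes/main/cfg.txt,Mozilla/5.0,412,1337
2025-01-10T09:10:00Z,WS-ACCT-07,raw.githubusercontent.com,GET,/example-org/notes/main/cfg.txt,Mozilla/5.0,412,1337
2025-01-10T09:15:02Z,WS-ACCT-07,raw.githubusercontent.com,GET,/example-org/notes/main/cfg.txt,Mozilla/5.0,412,1337
2025-01-10T09:20:00Z,WS-ACCT-07,raw.githubusercontent.com,GET,/example-org/notes/main/cfg.txt,Mozilla/5.0,412,1337
2025-01-10T09:21:10Z,WS-ACCT-07,api.dropboxapi.com,POST,/2/files/upload,Mozilla/5.0,2097152,230
2025-01-10T09:02:11Z,DEV-BUILD-01,raw.githubusercontent.com,GET,/example-org/tool/main/install.sh,curl/8.4,300,40000
2025-01-10T09:47:52Z,DEV-BUILD-01,raw.githubusercontent.com,GET,/example-org/tool/main/README.md,git/2.43,280,9000
2025-01-10T11:30:03Z,DEV-BUILD-01,raw.githubusercontent.com,GET,/example-org/tool/main/install.sh,curl/8.4,300,40000
'@

$WatchHosts = 'raw.githubusercontent.com', 'api.github.com', 'api.dropboxapi.com'

function Get-BeaconCandidates {
    # Group by (source, destination); compute inter-request gaps; low std-dev/mean = polling.
    param([string]$Csv, [int]$MinRequests = 4, [double]$MaxJitterRatio = 0.10)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.dst_host -in $WatchHosts } |
        Group-Object src_host, dst_host |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { ([datetimeoffset]$_.timestamp).UtcDateTime } | Sort-Object)
            if ($times.Count -lt $MinRequests) { return }
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
            $mean = ($gaps | Measure-Object -Average).Average
            if ($mean -le 0) { return }
            $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $gaps.Count
            $ratio = [math]::Sqrt($var) / $mean
            [pscustomobject]@{
                Source          = $_.Group[0].src_host
                Destination     = $_.Group[0].dst_host
                Requests        = $times.Count
                MeanIntervalSec = [math]::Round($mean, 1)
                JitterRatio     = [math]::Round($ratio, 3)
                Beaconing       = $ratio -le $MaxJitterRatio
            }
        }
}

function Get-LargeUploads {
    # Dropbox upload API calls with non-trivial request bodies (Step 1 escalation trigger).
    param([string]$Csv, [long]$MinBytes = 1MB)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.dst_host -eq 'api.dropboxapi.com' -and $_.uri -like '/2/files/upload*' -and [long]$_.bytes_out -ge $MinBytes } |
        Select-Object timestamp, src_host, uri, bytes_out
}

Get-BeaconCandidates -Csv $ProxyCsv | Format-Table -AutoSize
Get-LargeUploads     -Csv $ProxyCsv | Format-Table -AutoSize
```

On the sample, WS-ACCT-07 scores a 300-second mean with a jitter ratio near 0.005 and is marked `Beaconing = True`, and its 2 MB upload is listed; DEV-BUILD-01 produces no row. Replace `$ProxyCsv` with `Get-Content` of a real export, keep the URI, user agent and byte columns, and lower `$MinRequests` only when the log window is short.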
Indicators of Compromise (3)

Type: URL
Value: raw.githubusercontent.com (attacker-controlled repositories; specific paths not confirmed in available sources)
Context: GitHub abused as C2 channel for command retrieval and data exfiltration (T1102.002). Specific repository URLs not available in current source set.
Confidence: low

Type: URL
Value: api.dropboxapi.com (attacker-controlled storage; specific paths not confirmed in available sources)
Context: Dropbox abused as C2 and staging channel (T1102). Specific endpoint paths not available in current source set.
Confidence: low

Type: DOMAIN
Value: No confirmed C2 domains available in current source set
Context: Source quality score 0.48. Validate against FortiGuard Labs (fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2) and Broadcom advisories for published IOCs.
Confidence: low
Compliance Framework Mappings
MITRE ATT&CK: T1102.002, T1041, T1560, T1036, T1105, T1027 (11 more not listed)
NIST SP 800-53: CA-7, SC-7, SI-4, SI-3, CM-7, SI-7 (3 more not listed)
MITRE ATT&CK Mapping
T1102.002: Bidirectional Communication (command-and-control)
T1041: Exfiltration Over C2 Channel (exfiltration)
T1560: Archive Collected Data (collection)
T1036: Masquerading (defense-evasion)
T1105: Ingress Tool Transfer (command-and-control)
T1027: Obfuscated Files or Information (defense-evasion)
T1102: Web Service (command-and-control)
T1218: System Binary Proxy Execution (defense-evasion)
T1566.001: Spearphishing Attachment (initial-access)
T1564.001: Hidden Files and Directories (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.