TTPwire Vol. 1 · MITRE ATT&CK Tagged


Infosecurity Magazine

GitHub Used as Covert Channel in Multi-Stage Malware Campaign

2026-04-02 · Read original ↗

ATT&CK techniques detected

5 predictions

T1204.002 Malicious File · 94%
“GitHub used as covert channel in multi-stage malware campaign. A series of malicious LNK files targeting users in South Korea has been detected using a multi-stage attack chain that uses GitHub as command and control (C2) infrastructure. The campaign relies on scripting, enc…”

T1059.001 PowerShell · 92%
“at Sectigo. Multi-stage infection process: the attack begins with LNK files containing hidden scripts that retrieve PowerShell commands from GitHub. As mentioned above, later variants introduced decoding functions and removed identifying metadata, making attribution more difficu…”

T1053.005 Scheduled Task · 57%
“at Sectigo. Multi-stage infection process: the attack begins with LNK files containing hidden scripts that retrieve PowerShell commands from GitHub. As mentioned above, later variants introduced decoding functions and removed identifying metadata, making attribution more difficu…”

T1204.001 Malicious Link · 32%
“, maintaining communication with the attacker and enabling further activity on compromised systems. A keep-alive script uploads network configuration details, allowing the attacker to monitor infected machines and maintain access over time. "This attack demonstrates how malici…”

T1204.002 Malicious File · 30%
“at Sectigo. Multi-stage infection process: the attack begins with LNK files containing hidden scripts that retrieve PowerShell commands from GitHub. As mentioned above, later variants introduced decoding functions and removed identifying metadata, making attribution more difficu…”

Summary

LNK files use GitHub as C2, with embedded decoders and PowerShell for persistence and data exfiltration.