Security Articles

Malware MoonPeak Executed via LNK Files

released on 2026-01-26 @ 02:28:48 PM
In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with an LNK file that runs an obfuscated PowerShell script; this first stage checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads a payload hosted on GitHub and executes it; this payload is the MoonPeak malware itself. MoonPeak is obfuscated with ConfuserEx and communicates with a C2 server. The campaign's use of GitHub to host malware is an instance of Living Off Trusted Sites (LOTS), in which attackers abuse legitimate, widely trusted services so their traffic blends in with normal activity. The attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.