GitHub Used as Covert Channel in Multi-Stage Malware Campaign

Infosecurity Magazine, Apr 2, 2026

Why It Matters

By abusing a trusted developer platform for C2, the threat bypasses many traditional security controls, raising the bar for detection and response in corporate environments.

Key Takeaways

  • GitHub used as C2 for Korean LNK malware
  • Malicious LNK files embed PowerShell decoding functions
  • Decoy PDFs distract victims while scripts run silently
  • Scheduled tasks ensure persistence every 30 minutes
  • Hard‑coded tokens exfiltrate data to GitHub

Pulse Analysis

The use of GitHub as a command‑and‑control (C2) hub reflects a broader shift toward living‑off‑the‑land tactics, where attackers co‑opt legitimate services to hide malicious traffic. Developer platforms offer high availability, global CDN distribution, and encrypted HTTPS connections, making them attractive for stealthy data exfiltration. In this campaign, the initial infection vector is a crafted LNK shortcut that appears innocuous, yet it silently invokes PowerShell scripts fetched from public repositories. By embedding decoding routines within the shortcut itself, the attackers eliminate the need for external droppers, reducing the forensic footprint and complicating attribution.

Technical analysis reveals a layered infection chain: after the LNK file drops a decoy PDF, a PowerShell payload performs environment checks, decodes additional modules, and creates scheduled VBScript tasks that run every half hour. These tasks maintain persistence and periodically upload system information—such as OS version, running processes, and network configuration—to GitHub using hard‑coded access tokens. The choice of scheduled tasks, rather than more conspicuous services, aligns with the goal of blending into normal Windows activity. Moreover, the removal of metadata in newer variants hampers traditional threat‑intel linking, forcing defenders to rely on behavior‑based detection.

For security teams, the campaign underscores the necessity of monitoring outbound traffic to cloud‑based code repositories, even when destinations appear benign. Implementing DNS filtering, TLS inspection, and anomalous repository access alerts can surface suspicious token usage. Additionally, organizations should enforce strict application whitelisting for PowerShell and limit the execution of LNK files from untrusted sources. As attackers continue to weaponize trusted infrastructure, a proactive, context‑aware approach becomes essential to mitigate the risk of covert C2 channels.
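As an added illustration of the two hunts suggested above, not code from the article or the researchers behind it, the following Python detector runs over constructed Sysmon-style events: it flags script interpreters (PowerShell, wscript, cscript) that open connections to GitHub hosts, and schtasks invocations that register a minute-granularity recurring task whose action is a script host. The host lists, the 60-minute threshold and the sample events are assumptions for the demo.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-style telemetry for the demo (not taken from the article).
# Event 1 = process creation (detail holds the command line); event 3 = network
# connection (detail holds the destination hostname).
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\schtasks.exe",
     'schtasks /Create /SC MINUTE /MO 30 /TN "OneDriveSync" /TR "wscript.exe C:\\Users\\Public\\s.vbs" /F'),
    (3, r"C:\Windows\System32\wscript.exe", "api.github.com"),
    (3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "raw.githubusercontent.com"),
    (3, r"C:\Program Files\Git\mingw64\bin\git-remote-https.exe", "github.com"),  # benign developer tool
    (1, r"C:\Windows\System32\schtasks.exe",
     'schtasks /Create /SC DAILY /ST 02:00 /TN "NightlyBackup" /TR "C:\\Tools\\backup.exe"'),
]

# Assumed allow/deny lists: GitHub endpoints and interpreters that rarely need them.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Recurring task created with /SC MINUTE; group 1 captures the /MO interval.
MINUTE_TASK = re.compile(r"/SC\s+MINUTE\b.*?/MO\s+(\d+)", re.IGNORECASE)
# The /TR action launches a script interpreter.
SCRIPT_RUNNER = re.compile(r'/TR\s+"?[^"]*?(wscript|cscript|powershell|pwsh|mshta)(\.exe)?\b',
                           re.IGNORECASE)


def image_name(image):
    """Lower-cased executable name from a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(events, max_minutes=60):
    """Return (rule, image, detail) for every event matching one of the two hunts."""
    alerts = []
    for event_id, image, detail in events:
        name = image_name(image)
        if event_id == 3 and name in SCRIPT_HOSTS and detail.lower() in GITHUB_HOSTS:
            # A scripting host, not a developer tool, talking to GitHub: possible C2 or exfil.
            alerts.append(("script_host_to_github", image, detail))
        elif event_id == 1 and name == "schtasks.exe":
            interval = MINUTE_TASK.search(detail)
            if interval and int(interval.group(1)) <= max_minutes and SCRIPT_RUNNER.search(detail):
                # Short-interval recurring task whose action is a script interpreter.
                alerts.append(("short_interval_script_task", image, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The git-remote-https connection and the daily backup task are included to show that ordinary developer traffic and normal scheduled tasks do not trigger either rule.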
