DPRK-Related Campaigns with LNK and GitHub C2

2026-04-02 Fortinet

https://www.fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2


FortiGuard Labs observed DPRK-related LNK phishing campaigns targeting users in South Korea and Korean companies through multi-stage PowerShell and VBScript execution on Windows. Earlier variants exposed metadata and GitHub command-and-control details tied to XenoRAT activity, while newer LNK files embed decoding functions and encoded payloads directly in their arguments to reduce obvious indicators. The infection chain drops a matching decoy PDF, checks for virtual machines, debuggers, and forensic tools, writes payloads into randomly named Temp folders, and creates a hidden scheduled task that re-runs the VBScript every 30 minutes. The scripts collect operating system, process, boot-time, IP, and network information, upload logs through the GitHub API, and fetch additional instructions from GitHub repositories controlled by accounts including motoralis. The campaign matters because it combines native Windows tools, phishing themes, GitHub private repositories, and trusted GitHub traffic to maintain persistence and exfiltrate victim data with low visibility.
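A defender-side check derived from the persistence behaviour described above, added here as an example (not code from Fortinet or from the campaign): it parses exported Task Scheduler XML and flags tasks that are hidden, repeat every 30 minutes, and launch a .vbs from a Temp folder. The task definitions, user name, and file paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

# Constructed task definitions (not artefacts from the campaign); names and paths are made up.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2026-04-02T09:00:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B C:\Users\alice\AppData\Local\Temp\k3j9x2\update.vbs</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-04-02T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command>
    <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

def interval_minutes(iso_duration):
    """Convert a Task Scheduler repetition interval such as PT30M into minutes (None if unparsable)."""
    m = DURATION_RE.match(iso_duration or "")
    if not m:
        return None
    hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return hours * 60 + minutes + seconds / 60

def assess_task(task_xml):
    """Score one exported task definition against the persistence pattern and return the indicators."""
    root = ET.fromstring(task_xml)
    hidden = root.findtext("t:Settings/t:Hidden", "", NS).strip().lower() == "true"
    intervals = [interval_minutes(i.text) for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    exe = root.find("t:Actions/t:Exec", NS)
    command = exe.findtext("t:Command", "", NS).strip() if exe is not None else ""
    args = exe.findtext("t:Arguments", "", NS) if exe is not None else ""
    findings = {
        "hidden": hidden,                                  # Settings/Hidden is true
        "repeats_every_30m": 30 in intervals,              # a trigger repeats every PT30M
        "script_host": command.split("\\")[-1].lower() in SCRIPT_HOSTS,
        "vbs_from_temp": bool(TEMP_RE.search(args)) and ".vbs" in args.lower(),
    }
    findings["suspicious"] = all(findings.values())       # every indicator present
    return findings
```

Run it over task XML exported with `schtasks /query /xml` or `Export-ScheduledTask`; any single indicator alone is common in legitimate software, so the verdict requires all four.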

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   af0309aa38d067373c54b2a7774a32f…   2026-04-02   2026-04-08
HASH   f20fde3a9381c22034f7ecd4fef2396…   2026-04-02   2026-04-08
HASH   c0866bb72c7a12a0288f434e16ba14e…   2026-04-02   2026-04-08
HASH   9c3f2bd300ad2ef8584cc48adc47aab…   2026-04-02   2026-04-08
HASH   484a16d779d67c7339125ceac10b9ab…   2026-04-02   2026-04-08
