Fake GitHub Repositories - Delivering SmartLoader and StealC

A large-scale malware campaign has been uncovered involving 109 fake GitHub repositories. Users were tricked into downloading SmartLoader and StealC malware. This poses serious risks for developers and security professionals alike. Immediate protective measures are essential.

Category: Malware & Ransomware · Severity: HIGH

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, hackers created fake GitHub pages to trick people into downloading harmful software.

What Happened

A large-scale malware distribution campaign has been uncovered, involving 109 fake GitHub repositories. These repositories were designed to trick users into downloading two dangerous malware tools: SmartLoader and StealC. The threat actors cloned legitimate open-source projects, making it challenging for users to distinguish between real and fake repositories.

How It Works

The attackers copied real GitHub projects, published them under different accounts, and modified the documentation to include download buttons leading to malicious ZIP files. These ZIP files were cleverly hidden within the repository's folder structure, appearing as ordinary release packages. This deceptive tactic made it easy for unsuspecting users to download harmful software.

Who's Being Targeted

The campaign targets developers, students, and security professionals who commonly use GitHub. Given GitHub's reputation as a trusted platform, the presence of fake repositories alongside legitimate ones adds to the risk of infection.

Signs of Infection

Victims who downloaded the ZIP files would find that a single-line batch script launches a LuaJIT interpreter, which executes an obfuscated Lua script known as SmartLoader. This malware performs anti-debug checks and communicates with a command-and-control server to receive further instructions. Users may not notice anything unusual initially, as the malware hides its console window immediately after execution.

How to Protect Yourself

This campaign highlights the importance of vigilance when downloading software from online platforms, especially those that are widely trusted. To safeguard against this type of malware, users and security teams should take the following steps:

Detection

1. Verify the source of any GitHub project before downloading. Prefer official releases over ZIP files buried in repository folders.
2. Monitor outbound connections to blockchain RPC endpoints like polygon.drpc.org, which may indicate dead drop resolver activity.
3. Watch for batch-launched unsigned executables that reference script files with .txt or .log extensions, particularly from user-writable paths like Downloads or %TEMP%.

Removal

4. Flag multipart POST requests directed at bare IP addresses, especially those with URI paths starting with /api/ or /task/.
5. Enforce application controls to block unsigned interpreters and script launchers from executing outside standard installation directories.
6. Alert on scheduled task creation that points to executables stored under %LOCALAPPDATA%, especially if command-line arguments reference raw.githubusercontent.com.
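The detection items above (2, 3, 4 and 6) expressed as rules over constructed endpoint and network telemetry, so each can be checked against sample events. This is added example code, not from the article or the original reporting; the flat event schema, the `rule_*` function names, the 203.0.113.10 address and the PLACEHOLDER-ORG GitHub path are assumptions made for the example.

```python
import re

EVENTS = [  # constructed sample telemetry, not indicators from the article
    {"type": "process", "signed": False, "parent": "cmd.exe",
     "image": r"C:\Users\dev\Downloads\tool\luajit.exe",
     "cmdline": r"luajit.exe C:\Users\dev\Downloads\tool\data\core.txt"},
    {"type": "process", "signed": True, "parent": "cmd.exe",
     "image": r"C:\Program Files\Git\usr\bin\bash.exe", "cmdline": "bash.exe build.sh"},
    {"type": "schtask", "image": r"C:\Users\dev\AppData\Local\Svc\run.exe",
     "cmdline": "run.exe https://raw.githubusercontent.com/PLACEHOLDER-ORG/x/main/t.txt"},
    {"type": "network", "dest": "polygon.drpc.org", "method": "POST",
     "uri": "/", "content_type": "application/json"},
    {"type": "network", "dest": "203.0.113.10", "method": "POST",
     "uri": "/api/upload", "content_type": "multipart/form-data; boundary=x"},
    {"type": "network", "dest": "api.github.com", "method": "GET",
     "uri": "/repos", "content_type": ""},
]

USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.I)  # Downloads or %TEMP%
LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.I)                      # %LOCALAPPDATA%
SCRIPT_AS_DATA = re.compile(r"\.(txt|log)(\s|$)", re.I)  # script passed under a data-file extension
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RPC_RESOLVERS = {"polygon.drpc.org"}  # dead-drop resolver endpoint named in item 2

def rule_batch_launched_interpreter(e):  # item 3
    return (e["type"] == "process" and not e["signed"] and e["parent"].lower() == "cmd.exe"
            and bool(USER_WRITABLE.search(e["image"])) and bool(SCRIPT_AS_DATA.search(e["cmdline"])))

def rule_rpc_dead_drop(e):  # item 2
    return e["type"] == "network" and e["dest"].lower() in RPC_RESOLVERS

def rule_multipart_post_bare_ip(e):  # item 4
    return (e["type"] == "network" and e["method"] == "POST" and bool(BARE_IP.match(e["dest"]))
            and e["content_type"].lower().startswith("multipart/")
            and e["uri"].startswith(("/api/", "/task/")))

def rule_schtask_localappdata_github(e):  # item 6
    return (e["type"] == "schtask" and bool(LOCALAPPDATA.search(e["image"]))
            and "raw.githubusercontent.com" in e["cmdline"].lower())

RULES = (rule_batch_launched_interpreter, rule_rpc_dead_drop,
         rule_multipart_post_bare_ip, rule_schtask_localappdata_github)

def classify(event):
    """Names of every rule the event trips; an empty list means nothing matched."""
    return [r.__name__ for r in RULES if r(event)]

def scan(events):
    """Index -> tripped rules for each event that matched at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Running `scan(EVENTS)` flags the unsigned LuaJIT launch, the scheduled task under %LOCALAPPDATA%, the RPC resolver contact and the multipart POST to a bare IP, while the signed bash launch and the GitHub API call produce no hits.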

🔒 Pro Insight

The use of cloned GitHub repositories for malware distribution underscores the need for enhanced verification processes in open-source software.
