GitHub Cheats Downloaders Face Unpleasant Surprise

Security researchers from Trend Micro have identified a new method used by cybercriminals to spread malicious software through fake GitHub repositories. These repositories are disguised as gaming cheats, hacked programs, and utilities, but actually distribute a loader called Smartloader, which then loads Lumma Stealer and other threats.

The criminals behind this scheme use generative AI to create believable repositories with descriptions that resemble legitimate projects. Inside the ZIP archives are obfuscated scripts written in Lua, which launch the malicious programs once the archive is unpacked and run.

Once the device is infected, Lumma Stealer is deployed to steal cryptocurrency wallets, 2FA codes, account data, and personal information, putting victims at risk of financial losses. Previously, attackers would upload individual malicious files to GitHub, but now they create entire fake repositories to make detection more challenging.

Some of the files found in the infected archives include lua51.dll, luajit.exe, userdata.txt, and launcher.bat, which are used to execute the malicious scripts. After execution, Smartloader downloads the “Search.exe” file, triggering Lumma Stealer to connect the infected device to the C2 server “Pasteflawwed[.]World” for data exfiltration.

By leveraging the trust associated with GitHub, cybercriminals are able to effectively distribute malicious software, with the use of AI helping them automate the creation of fake repositories.

To safeguard against this new threat, security researchers recommend taking the following precautions:
– Only download from official sources and avoid suspicious repositories.
– Verify the authenticity of repositories by analyzing changes, author activity, and documentation structure.
– Utilize antivirus solutions to detect and block threats.
– Scan downloaded files before opening them.
– Implement network security measures to block access to known malicious repositories.
– Monitor network activity for any suspicious connections.
– Restrict the execution of unauthorized scripts and programs.
– Provide training to employees on the risks associated with social engineering.
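The two points above that lend themselves to automation are scanning downloaded archives before opening them and monitoring network activity for the known C2 contact. The script below is an added illustration, not code from Trend Micro's report or from this article: it checks a ZIP listing for the file cluster the article names (lua51.dll, luajit.exe, userdata.txt, launcher.bat) and matches proxy log lines against the defanged C2 domain quoted above. The in-memory archives, the log lines and their "host=" field format are constructed for the example; LuaJIT binaries also ship with legitimate software, so an archive hit is a triage signal for review rather than proof of infection.

```python
import io
import re
import zipfile

# File names the article reports inside the malicious archives.
LOADER_FILES = {"lua51.dll", "luajit.exe", "userdata.txt", "launcher.bat"}

# C2 domain exactly as the article defangs it; refanged only when matching logs.
C2_DOMAINS_DEFANGED = ["Pasteflawwed [.] World"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example [.] com' into a matchable host name."""
    return indicator.replace(" ", "").replace("[.]", ".").lower()


def suspicious_archive_members(member_names):
    """Return the known loader file names present in a member list.

    Matching is case-insensitive and ignores sub-directories, since the
    repositories nest the payload under a project-looking folder.
    """
    basenames = {name.rsplit("/", 1)[-1].lower() for name in member_names}
    return LOADER_FILES & basenames


def archive_risk(zip_bytes: bytes) -> str:
    """Classify an archive as 'high', 'medium' or 'low' risk from its member list alone.

    The runtime plus a .bat launcher is the combination the article describes,
    so that pairing is rated high; any single indicator file is rated medium.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        hits = suspicious_archive_members(zf.namelist())
    if {"luajit.exe", "launcher.bat"} <= hits:
        return "high"
    if hits:
        return "medium"
    return "low"


# Assumed log layout: key=value fields, with the contacted host in "host=".
HOST_RE = re.compile(r"\bhost=(\S+)")


def flag_c2_connections(log_lines, defanged_domains=C2_DOMAINS_DEFANGED):
    """Return log lines whose host is a known C2 domain or one of its subdomains."""
    domains = [refang(d) for d in defanged_domains]
    flagged = []
    for line in log_lines:
        match = HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1).lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in domains):
            flagged.append(line)
    return flagged


def build_sample_archive(names) -> bytes:
    """Constructed sample: an in-memory ZIP containing empty members with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples for the demonstration; not real files or real traffic.
MALICIOUS_ZIP = build_sample_archive(
    ["cheat/lua51.dll", "cheat/luajit.exe", "cheat/userdata.txt", "cheat/launcher.bat"]
)
BENIGN_ZIP = build_sample_archive(["tool/README.md", "tool/tool.exe"])

SAMPLE_PROXY_LOG = [
    "2025-03-01T10:00:01Z src=10.0.0.5 host=github.com status=200",
    "2025-03-01T10:00:07Z src=10.0.0.5 host=pasteflawwed.world status=200",
    "2025-03-01T10:00:09Z src=10.0.0.5 host=cdn.pasteflawwed.world status=200",
    "2025-03-01T10:01:00Z src=10.0.0.6 host=example.org status=404",
]

if __name__ == "__main__":
    print("malicious archive:", archive_risk(MALICIOUS_ZIP))  # high
    print("benign archive:", archive_risk(BENIGN_ZIP))  # low
    for line in flag_c2_connections(SAMPLE_PROXY_LOG):
        print("C2 contact:", line)
```

The archive check deliberately looks only at member names, so it can run on a download before anything is extracted; pairing it with a sandbox or antivirus scan covers the case where the loader is renamed. The log matcher keys on the host field rather than on a substring so that a domain that merely contains the C2 name does not produce a false alert, while subdomains of the C2 domain still match.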

With cybercriminals constantly evolving their tactics, taking a proactive approach to
