EXECUTIVE SUMMARY
A malware distribution campaign is being run by a single threat actor or a tightly controlled cluster, targeting users of open source GitHub repositories to deliver a LuaJIT-based loader and a follow-on stealer. The campaign has been active for at least seven weeks, with new repositories appearing as recently as April 12. The actor clones legitimate projects, republishes them under different accounts, and edits the README to insert download buttons that point to ZIP files staged inside the repository tree itself. These ZIP files contain a LuaJIT-based SmartLoader stage that resolves its active C2 address by reading a Polygon smart contract, so the operator can rotate infrastructure without rebuilding the loader or updating every staged sample.
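The lure described above is a README whose download button links to an archive committed to the repository tree rather than to a release page. The following is an added example, not code from the original page or from the referenced reports, that scans a README for Markdown badge buttons, plain links and HTML anchors pointing at archives, then classifies each link as in-tree (the archive really exists in the repository), not-in-tree, missing, or external. The README text, the file listing and the example-org/footool repository slug are constructed for illustration; a real check would feed it the README and the output of a file listing of the cloned repository.

```python
"""Flag README download links that point at archives stored inside the
repository tree, the lure pattern the campaign summary above describes.

Added example, not code from the original page or the referenced reports.
The README, the file listing and the example-org/footool slug are constructed.
"""
import re
from urllib.parse import urlparse

# [![badge](img)](href) buttons and ordinary [text](href) links
MD_LINK = re.compile(r"\[(!\[[^\]]*\]\([^)]*\)|[^\]]*)\]\(([^)\s]+)\)")
# <a href="..."> anchors, which GitHub renders inside README.md
HTML_HREF = re.compile(r"<a\s+[^>]*href=[\"']([^\"']+)[\"']", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z")

# Constructed README: one badge button and one HTML anchor both point at
# archives committed to the repository; one link points at an external host.
SAMPLE_README = """# FooTool
[![Download](https://img.shields.io/badge/Download-ZIP-blue)](https://github.com/example-org/footool/raw/main/docs/assets/FooTool_v2.zip)
See [docs](docs/README.md) and the [upstream release](https://example.com/footool.zip).
<a href="./build/release/setup.zip">Direct download</a>
"""
# Constructed file listing of the cloned repository (e.g. `git ls-files`).
SAMPLE_TREE = {"docs/assets/FooTool_v2.zip", "build/release/setup.zip",
               "docs/README.md", "src/main.c"}


def _is_archive(href):
    return urlparse(href).path.lower().endswith(ARCHIVE_EXT)


def _repo_path_from_url(href, repo_slug):
    """In-repo path for a github.com raw/blob URL or a raw.githubusercontent.com
    URL of this repository; None for anything else."""
    u = urlparse(href)
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 4 or "/".join(parts[:2]).lower() != repo_slug.lower():
        return None
    if u.netloc == "github.com" and parts[2] in ("raw", "blob") and len(parts) >= 5:
        return "/".join(parts[4:])          # skip owner/repo/raw|blob/branch
    if u.netloc == "raw.githubusercontent.com":
        return "/".join(parts[3:])          # skip owner/repo/branch
    return None


def _links(readme):
    """Yield (href, is_button) for every Markdown link and HTML anchor."""
    for m in MD_LINK.finditer(readme):
        yield m.group(2), m.group(1).startswith("![")
    for m in HTML_HREF.finditer(readme):
        yield m.group(1), False


def find_archive_lures(readme, repo_files, repo_slug):
    """Return one finding per archive link: where it points and whether it is
    dressed up as a download button (badge image wrapped in a link)."""
    findings = []
    for href, is_button in _links(readme):
        if not _is_archive(href):
            continue
        if urlparse(href).scheme:
            path = _repo_path_from_url(href, repo_slug)
            if path is None:
                location = "external"
            elif path in repo_files:
                location = "in-tree"
            else:
                location = "not-in-tree"
        else:
            # Relative link: resolve against the repository root.
            path = re.sub(r"^(\./)+", "", href).split("#")[0].split("?")[0]
            location = "in-tree" if path in repo_files else "missing"
        findings.append({"href": href, "path": path,
                         "location": location, "button": is_button})
    return findings


if __name__ == "__main__":
    for f in find_archive_lures(SAMPLE_README, SAMPLE_TREE, "example-org/footool"):
        print(f["location"], "button" if f["button"] else "link", f["href"])
```

An in-tree archive behind a badge button is the strongest signal; a legitimate project publishes binaries through Releases or a package registry, not as a ZIP committed next to the source. External archive links are worth a look but are not by themselves the pattern this campaign uses.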
The infection chain is simple and effective: the victim extracts the ZIP and launches a batch file, which starts a LuaJIT interpreter with an obfuscated Lua script as its argument. The SmartLoader stage hides its execution, performs a native anti-debug check, resolves its C2, downloads a second Lua stage from GitHub, captures a screenshot, fingerprints the host, and exfiltrates the collected data to bare-IP C2 servers via multipart POST; the server replies with encrypted follow-on instructions and tasking. SmartLoader also carries the structures and execution primitives needed to decrypt and load PE payloads directly in memory.
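The chain above leaves three telemetry artefacts a detection engineer can key on: cmd.exe running a batch file from an extracted archive and spawning a Lua interpreter on a .lua file, a scheduled task created from that process tree, and a multipart POST whose destination is an IP literal rather than a hostname. The following is an added example, not code from the original page or the referenced reports, that runs those three rules over constructed Sysmon-like process-creation and network events and raises the severity of the task and network hits when they can be tied to a flagged interpreter. The paths, PIDs and the 203.0.113.10 address are hypothetical, and matching the interpreter by file name is an assumption: a renamed luajit.exe would need the argument and path conditions to carry the rule on their own.

```python
"""Hunt for the batch -> LuaJIT -> scheduled task / bare-IP POST chain in
process and network telemetry.

Added example, not code from the original page or the referenced reports.
EVENTS is constructed Sysmon-like telemetry; paths, PIDs and the
203.0.113.10 destination are hypothetical. Matching the interpreter by
file name (LUA_INTERPRETERS) is an assumption; a renamed binary is not caught
by that condition alone.
"""
import ipaddress
import re

USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
LUA_INTERPRETERS = {"luajit.exe", "lua.exe", "lua51.exe", "lua5.1.exe"}
LUA_ARG = re.compile(r"\.lua\b", re.I)

# Constructed telemetry: a batch file from an extracted ZIP starts LuaJIT on a
# .lua script; that process registers a scheduled task and POSTs to a bare IP.
# The last event is an unrelated benign process.
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\FooTool_v2\run.bat"'},
    {"type": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\FooTool_v2\bin\luajit.exe",
     "cmdline": r'luajit.exe "C:\Users\alice\Downloads\FooTool_v2\bin\core.lua"'},
    {"type": "process", "pid": 4201, "ppid": 4188,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn Updater '
                r'/tr "C:\Users\alice\Downloads\FooTool_v2\run.bat"'},
    {"type": "network", "pid": 4188, "dst": "203.0.113.10", "port": 80,
     "method": "POST", "content_type": "multipart/form-data; boundary=x"},
    {"type": "process", "pid": 5000, "ppid": 800,
     "image": r"C:\Program Files\Git\usr\bin\sh.exe", "cmdline": "sh.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_ip_literal(host):
    """True when the destination is written as an address, not a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _ancestors(pid, procs):
    """pid followed by its parents, as far as the telemetry records them."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts, lua_pids = [], set()

    # Rule 1: cmd.exe running a .bat spawns a Lua interpreter on a .lua file,
    # with the interpreter itself living in a user-writable directory.
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (_basename(e["image"]) in LUA_INTERPRETERS
                and LUA_ARG.search(e["cmdline"])
                and USER_WRITABLE.search(e["image"])
                and parent is not None
                and _basename(parent["image"]) == "cmd.exe"
                and ".bat" in parent["cmdline"].lower()):
            lua_pids.add(e["pid"])
            alerts.append({"rule": "lua_from_batch", "pid": e["pid"], "severity": "high"})

    def from_chain(pid):
        return any(p in lua_pids for p in _ancestors(pid, procs))

    # Rule 2: schtasks /create from the flagged tree, or pointing at a
    # user-writable path (persistence for the loader).
    for e in procs.values():
        if _basename(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower():
            if from_chain(e["pid"]):
                sev = "high"
            elif USER_WRITABLE.search(e["cmdline"]):
                sev = "medium"
            else:
                continue
            alerts.append({"rule": "schtasks_create", "pid": e["pid"], "severity": sev})

    # Rule 3: multipart POST to an IP literal rather than a hostname.
    for e in events:
        if (e["type"] == "network" and e["method"].upper() == "POST"
                and _is_ip_literal(e["dst"])
                and e["content_type"].lower().startswith("multipart/form-data")):
            sev = "high" if from_chain(e["pid"]) else "medium"
            alerts.append({"rule": "multipart_post_bare_ip", "pid": e["pid"], "severity": sev})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"], a["rule"], "pid", a["pid"])
```

Rule 3 on its own is noisy in environments with internal services addressed by IP, which is why it only reaches high severity when the posting process descends from a flagged interpreter; the same lineage join is what turns a routine schtasks /create into a confident hit. Because the loader resolves its C2 from a smart contract, blocking the observed IPs is short-lived; the process-lineage rules survive infrastructure rotation.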
The staged malware is a Prometheus-obfuscated Lua script run by LuaJIT; it uses the LuaJIT FFI to call native Windows APIs directly in order to hide execution, fingerprint the host, capture screenshots, and run follow-on content in memory. The actor maintains persistence and control through scheduled tasks combined with C2 tasking. The campaign blends in because each repository is a clone of a legitimate project whose code is left intact; only the README and the staged ZIP are added, so a casual look at the repository raises no suspicion. Organisations should treat a README download button that points at an archive inside the repository tree as a red flag, check a repository's provenance (original author, fork history, publishing account) before running anything from it, and configure endpoint protection to flag a batch file launching a Lua interpreter from a user-writable directory and multipart POSTs to bare-IP hosts. Patching, monitoring, and backups remain the baseline controls for preventing and responding to this class of threat.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1598 | Phishing for Information |
| Resource Development | T1583 | Acquire Infrastructure |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1112 | Modify Registry |
| Collection | T1005 | Data from Local System |
| Command and Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
REFERENCES:
The source reports contain further technical details:
https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/
https://cybersecuritynews.com/109-fake-github-repositories-used/