Cybersecurity researchers have uncovered a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.
“The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.
The “broad and sustained” campaign, first observed last month, set up repositories offering seemingly innocuous penetration testing utilities, such as SMTP email bomber and Sakura-RAT, but harbored within their Visual Studio project configuration files malicious payloads that are designed to siphon sensitive data.
Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with “developer-oriented info stealers that blur the line between red team tooling and active malware distribution.”
“Upon execution, the malicious payloads initiated complex multistage infection chains using obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”
The attacks are also characterized by the use of anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain a long-term foothold on the affected hosts. Also employed are PowerShell scripts to weaken host defenses and inhibit system recovery.
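Because the campaign hides its payloads inside Visual Studio project configuration files, one defender-side check is to scan .csproj/.vcxproj files for build events that launch a script host or a hidden, encoded PowerShell command. The Python below is an example added here, not code from the Trend Micro report; the indicator list, the constructed sample project and the assumption that the payload sits in a build event are mine.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose text is run as a command line during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}

# Heuristic indicators of a build step that launches a script host, a downloader, or
# a hidden/encoded PowerShell command. Assumption: illustrative, not Trend Micro's IoCs.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cscript|wscript|mshta|certutil|bitsadmin|curl|wget|rundll32"
    r"|-encodedcommand|-enc\b|downloadstring|frombase64string|-windowstyle\s+hidden)",
    re.IGNORECASE,
)

def strip_ns(tag):
    """Return the local element name without the MSBuild XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def find_suspicious_build_events(project_xml):
    """Return (element_name, command_line, matched_indicators) for each build step
    in an MSBuild project (.csproj/.vcxproj text) that matches a suspicious pattern."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        name = strip_ns(elem.tag)
        if name == "Exec":                       # <Exec Command="..."/> inside a target
            command = (elem.get("Command") or "").strip()
        elif name in BUILD_EVENT_TAGS:
            command = (elem.text or "").strip()
        else:
            continue
        if not command:
            continue
        hits = sorted({m.lower() for m in SUSPICIOUS.findall(command)})
        if hits:
            findings.append((name, command, hits))
    return findings

# Constructed sample (not a real Water Curse artifact): a classic .csproj whose
# pre-build step runs a hidden PowerShell command with a placeholder encoded payload.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>powershell -WindowStyle Hidden -enc PLACEHOLDER_BASE64==</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

FINDINGS = find_suspicious_build_events(SAMPLE_CSPROJ)  # flags only the PreBuildEvent
```

Run it over every project file in a cloned repository before opening the solution; a hit is a reason to inspect the build step by hand, not proof of malice, since legitimate projects also shell out during builds.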
Water Curse has been described as a financially motivated threat actor that is driven by credential theft, session hijacking, and resale of illicit access. As many as 76 GitHub accounts have been linked to the campaign. There’s evidence to suggest related activity may have been ongoing all the way back to March 2023.
Leveraging GitHub as a malware distribution point is a tactic that has been adopted by several threat actors in the past. But the use of a network of GitHub accounts to create malicious repositories significantly overlaps with another distribution-as-a-service (DaaS) offering referred to as the Stargazers Ghost Network.
When reached for comment, Check Point Research told The Hacker News that it can “neither deny nor confirm” if these activities are part of the Stargazers Ghost Network given the limited information available. “However, we have observed that the
The emergence of Water Curse is the latest example of how threat actors are abusing the trust associated with legitimate platforms like GitHub as a delivery channel for malware and to stage software supply chain attacks.
“Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers,” Trend Micro said. “This reflects a multi-vertical targeting strategy that blends cybercrime with opportunistic monetization.”
“Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.”
The disclosure comes as several campaigns have been observed leveraging the prevalent ClickFix technique to deploy various malware families such as AsyncRAT, DeerStealer (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl, and SectopRAT (also via Hijack Loader).
AsyncRAT is among the readily available remote access trojans (RATs) that has been put to use by unidentified threat actors to indiscriminately target thousands of organizations spanning multiple sectors since early 2024. Some aspects of the campaign were documented by Forcepoint in August 2024 and January 2025.
“This tradecraft enables the malware to bypass traditional perimeter defenses, particularly by using Cloudflare’s temporary tunnels to serve payloads from seemingly legitimate infrastructure,” Halcyon said. “These tunnels provide attackers with ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making it difficult to pre-block or blacklist.”
“Because the infrastructure is spun up dynamically via legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic allows threat actors to deliver payloads without relying on compromised servers or bulletproof hosting, increasing both the scale and stealth of the campaign.”
The findings also follow the discovery of an ongoing malicious campaign that has targeted various European organizations located in Spain, Portugal, Italy, France, Belgium, and the Netherlands with invoice-themed phishing lures to deliver a malware named Sorillus RAT (aka Ratty RAT).
Earlier campaigns distributing the malware have singled out accounting and tax professionals using income tax return decoys, some of which have leveraged HTML smuggling techniques to conceal the malicious payloads.
The attack chain detailed by Orange Cyberdefense employs similar phishing emails that aim to trick recipients into opening PDF attachments containing a OneDrive link that points to a PDF file directly hosted on the cloud storage service while prompting the user to click an “Open the document” button.
Doing so redirects the victim to a malicious web server that acts as a traffic distribution system (TDS) to evaluate the incoming request and determine whether they should proceed further to the next stage of the infection. If the victim’s machine meets the required criteria, they are displayed a benign PDF while a JAR file is stealthily downloaded to drop and execute Sorillus RAT.
A Java-based RAT that first surfaced in 2019, Sorillus is a cross-platform malware that can harvest sensitive information, download/upload files, take screenshots, record audio, log keystrokes, run arbitrary commands, and even uninstall itself. It also does not help that numerous cracked versions of the trojan are available online.
The attacks are assessed to be part of a broader campaign that has been observed delivering SambaSpy to users in Italy. SambaSpy, per Orange Cyberdefense, belongs to the Sorillus malware family.
“The operation showcases a strategic mix of legitimate services – such as OneDrive, MediaFire, and tunneling platforms like Ngrok and LocaltoNet – to evade detection,” the cybersecurity company said. “The repeated use of Brazilian Portuguese in payloads supports a likely attribution to Brazilian-speaking threat actors.”