The AhnLab SEcurity intelligence Center (ASEC) has uncovered a large-scale malware distribution campaign leveraging GitHub to spread SmartLoader, a loader frequently used to deliver infostealers like Rhadamanthys, Redline, and Lumma Stealer.
According to ASEC, the threat actors are “carefully crafting repositories to appear as legitimate projects” by targeting popular search queries for game cheats, software cracks, and automation tools. Each repository contains a README file and a compressed archive, the latter concealing the malicious payload.
When users search for certain keywords, “the GitHub repository containing the SmartLoader malware is displayed at the top of the search results”, making it easy for unsuspecting victims to find and download.
The README files are “well-written and include an overview of the project, a table of contents, key features, and installation and usage instructions”, creating an illusion of legitimacy. However, following these instructions leads users to download a ZIP file containing four files: two legitimate executables, a malicious batch file, and an obfuscated Lua script.
The attack chain begins when the victim runs Launcher.cmd, which executes the obfuscated Lua script with the bundled, legitimate luajit.exe interpreter. SmartLoader then establishes persistence by copying itself to the %AppData%\ODE3 directory and registering a scheduled task named “SecurityHealthService_ODE3”, a name that resembles the legitimate Windows Security Health Service.
Once active, SmartLoader “sends a screenshot of the infected PC and its system information to the C2 server”, then executes further commands received from the server. All C2 communications are Base64-encoded and obfuscated.
ASEC’s analysis found SmartLoader downloading three payloads from GitHub, including _x64.bin and _x86.bin, both identified as Rhadamanthys infostealer shellcode. This malware injects into processes like rundll32.exe and dllhost.exe to harvest credentials for email, FTP, and online banking services.
AhnLab warns: “SmartLoader is mainly used to download InfoStealer malware, and there have been many cases of it being used to execute other malware such as Rhadamanthys, Redline, and Lumma Stealer.”
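The chain described above (Launcher.cmd starting luajit.exe, the copy to %AppData%\ODE3 plus the SecurityHealthService_ODE3 task, and the injection into rundll32.exe or dllhost.exe) maps directly onto a few host-telemetry hunting rules. The Python below is an added example written for this page, not code from ASEC or AhnLab: it runs three such rules over constructed Sysmon-style process-creation (EventID 1) and CreateRemoteThread (EventID 8) records. The user name, download folder, the script name config.lua and the exact schtasks flags are assumptions; only the task name, the ODE3 directory, luajit.exe and the injection targets come from the report.

```python
"""Hunting rules for the SmartLoader / Rhadamanthys chain (added example).

Not ASEC's or AhnLab's code. The SAMPLE_EVENTS below are constructed in
Sysmon style (EventID 1 = process creation, EventID 8 = CreateRemoteThread);
they were not captured from a real infection, and the user name, paths,
config.lua and schtasks flags are assumptions made for illustration.
"""
import ntpath

ODE3_DIR_FRAGMENT = "\\appdata\\roaming\\ode3\\"   # %AppData%\ODE3 (lower-cased)
TASK_NAME = "securityhealthservice_ode3"           # scheduled task from the report
INJECTION_TARGETS = {"rundll32.exe", "dllhost.exe"}  # Rhadamanthys host processes


def _base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()


def rule_luajit_launcher(ev):
    """luajit.exe started by cmd.exe, i.e. the Launcher.cmd -> luajit.exe step.
    Tightened by requiring Launcher.cmd in the parent command line or a .lua
    argument, so an admin running LuaJIT by hand is less likely to fire it."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "luajit.exe":
        return False
    parent_cmd = (ev.get("ParentCommandLine") or "").lower()
    cmd = (ev.get("CommandLine") or "").lower()
    return _base(ev.get("ParentImage")) == "cmd.exe" and (
        "launcher.cmd" in parent_cmd or ".lua" in cmd)


def rule_ode3_persistence(ev):
    """Either the SecurityHealthService_ODE3 task being registered through
    schtasks.exe, or any process running out of the ODE3 directory."""
    if ev.get("EventID") != 1:
        return False
    cmd = (ev.get("CommandLine") or "").lower()
    image = (ev.get("Image") or "").lower()
    task_created = _base(image) == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd
    runs_from_ode3 = ODE3_DIR_FRAGMENT in image
    return task_created or runs_from_ode3


def rule_shellcode_injection(ev):
    """CreateRemoteThread into rundll32.exe / dllhost.exe from a process that
    does not itself live under C:\\Windows, matching the injection step."""
    if ev.get("EventID") != 8:
        return False
    src = (ev.get("SourceImage") or "").lower()
    return _base(ev.get("TargetImage")) in INJECTION_TARGETS and not src.startswith("c:\\windows\\")


RULES = {
    "luajit_launcher": rule_luajit_launcher,
    "ode3_persistence": rule_ode3_persistence,
    "shellcode_injection": rule_shellcode_injection,
}


def hunt(events):
    """Return (event_index, rule_name) pairs for every rule that matches."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry (not real captures); see the module docstring.
SAMPLE_EVENTS = [
    # 0: benign, explorer launching notepad
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # 1: Launcher.cmd runs the bundled luajit.exe against the obfuscated script
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\cheat-tool\luajit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\cheat-tool\Launcher.cmd"',
     "CommandLine": r'luajit.exe "C:\Users\alice\Downloads\cheat-tool\config.lua"'},
    # 2: persistence task (flags are assumed; only the task name is from the report)
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\Downloads\cheat-tool\luajit.exe",
     "CommandLine": r'schtasks.exe /create /tn SecurityHealthService_ODE3 /tr "C:\Users\alice\AppData\Roaming\ODE3\luajit.exe"'},
    # 3: the copied loader running from %AppData%\ODE3 after a reboot
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\ODE3\luajit.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "luajit.exe"},
    # 4: benign scheduled task with an unrelated name
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /create /tn NightlyBackup /tr C:\Tools\backup.exe"},
    # 5: remote thread into rundll32.exe from the loader: shellcode injection
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Roaming\ODE3\luajit.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
    # 6: benign remote thread from a Windows component into dllhost.exe
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\dllhost.exe"},
]

if __name__ == "__main__":
    for index, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

Run it directly to list the hits (events 1, 2, 3 and 5 above; the benign records do not fire). The same predicates translate straight into a SIEM query, and the ODE3 directory and task-name checks are the cheapest retroactive sweep across a fleet. The persistence rule keys on the schtasks.exe command line; if a loader registers its task through the Task Scheduler COM API instead, look for the same task name in Security event 4698 (a scheduled task was created) or the Microsoft-Windows-TaskScheduler operational log.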