Massive GitHub Malware Campaign Targets Gamers and Software Pirates with Redox Stealer

A newly uncovered malware distribution campaign is exploiting GitHub repositories to spread Redox Stealer, a malicious information-stealing malware. The campaign, which targets gamers, software pirates, and modding enthusiasts, involves the creation of thousands of GitHub repositories hosting fake mods, game cheats, and cracked software. According to cybersecurity researcher Tim, these repositories are designed to trick users into downloading malware that steals sensitive data, including crypto wallet private keys, banking credentials, and gaming accounts.

Cybercriminals create and distribute thousands of fake GitHub repositories, masquerading as legitimate Roblox, Fortnite, FL Studio, and Photoshop mods or cracks. Once downloaded and executed, the malware silently exfiltrates data to a Discord server, where stolen credentials are harvested by threat actors.

“People create thousands of GitHub repositories with all sorts of things—from Roblox and Fortnite mods to ‘cracked’ FL Studio and Photoshop,” the researcher writes.

To increase visibility, attackers leverage SEO poisoning techniques and strategically manipulate GitHub topics and metadata to rank higher in search results, making it easier for unsuspecting users to find and download the malicious files.

Once a user downloads and runs the infected software, Redox Stealer activates and begins silently collecting sensitive data, including:

• Stored passwords and session cookies from web browsers.
• Banking credentials and cryptocurrency wallet data.
• Steam, Riot Games, and Epic Games accounts.
• Discord authentication tokens for account hijacking.
• Clipboard data, including copied passwords and addresses.

The malware sends all stolen data to a Discord webhook, where attackers manually sift through logs to extract valuable information.

“All the data from your computer is collected and sent to some discord server – where hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts and social media credentials, and even Steam and Riot Games accounts,” the researcher warns.

Tim’s research uncovered over 1,115 repositories following a predefined malicious template, with only 10% raising suspicion through GitHub issue reports. Many of these repositories appear legitimate, featuring fabricated screenshots, fake VirusTotal scan results, and AI-generated README files to avoid detection.

Threat actors automate the creation of repositories, leveraging ChatGPT and other AI tools to slightly modify README texts, ensuring each repository appears unique and evades automated security checks.

The malware payloads are cleverly hidden within RAR and ZIP archives, bypassing GitHub’s automated malware detection. The malicious scripts also obfuscate their code using base64 encoding and dynamic imports, making manual analysis difficult.

“The obfuscated code is a version of Redox Stealer that searches for all valuable things on victims’ computers and silently sends them to some Discord server.”

The attack chain relies on GitHub for malware hosting and Discord for data exfiltration. The stolen data is sent in organized logs, allowing cybercriminals to search for high-value accounts and financial assets.

Despite efforts by security researchers to report these repositories, GitHub’s automated defenses struggle to keep up, as new repositories are continuously uploaded and re-uploaded under different accounts.

Related Posts:

• Hackers make poisoned Final Cut Pro specifically to target Mac users
• Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures
• Lumma Stealer MaaS: Clipboard Hijacking and LOLBins Used in Latest Campaign
• Malicious PyPI Package Targets Discord Developers with Token Theft and Backdoor Exploit