Security researchers have uncovered a massive, year-long cyber campaign orchestrated by a Vietnamese-speaking operator who has turned GitHub into a primary distribution hub for sophisticated information stealers. The operation, which has been active since March 2025, utilizes a complex multi-stage loader chain and blockchain technology to maintain persistent control over infected hosts.
The campaign is notable for its scale, with “600+ unique malicious ZIP archives confirmed across 47+ GitHub accounts”. As of early March 2026, at least 25 of these accounts remain active and continue to distribute payloads.
The attacker relies on high-intent social engineering lures to find victims. Malicious repositories on GitHub are meticulously designed to “impersonate cracked browser extensions for SaaS tools, gaming cheats, developer utilities, and adult content”.
Each repository contains a ZIP archive that, when extracted, initiates a “LuaJIT loader chain”. ESET researchers tracking the campaign have identified “16 distinct obfuscator generations across the campaign,” ranging from Lua/Agent.Z to Lua/Agent.BT, highlighting the operator’s rapid technical evolution.
In a move to outpace traditional network defenders, the loader does not hardcode its Command-and-Control (C2) address. Instead, it uses the Polygon Mainnet as a decentralized “phonebook”.
The malware “resolves its C2 by calling a getter function on a Polygon Mainnet smart contract”. By updating the stored IP through on-chain transactions, the operator can rotate infrastructure instantly. As the researchers note, “changing infrastructure does not require updating any deployed binary,” which makes the botnet highly resilient to takedowns of its C2 hosts: the contract, not the binary, holds the current address.
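For analysts reconstructing this lookup from captured traffic, the following is an added example (not code from ESET or from the page): it parses a JSON-RPC eth_call request/response pair as a proxy might log it, decodes the ABI-encoded string the contract returns, and checks whether that string is an IP:port endpoint, which is the tell that a blockchain read is being used as a C2 phonebook. The contract address, function selector, string return type and the sample messages are all constructed assumptions.

```python
import ipaddress
import json

# Constructed sample contract address and function selector (not from the campaign).
SAMPLE_CONTRACT = "0x" + "ab" * 20
SAMPLE_SELECTOR = "0x11223344"


def abi_encode_string(value: str) -> str:
    """Encode a Solidity `string` return value the way a node returns it (used to build the sample)."""
    raw = value.encode()
    head = (32).to_bytes(32, "big")            # offset of the dynamic data
    length = len(raw).to_bytes(32, "big")      # byte length of the string
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return "0x" + (head + length + padded).hex()


# Constructed log entries: the loader's eth_call and the node's reply (shape is an assumption).
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": SAMPLE_CONTRACT, "data": SAMPLE_SELECTOR}, "latest"],
})
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1, "result": abi_encode_string("203.0.113.10:443"),
})


def abi_decode_string(hex_result: str) -> str:
    """Decode a single ABI-encoded `string` return value: offset word, length word, then data."""
    data = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


def parse_endpoint(value: str):
    """Return (ip, port) if the decoded value is a plain IPv4/IPv6 endpoint, else None."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return str(ipaddress.ip_address(host.strip("[]"))), int(port)
    except ValueError:
        return None


def analyze_c2_lookup(request_json: str, response_json: str):
    """Correlate an eth_call with its reply; flag it when the contract hands back a network endpoint."""
    req, resp = json.loads(request_json), json.loads(response_json)
    if req.get("method") != "eth_call" or "result" not in resp:
        return None
    call = req["params"][0]
    resolved = abi_decode_string(resp["result"])
    return {"contract": call["to"].lower(), "selector": call["data"][:10].lower(),
            "resolved": resolved, "endpoint": parse_endpoint(resolved)}
```

A non-empty `endpoint` on a host that has no business reading smart contracts is the hunting signal; the decoded value can then be blocked or watched without waiting for the operator to rotate it.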
Once the C2 connection is established, the loader fetches a final payload from “dead drop” repositories on GitHub. The payload is unwrapped through a “four-layer chain (hex, XOR, base64url, AES-ECB)” of decoding and decryption before revealing itself as the StealC information stealer.
StealC Capabilities Observed:
- Credential Harvesting: Steals saved passwords and auto-fill data from browsers.
- Session Hijacking: Collects cookies and authentication tokens to bypass Multi-Factor Authentication (MFA).
- Reconnaissance: Gathers detailed system information and targets specific file paths for data exfiltration.
- Payload Delivery: Optionally downloads additional malicious modules via PowerShell or msiexec.
The campaign’s infrastructure is heavily concentrated on bulletproof hosting providers. Researchers found that “ASN 207957 (Serv.host Group Ltd) accounts for 37 of the 48 loader IPs and both stealer IPs”.
While the operation was first detected by URLhaus in January 2026, forensic evidence suggests it had already been running for roughly 10 months undetected. The use of Vietnamese-language artifacts and specific naming conventions in the GitHub repositories points toward a “Vietnamese-speaking operator” as the primary architect behind this global theft ring.
Users are advised to exercise extreme caution when downloading “cracked” software or extensions from GitHub, as even legitimate-looking repositories can be part of this vast, automated infection engine.