In a sweeping campaign that blends social engineering with software subversion, a newly identified threat actor dubbed Water Curse has been caught using GitHub to distribute malicious open-source projects laced with multi-stage malware. Trend Micro's latest threat intelligence report warns that this operation, which has already weaponized at least 76 GitHub accounts, is actively targeting developers, red teamers, and gamers alike.
"Water Curse's campaign poses a supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams relying on open-source tooling," the report cautions.
Water Curse's tactics are alarmingly effective: they publish seemingly legitimate tools, such as email bombers or remote administration utilities, on GitHub, hiding malware in build scripts and project files. Once compiled, these projects unleash a stealthy infection chain powered by obfuscated VBScript and PowerShell.
"These tools… were presented as legitimate penetration testing utilities but were embedded with hidden malicious payloads within their Visual Studio project configuration files."

Infected systems are subjected to privilege escalation, anti-debugging routines, and system reconnaissance. Persistence is ensured through cleverly named scheduled tasks like "BitLocker Encrypt All Drives" that run malware-laced binaries disguised as system files.
The initial infection begins with a simple ZIP download from GitHubβs standard codeload.github.com endpoint. Hidden <PreBuildEvent> tags trigger execution of a batch script during the build process, which in turn unleashes obfuscated PowerShell commands. These retrieve encrypted payloads, often masquerading as Electron apps.
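The build-event abuse described above is something a defender can audit for before compiling an untrusted project. The following is an added example, not code from the report or from any Water Curse repository: it parses a constructed .vcxproj document and flags PreBuildEvent/PostBuildEvent/Exec steps that shell out to an interpreter, use an encoded or hidden PowerShell command, or launch a batch/VBS script. The sample project, the indicator patterns, and the `SQBFAFgA` placeholder are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal .vcxproj whose PreBuildEvent launches a batch
# file and a hidden, encoded PowerShell command (placeholder payload).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c build_helper.bat &amp;&amp; powershell -w hidden -enc SQBFAFgA</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>echo Build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
BUILD_EVENT_TAGS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec")

# Indicators that a build step shells out to an interpreter or hides its intent
# (a constructed, non-exhaustive list; tune for your own code base).
SUSPICIOUS = [
    re.compile(r"powershell|pwsh", re.I),
    re.compile(r"(?:^|\s)-(?:enc|encodedcommand|e)\b", re.I),   # encoded command
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),            # hidden window
    re.compile(r"\.(?:bat|cmd|vbs|ps1)\b", re.I),               # script launch
    re.compile(r"bypass|downloadstring|invoke-expression|\biex\b", re.I),
]

def find_suspicious_build_events(project_xml: str) -> list:
    """Return (tag, command, matched_patterns) for every build event in a
    .csproj/.vcxproj document that matches at least one indicator."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        tag = elem.tag.replace(MSBUILD_NS, "")
        if tag not in BUILD_EVENT_TAGS:
            continue
        # <PreBuildEvent> keeps its script in a <Command> child; <Exec> uses an attribute.
        cmd = elem.get("Command") or "".join(
            (c.text or "") for c in elem if c.tag.replace(MSBUILD_NS, "") == "Command")
        hits = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if hits:
            findings.append((tag, cmd.strip(), hits))
    return findings

if __name__ == "__main__":
    for tag, cmd, hits in find_suspicious_build_events(SAMPLE_VCXPROJ):
        print(f"[!] {tag}: {cmd}\n    indicators: {hits}")
```

Run it over every *.csproj/*.vcxproj in a cloned repository before opening the solution in Visual Studio, since the build event fires as soon as the project is built.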
Once deployed, the malware begins its dirty work:
- Disables Windows Defender and System Restore (disabledefender.ps1)
- Injects code into system binaries like RegAsm.exe
- Establishes persistence using the Windows Task Scheduler
- Collects browser data, session tokens, and credentials
- Exfiltrates stolen data via Telegram and public file hosts like Gofile
"These actions collectively aim to impair recovery mechanisms and increase the persistence and impact of malicious payloads."
The payloads are sophisticated. In one instance, Trend Micro observed malware posing as NVIDIA Control Panel.exe, which executed system fingerprinting, browser data harvesting, and IP profiling.
Water Curse's campaign demonstrates a growing threat vector: the infiltration of software supply chains via the very platforms developers trust most.
"The group's tactics underscore a growing trend of developer-oriented information stealers that blur the line between red team tooling and active malware distribution."
GitHub has become a double-edged sword: it enables innovation, but also serves as a delivery vehicle for malware hidden behind innocuous-looking repositories. The Trend Micro team mapped Water Curse's behavior to multiple MITRE ATT&CK techniques, from T1059 (Command and Scripting Interpreter) to T1102.002 (Web Service: Telegram).
While penetration testers and red teamers are top targets, the scope is broader. Water Curse has also deployed game cheats, cryptocurrency bots, wallet stealers, and spam tools. This multivertical targeting hints at a financially motivated actor with deep technical capabilities and scalable infrastructure.
"Their use of stealth, automation, and public exfiltration channels such as Telegram suggests a scalable and persistent campaign, likely part of a broader service-based cybercrime model."