Fake GitHub Repositories Deliver SmartLoader and StealC Malware
Key Takeaways A widespread malware campaign has been identified, utilizing 109 fake GitHub repositories to distribute SmartLoader and StealC malware. The threat actor cloned legitimate open-source...
Key Takeaways
- A widespread malware campaign has been identified, utilizing 109 fake GitHub repositories to distribute SmartLoader and StealC malware.
- The threat actor cloned legitimate open-source projects, replacing documentation with malicious download links disguised as official releases.
- SmartLoader employs sophisticated evasion techniques, including anti-debug checks, blockchain-based command-and-control (C2) server resolution, and dual-path persistence.
- The campaign, active for at least seven weeks as of April 12, 2026, aims to deliver information-stealing malware to unsuspecting users.
Sophisticated GitHub Phishing Campaign Delivers SmartLoader and StealC Malware
A sophisticated malware distribution operation has been uncovered, leveraging over 100 counterfeit GitHub repositories to trick users into downloading two dangerous malware strains: SmartLoader and StealC. This campaign meticulously replicates authentic open-source projects, making it exceptionally difficult for users to distinguish between legitimate and malicious content.
Table Of Content
The attackers behind this operation cloned genuine GitHub projects, re-published them under new accounts, and altered the original documentation to include download buttons that link to malicious ZIP archives. These ZIP files were strategically embedded deep within the repository’s folder structure, designed to appear as standard release packages. Critically, the original source code of the cloned projects remained largely untouched, lending an air of credibility to the fake repositories upon initial inspection. This tactic ensures that users, trusting a familiar project name or performing a quick code scan, could inadvertently download harmful software.
Campaign Scope and Tactics
Analysts at Hexastrike pinpointed 109 malicious repositories spread across 103 distinct GitHub accounts. The campaign had been active for at least seven weeks prior to their analysis, with new malicious repositories still appearing as recently as April 12, 2026. Researchers observed that the repositories were updated in coordinated batches whenever download links were rotated to new ZIP files. This synchronized behavior strongly suggests centralized control and at least partial automation by a single threat actor or a closely managed group.
Further supporting this assessment, the consistent archive structure, README file layout, staging methodology, and the specific malware families used across all identified repositories pointed to a unified operation.
The broad impact of this campaign extends beyond individual users. Given GitHub’s trusted status among developers, students, and cybersecurity professionals, the presence of fake repositories alongside genuine ones in search results inherently confers a false sense of legitimacy. To further amplify their reach, the threat actors even incorporated irrelevant SEO terms into repository descriptions, aiming to boost visibility and attract a larger pool of potential victims.
Once a system is compromised, data collected from the infected machine is stealthily transmitted to command-and-control servers. The primary malware, SmartLoader, also acts as a dropper for an information stealer known as StealC, which is designed to harvest sensitive data from compromised systems.
How SmartLoader Operates Post-Infection
Upon a victim downloading and extracting the malicious ZIP file, a concise batch script initiates a LuaJIT interpreter. This interpreter then executes SmartLoader, a heavily obfuscated Lua script. From the user’s perspective, no visible activity occurs, as the malware immediately hides its console window using Windows API calls.

SmartLoader then performs an anti-debug check by copying native shellcode into executable memory. This technique is specifically designed to hinder security researchers from analyzing its behavior. To dynamically locate its active C2 server without hardcoding an address, SmartLoader queries a Polygon blockchain smart contract via a JSON-RPC call to polygon.drpc.org. It retrieves the live server IP address from an on-chain value. This innovative method, known as a blockchain dead drop resolver, allows the operator to swiftly change infrastructure by updating a single on-chain entry, eliminating the need to rebuild the malware or modify every staged sample.

After successfully resolving the C2 server, SmartLoader dispatches a multipart POST request containing host fingerprinting details and screenshots to a bare-IP C2 server. The server responds with encrypted instructions and tasks. Persistence is then established through two daily scheduled tasks, named to mimic legitimate system processes such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757.”

One scheduled task executes a locally cached copy of the Lua stage, while the other re-downloads a fresh encrypted stage directly from a separate attacker-controlled GitHub repository. This dual-path persistence mechanism ensures the malware’s survival even if one recovery route is detected or remediated. Furthermore, the same staging repository also hosted an encrypted StealC payload, which SmartLoader is capable of decrypting and loading directly into memory without writing it to disk.
What You Should Do
- Always verify the authenticity of a GitHub project’s source before downloading any archives or installers. Prioritize official releases over ZIP files found nested within repository folders.
- Monitor outbound connections to blockchain RPC endpoints, such as polygon.drpc.org, particularly from non-browser processes, as this behavior is a strong indicator of dead drop resolver activity.
- Be vigilant for unsigned executables launched in batches that reference script files with .txt or .log extensions, especially if they are running from user-writable paths like Downloads or %TEMP%.
- Flag multipart POST requests directed at bare IP addresses, particularly those with URI paths beginning with /api/ or /task/, as these align with SmartLoader’s exfiltration pattern.
- Implement application controls to prevent unsigned interpreters and script launchers from executing outside of standard installation directories.
- Configure alerts for scheduled task creation where the action points to an executable stored under %LOCALAPPDATA%, especially when command-line arguments include raw.githubusercontent.com.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.