Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Home/Threats/Fake GitHub Repositories Deliver SmartLoader and StealC Malware
Threats

Fake GitHub Repositories Deliver SmartLoader and StealC Malware

Key Takeaways A widespread malware campaign has been identified, utilizing 109 fake GitHub repositories to distribute SmartLoader and StealC malware. The threat actor cloned legitimate open-source...

Jennifer sherman
Jennifer sherman
April 22, 2026 4 Min Read
41 0

Key Takeaways

  • A widespread malware campaign has been identified, utilizing 109 fake GitHub repositories to distribute SmartLoader and StealC malware.
  • The threat actor cloned legitimate open-source projects, replacing documentation with malicious download links disguised as official releases.
  • SmartLoader employs sophisticated evasion techniques, including anti-debug checks, blockchain-based command-and-control (C2) server resolution, and dual-path persistence.
  • The campaign, active for at least seven weeks as of April 12, 2026, aims to deliver information-stealing malware to unsuspecting users.

Sophisticated GitHub Phishing Campaign Delivers SmartLoader and StealC Malware

A sophisticated malware distribution operation has been uncovered, leveraging over 100 counterfeit GitHub repositories to trick users into downloading two dangerous malware strains: SmartLoader and StealC. This campaign meticulously replicates authentic open-source projects, making it exceptionally difficult for users to distinguish between legitimate and malicious content.

Table Of Content

  • Key Takeaways
  • Sophisticated GitHub Phishing Campaign Delivers SmartLoader and StealC Malware
  • Campaign Scope and Tactics
  • How SmartLoader Operates Post-Infection
  • What You Should Do

The attackers behind this operation cloned genuine GitHub projects, re-published them under new accounts, and altered the original documentation to include download buttons that link to malicious ZIP archives. These ZIP files were strategically embedded deep within the repository’s folder structure, designed to appear as standard release packages. Critically, the original source code of the cloned projects remained largely untouched, lending an air of credibility to the fake repositories upon initial inspection. This tactic ensures that users, trusting a familiar project name or performing a quick code scan, could inadvertently download harmful software.

Campaign Scope and Tactics

Analysts at Hexastrike pinpointed 109 malicious repositories spread across 103 distinct GitHub accounts. The campaign had been active for at least seven weeks prior to their analysis, with new malicious repositories still appearing as recently as April 12, 2026. Researchers observed that the repositories were updated in coordinated batches whenever download links were rotated to new ZIP files. This synchronized behavior strongly suggests centralized control and at least partial automation by a single threat actor or a closely managed group.

Further supporting this assessment, the consistent archive structure, README file layout, staging methodology, and the specific malware families used across all identified repositories pointed to a unified operation.

The broad impact of this campaign extends beyond individual users. Given GitHub’s trusted status among developers, students, and cybersecurity professionals, the presence of fake repositories alongside genuine ones in search results inherently confers a false sense of legitimacy. To further amplify their reach, the threat actors even incorporated irrelevant SEO terms into repository descriptions, aiming to boost visibility and attract a larger pool of potential victims.

Once a system is compromised, data collected from the infected machine is stealthily transmitted to command-and-control servers. The primary malware, SmartLoader, also acts as a dropper for an information stealer known as StealC, which is designed to harvest sensitive data from compromised systems.

How SmartLoader Operates Post-Infection

Upon a victim downloading and extracting the malicious ZIP file, a concise batch script initiates a LuaJIT interpreter. This interpreter then executes SmartLoader, a heavily obfuscated Lua script. From the user’s perspective, no visible activity occurs, as the malware immediately hides its console window using Windows API calls.

Multiple malicious repositories from a single user account (Source - Hexastrike)
Multiple malicious repositories from a single user account (Source – Hexastrike)

SmartLoader then performs an anti-debug check by copying native shellcode into executable memory. This technique is specifically designed to hinder security researchers from analyzing its behavior. To dynamically locate its active C2 server without hardcoding an address, SmartLoader queries a Polygon blockchain smart contract via a JSON-RPC call to polygon.drpc.org. It retrieves the live server IP address from an on-chain value. This innovative method, known as a blockchain dead drop resolver, allows the operator to swiftly change infrastructure by updating a single on-chain entry, eliminating the need to rebuild the malware or modify every staged sample.

ZIP file placed deeply inside the repository directory structure (Source - Hexastrike)
ZIP file placed deeply inside the repository directory structure (Source – Hexastrike)

After successfully resolving the C2 server, SmartLoader dispatches a multipart POST request containing host fingerprinting details and screenshots to a bare-IP C2 server. The server responds with encrypted instructions and tasks. Persistence is then established through two daily scheduled tasks, named to mimic legitimate system processes such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757.”

SmartLoader (Source - Hexastrike)
SmartLoader (Source – Hexastrike)

One scheduled task executes a locally cached copy of the Lua stage, while the other re-downloads a fresh encrypted stage directly from a separate attacker-controlled GitHub repository. This dual-path persistence mechanism ensures the malware’s survival even if one recovery route is detected or remediated. Furthermore, the same staging repository also hosted an encrypted StealC payload, which SmartLoader is capable of decrypting and loading directly into memory without writing it to disk.

What You Should Do

  • Always verify the authenticity of a GitHub project’s source before downloading any archives or installers. Prioritize official releases over ZIP files found nested within repository folders.
  • Monitor outbound connections to blockchain RPC endpoints, such as polygon.drpc.org, particularly from non-browser processes, as this behavior is a strong indicator of dead drop resolver activity.
  • Be vigilant for unsigned executables launched in batches that reference script files with .txt or .log extensions, especially if they are running from user-writable paths like Downloads or %TEMP%.
  • Flag multipart POST requests directed at bare IP addresses, particularly those with URI paths beginning with /api/ or /task/, as these align with SmartLoader’s exfiltration pattern.
  • Implement application controls to prevent unsigned interpreters and script launchers from executing outside of standard installation directories.
  • Configure alerts for scheduled task creation where the action points to an executable stored under %LOCALAPPDATA%, especially when command-line arguments include raw.githubusercontent.com.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Malicious Google Ads Push Crypto Wallet Drainers and Seed Phrase Theft

Next Post

Checkmarx KICS Docker Image Compromised to Inject Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
FIFA World Cup Hype Used by Hackers to Steal PII and Payment Details
July 6, 2026
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Critical ModSecurity Flaws Let Attackers Bypass Firewall Rules
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us