Massive Malware Campaign Exploits 109 Fake GitHub Repositories to Distribute SmartLoader and StealC
A significant malware distribution campaign has been uncovered, involving 109 counterfeit GitHub repositories designed to deceive users into downloading two potent malware tools: SmartLoader and StealC. This operation meticulously replicated legitimate open-source projects, making it challenging for users to distinguish between authentic and malicious repositories.
Deceptive Tactics Employed
The orchestrators of this campaign cloned genuine GitHub projects, re-uploaded them under different accounts, and altered the original documentation to include download links leading to malicious ZIP files. These harmful files were strategically placed deep within the repository’s folder structure, mimicking standard release packages. By preserving most of the original source code, the counterfeit repositories appeared credible, increasing the likelihood of unsuspecting users downloading the malware.
Hexastrike analysts identified these 109 malicious repositories spread across 103 distinct GitHub accounts. The campaign exhibited signs of activity for at least seven weeks prior to their analysis, with new repositories emerging as recently as April 12, 2026. The repositories were updated in batches, rotating download links to new ZIP files—a pattern indicative of centralized control and partial automation by a single threat actor or a closely coordinated group. Consistent archive layouts, README structures, staging patterns, and the use of the same malware families across all repositories further support this assessment.
Broader Implications
The ramifications of this campaign extend beyond individual users. GitHub’s reputation as a trusted platform among developers, students, and security professionals means that counterfeit repositories appearing alongside legitimate ones in search results carry inherent credibility. The threat actors exploited this trust by incorporating unrelated SEO terms into repository descriptions to enhance visibility and attract a broader range of victims.
Once a system is compromised, SmartLoader exfiltrates the data it collects to command-and-control servers. It then deploys a secondary information stealer named StealC, designed to harvest sensitive data from the infected system.
Mechanism of SmartLoader
Upon downloading and extracting the malicious ZIP file, the victim unknowingly executes a batch script that launches a LuaJIT interpreter. This interpreter runs a heavily obfuscated Lua script known as SmartLoader. To the user, no visible activity occurs, as the malware employs Windows API calls to conceal its console window immediately after execution.
SmartLoader conducts an anti-debug check using native shellcode copied into executable memory—a technique aimed at thwarting security researchers from analyzing its behavior. To identify its active command-and-control server without hardcoding an address, SmartLoader queries a Polygon blockchain smart contract via a JSON-RPC call to polygon.drpc.org, retrieving the live server IP from an on-chain value. This method, known as a blockchain dead drop resolver, allows the operator to update infrastructure by modifying a single on-chain entry rather than rebuilding the malware or altering every staged sample.
After resolving the active server, SmartLoader sends a multipart POST request containing host fingerprinting details and screenshots to the command-and-control server at that IP address.
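As an added illustration of how the chain above can be detected from endpoint telemetry (not code from the report or the malware), this Python snippet correlates process lineage with network events: a Lua interpreter spawned from a batch shell, a JSON-RPC lookup to polygon.drpc.org, and a multipart POST to a bare IP address. The event schema, process names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators from the report: batch file -> LuaJIT, dead-drop lookup, multipart beacon.
LUA_IMAGES = ("luajit.exe", "lua.exe", "lua51.exe")
DEAD_DROP_HOSTS = ("polygon.drpc.org",)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_smartloader_chain(events):
    """Return {pid: [stage, ...]} for Lua interpreter processes whose lineage
    and network activity match at least two stages of the SmartLoader chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            net[e["pid"]].append(e)
    alerts = {}
    for pid, proc in procs.items():
        if _basename(proc["image"]) not in LUA_IMAGES:
            continue
        stages = []
        if _basename(proc.get("parent_image", "")) == "cmd.exe":
            stages.append("lua_interpreter_spawned_by_batch")
        for n in net[pid]:
            host = n["dest_host"].lower()
            multipart = n.get("content_type", "").startswith("multipart/form-data")
            stage = None
            if host in DEAD_DROP_HOSTS:
                stage = "blockchain_dead_drop_lookup"
            elif IPV4_RE.match(host) and n.get("method") == "POST" and multipart:
                stage = "multipart_beacon_to_raw_ip"
            if stage and stage not in stages:
                stages.append(stage)
        if len(stages) >= 2:
            alerts[pid] = stages
    return alerts

# Constructed telemetry (not real logs); 203.0.113.45 is an RFC 5737 test address.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\Downloads\Tool\bin\luajit.exe"},
    {"type": "network", "pid": 4120, "dest_host": "polygon.drpc.org", "method": "POST"},
    {"type": "network", "pid": 4120, "dest_host": "203.0.113.45", "method": "POST",
     "content_type": "multipart/form-data; boundary=x"},
]
```

A Lua interpreter launched from a batch file that only talks to ordinary hosts scores a single stage and is not alerted on, which keeps legitimate LuaJIT-based tools out of the results.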
StealC: The Secondary Threat
Following the initial infection, SmartLoader downloads and executes StealC, an information-stealing malware. StealC is engineered to extract a wide array of sensitive data from compromised systems, including:
– Browser Data: Credentials, cookies, and browsing history from popular browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, and Yandex Browser.
– Cryptocurrency Wallets: Information from over 30 desktop cryptocurrency wallet applications and browser-based wallet extensions, including Exodus, Electrum, Ledger Live, Atomic, and Trezor Suite.
– Messaging Applications: Data from applications like Telegram and Discord, including tokens and message histories.
– System Information: Screenshots, common system files, and user information.
The stolen data is then archived and discreetly uploaded to an attacker-controlled server, enabling the threat actors to exploit the information for financial gain or further malicious activities.
Mitigation and Recommendations
To protect against such sophisticated supply chain attacks, users and organizations are advised to:
1. Verify Repository Authenticity: Before downloading or executing code from a GitHub repository, confirm the legitimacy of the repository and its maintainers.
2. Examine Download Links: Be cautious of repositories that direct users to download files from external links, especially if they are embedded deep within the repository’s structure.
3. Implement Security Tools: Utilize security solutions capable of detecting and blocking malicious scripts and executables.
4. Stay Informed: Keep abreast of emerging threats and tactics employed by cybercriminals to enhance awareness and preparedness.
By adopting these practices, users can reduce the risk of falling victim to such deceptive and harmful campaigns.
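As an added example (not from Hexastrike's report), this Python script audits a repository README for the staging pattern described under Deceptive Tactics and in recommendation 2: archive links hosted off GitHub, served from a different account's repository, or committed several directories deep. The README excerpt, repository names and depth threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".rar", ".7z")          # staged as fake "release packages"
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com")
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")  # markdown [text](url)

def classify_link(url, repo_slug):
    """Map a link to (kind, path): 'external', 'other_repo', 'release',
    'in_repo' (path relative to the repository root) or 'unclassified'."""
    parsed = urlparse(url)
    if not parsed.scheme:                         # relative link inside the repo
        return "in_repo", parsed.path.lstrip("./")
    host = parsed.netloc.lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host not in GITHUB_HOSTS:
        return "external", url
    if len(parts) >= 4 and f"{parts[0]}/{parts[1]}".lower() != repo_slug.lower():
        return "other_repo", parsed.path            # re-uploaded under another account
    if host == "raw.githubusercontent.com" and len(parts) >= 4:
        return "in_repo", "/".join(parts[3:])       # owner/repo/<branch>/<path>
    if len(parts) >= 4 and parts[2] in ("releases", "archive"):
        return "release", parsed.path               # normal release / source archive
    if len(parts) >= 5 and parts[2] in ("raw", "blob"):
        return "in_repo", "/".join(parts[4:])       # owner/repo/raw/<branch>/<path>
    return "unclassified", url

def audit_readme_links(readme, repo_slug, max_depth=1):
    """Flag archive links matching the campaign's staging pattern: hosted off
    GitHub, served from a different repository, or buried deep in the tree."""
    findings = []
    for url in LINK_RE.findall(readme):
        if not url.lower().endswith(ARCHIVE_EXT):
            continue
        kind, path = classify_link(url, repo_slug)
        if kind == "external":
            findings.append((url, "archive hosted outside GitHub"))
        elif kind == "other_repo":
            findings.append((url, "archive served from a different repository"))
        elif kind == "in_repo" and path.count("/") > max_depth:
            findings.append((url, f"archive committed {path.count('/')} directories deep"))
    return findings

# Constructed README excerpt modelled on the report's description (not a real repo).
SAMPLE_README = """# Tool
[Release v2.1](https://github.com/example-org/tool/releases/download/v2.1/tool-v2.1.zip)
[Windows build](https://github.com/mirror-acct/tool/raw/main/src/assets/build/release/Tool.zip)
[Portable build](./docs/img/cache/Tool-portable.zip)
[Source](https://github.com/example-org/tool/archive/refs/heads/main.zip)
"""
```

Running `audit_readme_links(SAMPLE_README, "example-org/tool")` flags the build served from mirror-acct and the archive buried three directories deep, while the normal release and source-archive links pass.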