
Under the Cover of GitHub: How 109 Fake Repositories Targeted Thousands of Users

By xploitzone
April 23, 2026 3:50 PM

GitHub is considered the most trusted place for developers, but now hackers have weaponized that trust: 109 fake repositories, a blockchain-powered C2 and a dangerous combination of SmartLoader and StealC. Learn how this campaign works and how you can protect yourself.

When Trust Becomes a Weapon

GitHub is a hub of the developer world. People download software, install tools and explore new projects without much thought, as there is a general sense of trust in GitHub. But hackers exploited this very trust. A malware campaign emerged that created 109 fake GitHub repositories that appeared real and legitimate.

The sole purpose of these repositories was to trick people into thinking they were real, so that they would download the ZIP and unknowingly open the door to their systems. This campaign did not run for just a day or two but for more than seven weeks, and new accounts kept being created until it was caught.

Web of Fake Repositories

The first step of this campaign was to create perfect copies of legitimate open-source projects. The hackers targeted repositories that were just becoming popular: new projects with growing star counts and active users. These were cloned and republished through different accounts.

But one thing was changed: the README file. Technical information, installation steps and prerequisites were all removed and replaced with huge download buttons and shields.io badges, and every link pointed to a single ZIP file hidden in a deep directory within the repository. From the outside the repository looked completely real; the source code was mostly intact, so users had little reason to be suspicious.

What Was Inside the ZIP File?

When someone downloaded this ZIP they would find only 3 or 4 files inside: a simple batch file, a renamed LuaJIT executable, an optional DLL and an obfuscated Lua script hidden behind a .txt or .log extension.

Image (Source: Hexastrike)

The batch file consisted of just one line, which launched the LuaJIT interpreter with the Lua script. No window appeared on the screen; the process ran completely silently. This simplicity was the crux of the campaign: no complex installer, no warnings, just a ZIP and a single click.

SmartLoader: The Malware That Thinks for Itself

The Lua script contained in this ZIP was SmartLoader, a sophisticated tool that was very difficult to analyze due to Prometheus obfuscation. The script called Windows APIs directly via the LuaJIT FFI (Foreign Function Interface), without any additional tools.

Upon running, SmartLoader first hid its window, then ran an anti-debug check, and then did something that made this malware truly unique: it retrieved the address of its C2 server from a smart contract on the Polygon blockchain.

The hackers' command server was not hardcoded: update it on the blockchain and the malware would find the new address itself. SmartLoader then fingerprints the victim's system, takes a screenshot, sends all the information to the C2 via a POST request and receives encrypted instructions back.

The Power of Blockchain

The most technically advanced aspect of this campaign was the use of the blockchain as a C2 resolver. SmartLoader fetched the live C2 URL from a smart contract on the Polygon network via a specific address and function selector.

This means that the hackers can change their server at any time simply by updating the value stored on the blockchain, without pushing new malware to every infected system and without changing any DNS records.

This is a practical and more resilient approach to C2 management, and it makes single-point takedowns largely worthless: when security teams block an IP, the hacker simply updates the contract and the game continues.

Persistence: Surviving Even After Removal Attempts

Simply stealing data was not enough for this actor. SmartLoader created two separate scheduled tasks that ran daily, each with a different recovery path. The first task ran a locally cached Lua stage copied to %LOCALAPPDATA%; this continued to work even if the GitHub staging repo was deleted.

The second task downloaded a fresh encrypted file from GitHub, decrypted it in memory and ran it, restoring the local file even if it had been deleted. These tasks were deliberately given confusing names such as AudioManager_ODM3 or OfficeClickToRunTask_7d7757 to avoid raising the suspicion of a system administrator.
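An added example (mine, not code from the article or the researchers) of how a defender could triage a scheduled-task export for the persistence pattern described above: tasks launched from user-writable paths, tasks whose program is a script host or interpreter, and names that mimic a system task with a random-looking suffix. The task records are constructed, and the name heuristic is deliberately loose and will need tuning.

```python
import re

# Constructed sample of a scheduled-task export (task name, program, arguments).
# The names and paths are made up for illustration.
SAMPLE_TASKS = [
    {"name": r"\ExampleVendor\Updater",
     "program": r"C:\Program Files\ExampleVendor\updater.exe", "args": "/check"},
    {"name": r"\AudioManager_ODM3",
     "program": r"C:\Users\alice\AppData\Local\AudioManager\audiomgr.exe",
     "args": "-e stage.log"},
    {"name": r"\OfficeClickToRunTask_7d7757",
     "program": r"C:\Windows\System32\cmd.exe",
     "args": r'/c "%LOCALAPPDATA%\Office\refresh.bat"'},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "program": r"C:\Windows\System32\defrag.exe", "args": "-c -h -o"},
]

# Paths a standard user can write to: a task launching from here needs no admin
# rights, and %LOCALAPPDATA% is where the cached Lua stage was dropped.
USER_WRITABLE = re.compile(
    r"(\\AppData\\(Local|Roaming)\\|\\Temp\\|%LOCALAPPDATA%|%APPDATA%|%TEMP%)", re.I)
# Script hosts / interpreters. A renamed LuaJIT binary will not match by name,
# which is why the path check above matters more than this one.
LAUNCHER = re.compile(r"(^|\\)(cmd|wscript|cscript|powershell|luajit|lua)(\.exe)?$", re.I)
# Plausible base name followed by a short random-looking suffix (noisy heuristic).
LOOKALIKE = re.compile(r"^[A-Za-z]+_[0-9A-Za-z]{4,8}$")


def triage_tasks(tasks):
    """Return [(task name, [reasons])] for tasks that deserve a closer look."""
    findings = []
    for t in tasks:
        reasons = []
        cmdline = f'{t["program"]} {t["args"]}'
        if USER_WRITABLE.search(cmdline):
            reasons.append("launches from user-writable path")
        if LAUNCHER.search(t["program"]):
            reasons.append("program is a script host / interpreter")
        if LOOKALIKE.match(t["name"].rsplit("\\", 1)[-1]):
            reasons.append("name mimics a system task with a random suffix")
        if reasons:
            findings.append((t["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_tasks(SAMPLE_TASKS):
        print(name, "->", "; ".join(reasons))
```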

StealC: The Final Payload Strike

SmartLoader did not come alone. The staging repository on GitHub contained an encrypted file that packed StealC, an information-stealing malware. SmartLoader already had the capability to load PE payloads into memory without writing anything to disk.

This means SmartLoader was used as a side door to inject StealC directly into the victim's system. StealC is a known stealer that targets passwords, browser data, crypto wallets and other sensitive information. This final layer of the campaign confirms that the motive was not mere curiosity but serious data theft.

How to Stay Safe: What You Can Do

The most important defence against such attacks is the habit of source verification. Before downloading any tool or software from a GitHub repository, confirm that the account belongs to the real developer, that the stars and activity are organic, and that the download link points to GitHub releases or source code, not to a ZIP hidden within the repository.

On a technical level, unsigned executables and interpreters like LuaJIT running from user-writable paths are suspicious. So are blockchain RPC endpoints like polygon.drpc.org being contacted by non-browser processes, and multipart POST requests to high-profile IP addresses are a strong red flag. Organizations should include egress controls, application whitelisting and scheduled task monitoring in their security baseline.
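An added example (mine, not from the article) that runs the two network red flags just described over constructed proxy telemetry: a non-browser process contacting a blockchain RPC endpoint, and a multipart POST whose destination is a literal IP address rather than a domain name (my reading of the article's IP-address heuristic). Only polygon.drpc.org is taken from the article; the process names, other hosts, paths and the log format are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed telemetry in key=value form: requesting process, HTTP method,
# URL and request content type ("-" when none). Hosts other than
# polygon.drpc.org are made up; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
proc=chrome.exe method=GET url=https://github.com/example/repo ctype=-
proc=luajit.exe method=POST url=https://polygon.drpc.org/ ctype=application/json
proc=luajit.exe method=POST url=http://203.0.113.10/gate ctype=multipart/form-data
proc=msedge.exe method=POST url=https://polygon.drpc.org/ ctype=application/json
proc=outlook.exe method=POST url=https://mail.example.com/sync ctype=multipart/form-data
"""

# Processes for which wallet / dapp traffic to an RPC gateway is expected.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Watchlist for public blockchain RPC gateways. Only polygon.drpc.org comes
# from the article; the generic "rpc" token is an assumption and needs tuning.
RPC_HOST = re.compile(r"polygon|rpc", re.I)


def is_bare_ip(host):
    """True when the request went to a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    return dict(kv.split("=", 1) for kv in line.split())


def triage_log(text):
    """Return [(line number, reason)] for requests that match a red flag."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_line(line)
        host = urlsplit(r["url"]).hostname or ""
        if RPC_HOST.search(host) and r["proc"].lower() not in BROWSERS:
            hits.append((n, f'{r["proc"]} contacts blockchain RPC endpoint {host}'))
        if (r["method"] == "POST" and r["ctype"].startswith("multipart/")
                and is_bare_ip(host)):
            hits.append((n, f'{r["proc"]} multipart POST to bare IP {host}'))
    return hits


if __name__ == "__main__":
    for n, reason in triage_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```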

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
