Executive Summary
- We uncovered a malware distribution campaign built around fake GitHub SmartLoader StealC staging, where cloned open source repositories are used to deliver a LuaJIT-based loader and a follow-on stealer.
- We identified 109 malicious GitHub repositories across 103 accounts that impersonate legitimate projects and redirect users to embedded ZIP files containing a LuaJIT-based SmartLoader stage.
- The campaign appears to be operated by a single threat actor or tightly controlled cluster based on infrastructure overlap, synchronized repository updates, and consistent tooling.
- The staged malware is a Prometheus-obfuscated Lua script executed by LuaJIT. In the samples we analyzed, it uses the Windows FFI to call native APIs directly, hide execution, fingerprint the host, capture screenshots, and execute follow-on content in memory.
- SmartLoader resolves its active C2 through a Polygon smart contract, allowing the operator to rotate infrastructure without rebuilding the loader or updating every staged sample.
- Collected host data is exfiltrated to bare-IP C2 servers via multipart POST. The server then returns encrypted follow-on instructions and tasking.
- Persistence is established through two scheduled tasks with separate recovery paths. One executes a cached local copy. The other re-downloads a fresh Lua stage from GitHub.
- The same GitHub staging repository also hosted an encrypted StealC payload. SmartLoader’s PE parsing and in-memory execution path are consistent with its use as the delivery and reflective loading layer for that follow-on stealer.
- Based on PE compilation timestamps, ZIP metadata, and GitHub commit history, the campaign has been active for at least seven weeks, with new repositories still appearing as of 2026-04-12.
After someone impersonated one of our recent projects, PyrsistenceSniper, on GitHub, we uncovered a broader malware distribution campaign built around cloned open source repositories. The operator copies legitimate projects, republishes them under different accounts, strips the README of its technical content, and replaces it with prominent download buttons. Those buttons point to ZIP files hidden inside the repository tree rather than to GitHub releases or tagged source packages.
The source code is usually left mostly intact. That is what makes the lure work. At a glance, the repository still looks legitimate. The actor changes only the parts that influence user behavior: the README, the repository metadata, and the embedded archive. A user who trusts the project name or skims the source tree can easily be pushed toward a malicious download.
As of 2026-04-12, we identified 109 malicious repositories across 103 GitHub accounts. Based on PE compilation timestamps, ZIP metadata, and GitHub commit history, the campaign has been active for at least seven weeks. New repositories continued to appear during our review.
The infection chain is simple and effective. The victim extracts the ZIP and launches a batch file. That launcher starts a LuaJIT interpreter with an obfuscated Lua script as its argument. In the samples we analyzed, that SmartLoader stage hides execution, performs a native anti-debug check, resolves its current C2 through a Polygon smart contract, downloads a functionally overlapping second-stage Lua script from a separate GitHub repository tied to the same campaign, fingerprints the host, captures a screenshot, exfiltrates the collected data, and receives encrypted tasking in return. SmartLoader also contains the structures and execution primitives needed to decrypt and load PE payloads directly in memory, which is relevant because the same staging repository also hosted an encrypted StealC sample. It then establishes persistence through two scheduled tasks designed to survive partial cleanup.
The Lure – How the Fake GitHub Repositories Work
The operator appears to target repositories that are beginning to gain traction. New projects with recent activity and growing star counts are attractive because users are actively searching for them. By cloning those repositories under different accounts, the fake copies can appear in search results beside the real project.
The README modifications follow a consistent pattern. Technical content is stripped out. Installation steps, prerequisites, development notes, and contribution guidance are removed. In their place, the actor inserts prominent download buttons using shields.io badges, colored markdown buttons, and direct links. Every link in the README points to the same ZIP file buried deep in the repository.
The actor also modifies repository descriptions and topics. In several cases, unrelated SEO terms were appended to increase search visibility. Combined with a cloned codebase and a plausible-looking repository structure, those additions help the fake project appear credible long enough to drive a download.
We assess this activity is primarily tied to a single threat actor or tightly controlled cluster. The strongest signals are operational consistency and infrastructure overlap. Repositories across different accounts are updated in batches when download links rotate to new ZIP files. The archive layout, README structure, staging pattern, and malware family remain stable throughout the campaign. That points to centralized control and at least partial automation.
Several accounts host multiple malicious repositories at once. The profiles themselves appear mixed. Some were created recently and show little or no prior history. Others display older benign contributions before pivoting into malware distribution.
Across the accounts we reviewed, recent contribution activity often appeared clustered rather than organically distributed over time. That pattern may reflect the operator’s routine maintenance workflow, including repeated README and link updates across staged repositories, rather than meaningful long-term development activity.
The ZIP Files – Bundled SmartLoader Archives
All 109 identified repositories contain a single ZIP file buried deep in the directory structure. The path often resembles an ordinary project archive, such as repo/some/deep/path/project-name-version.zip. That placement appears deliberate, intended to make the archive blend into the repository tree rather than stand out as the actual lure.
The ZIP contents are consistent across the campaign. Samples contain either three or four files: a one-line batch launcher, a renamed LuaJIT executable, an optional lua51.dll, and an obfuscated Lua script stored under a benign-looking .txt or .log filename.
We identified six cosmetic variants across all repositories. Some use four files, with a small frontend that dynamically loads lua51.dll. Others collapse to three files by statically linking the Lua runtime. Executable names rotate between generic labels such as loader.exe, unit.exe, boot.exe and java.exe. Script filenames vary between .txt and .log extensions. However, the execution model is the same in every case.
Across all variants, the executables are LuaJIT 2.1.0-beta3 interpreter builds compiled as GUI subsystem PEs, so no console window appears when they run. The malicious logic sits in the bundled Lua script. File-level reuse is common. We observed byte-for-byte identical ZIP files reused across repositories in the same batch. ZIP timestamps ranged from 2026-02-19 to 2026-04-05.
Technical Analysis
Execution Chain
The initial launcher is minimal. It is typically a single-line batch file:
start <exe> <payload>
The use of start detaches the new process, while the GUI subsystem flag suppresses the console window. The Lua stage then calls GetConsoleWindow and ShowWindow(SW_HIDE) through LuaJIT FFI as a second layer of concealment. From the victim’s perspective, nothing visible happens on screen.
The Executables
All observed executables are LuaJIT 2.1.0-beta3 PE64 GUI builds. None were signed and none contained version metadata. In the four-file variants, a small frontend loads lua51.dll dynamically. In the three-file variants, the Lua runtime is linked statically. We observed multiple compilation generations with regular refreshes, which aligns with the repeated ZIP and link rotation visible across the campaign.
The Obfuscated Lua Scripts
All staged Lua scripts are single-line files between roughly 296 KB and 309 KB, obfuscated with Prometheus. Constants are hidden behind arithmetic identities, strings are permutation-encoded, variable names are randomized, and execution is routed through a custom VM dispatcher. C2 addresses and download URLs are stored inside encrypted blobs that require runtime decryption.
The obfuscation is not decorative. It is central to how SmartLoader delays analysis and hides operational details until execution.
SmartLoader Behavior
SmartLoader uses LuaJIT’s foreign function interface to call the Windows API directly from Lua. Early in execution, it loads ffi and declares a broad set of native structures and function prototypes, giving the script access to memory management, process control, windowing, and graphics APIs without requiring additional native components on disk.
This execution flow is consistent with known SmartLoader behavior. It hides its console window, performs an anti-debug check using native shellcode copied into executable memory, resolves its C2, downloads a second Lua stage from GitHub, captures a screenshot through the GDI pipeline, fingerprints the system, and exfiltrates the collected data to C2.
The FFI declarations also include PE header and export parsing structures together with thread creation primitives, which is consistent with SmartLoader’s known support for in-memory PE loading. In that context, the observed behavior matches SmartLoader’s established role as a loader that supports host profiling, data collection, persistence, and follow-on execution.
Blockchain Dead Drop Resolver
SmartLoader does not hardcode its live C2 address directly in the Lua stage. Instead, it performs a JSON-RPC eth_call against polygon.drpc.org and queries the Polygon smart contract at 0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc using function selector 0x3bc5de30.
The contract returns an ABI-encoded string containing the active C2 URL. During analysis, we observed two returned addresses:
http://144.31.57.65http://144.31.57.67
Both sit in the same /24.
This functions as a dead drop resolver. The operator can rotate infrastructure by updating a single on-chain value rather than rebuilding the malware, modifying every staged sample, or changing DNS. It is a practical way to decouple malware distribution from C2 management and reduce the value of single-node takedowns.
C2 Communication
Once SmartLoader resolves the active server, it sends a POST request to /api/<base64_victim_id> on the bare-IP C2. The request body is multipart/form-data and includes host metadata together with collected data from the infected system. In the samples we analyzed, the exfiltrated content included screenshots and host fingerprinting details.
The server responds with JSON containing two encrypted fields:
{
"loader": "<base64-encoded encrypted instructions>",
"tasks": "<base64-encoded encrypted task list>"
}
Follow-on task completion is later reported back through POST /task/<base64_victim_id>, which returns HTTP 204.
Persistence
SmartLoader establishes persistence through two daily scheduled tasks with separate recovery paths. The task names and local staging directory names vary across samples, but the persistence design remains consistent. In the samples we reviewed, names such as AudioManager_ODM3 and OfficeClickToRunTask_7d7757 were used to masquerade as legitimate software activity.
In one path, SmartLoader copies the LuaJIT binary, the downloaded second-stage Lua file, and lua51.dll into a directory under %LOCALAPPDATA% and executes the locally cached Lua stage on subsequent runs. That path continues to work even if the GitHub staging repository is removed after the initial infection.
In the second path, SmartLoader copies the interpreter and original payload components into a separate directory under %LOCALAPPDATA%, but does not rely only on the cached copy. On each execution, it reaches back to GitHub, downloads a fresh encrypted staging file, decrypts it in memory, and continues execution with the recovered Lua stage. That path restores access if the local second stage is deleted or corrupted.
Second-Stage Staging on GitHub
The second-stage repository observed in this infection chain was deepanshugoel99/long, a sparse GitHub repository with a single commit and minimal visible activity. It hosted two encrypted staging files under long/long/ rather than plaintext payloads.
The file SmartLoader actively retrieved was https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt.
That file is not a readable Lua script on its own. To understand what it contained, we traced the staged-content decryption routine in SmartLoader and recovered the key material used for the GitHub-hosted blobs. Applying that same routine to message1.txt recovered a.lua, a functionally overlapping Lua stage.
That recovered Lua stage behaved almost identically to the original SmartLoader Lua payload. It resolved the same C2 through the same Polygon contract, communicated with the same infrastructure, and created the same scheduled tasks. The small differences were operational and packaging-related, not architectural. In practical terms, a.lua is best understood as a redundant SmartLoader stage used for persistence and re-delivery.
Staged StealC Payload
A second encrypted file, message2.txt, was present in the same staging repository and was fetched during the observed infection chain. We analyzed it using the same staged-content decryption logic and key base recovered from SmartLoader and used to decode message1.txt. That process recovered a packed x64 PE consistent with StealC. The decrypted binary has SHA256 87de3e5a8ef669589c421220cd392ae8027a8f8d3cd97d35ac339f87dcff12c8 and a PE compilation timestamp of 2026-04-10 20:06 UTC, roughly twelve minutes before the staging repository was created.
Operationally, that matters because it matches the execution model SmartLoader already exposes. The Lua stage defines PE parsing structures, allocates executable memory, resolves imports, and starts execution using thread creation primitives. In other words, the same loader used to retrieve and execute encrypted Lua content from GitHub is also capable of decrypting and reflectively loading a PE such as StealC without writing it to disk.
Detection
- GitHub raw content downloads — Monitor for outbound requests to
raw.githubusercontent.comandgithub.comthat fall outside established developer baselines. This detection carries inherent noise in engineering-heavy environments. It is most viable in organizations that already enforce strict egress controls and maintain an approved software inventory. Without that baseline, expect a high false-positive rate that limits operational value. - Batch-launched unsigned executables with script arguments — Look for
cmd.exeprocess creation events where the command line includesstartfollowed by an unsigned executable and an argument ending in.txtor.log. Execution from user-writable locations such as%TEMP%,Downloads, or paths consistent with recently extracted archives increases confidence. The combination of an unsigned binary, a non-standard script extension, and a transient directory is unusual enough to warrant investigation even in noisy environments. - Lua runtime loaded from non-standard paths — Track DLL load events for
lua51.dlloriginating from directories outside expected software installation paths such asProgram Files. Loading from%TEMP%,%LOCALAPPDATA%, or arbitrary user profile subdirectories has no legitimate justification in most enterprise environments and directly reflects the staging layout used throughout this campaign. - Blockchain RPC resolution from non-browser processes — Identify DNS queries or outbound connections to
*.drpc.organd known Polygon or Ethereum JSON-RPC endpoints initiated by processes other than web browsers. Outside of cryptocurrency wallets and blockchain development tooling, this activity has a very narrow legitimate footprint and serves as a reliable early indicator of dead drop resolver behavior. - Smart contract C2 resolution query — Inspect HTTP POST bodies for
eth_callrequests targeting contract address0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdcor referencing function selector0x3bc5de30. This is a high-fidelity indicator directly tied to the observed infrastructure and is unlikely to appear in benign traffic. - Multipart POST to bare-IP addresses — Flag outbound
multipart/form-dataHTTP POST requests directed at bare IP addresses where the URI path starts with/api/. The absence of a hostname, combined with multipart encoding and a generic API path, is a pattern rarely seen in legitimate application traffic and aligns with SmartLoader’s exfiltration behavior. - Task completion callbacks to bare-IP destinations — Monitor for HTTP POST requests to URI paths matching
/task/on bare-IP servers. In this campaign, SmartLoader uses this endpoint to confirm completed tasking. The combination of a bare IP, a short predictable path, and a POST with no meaningful response body is distinctive. - Scheduled task creation referencing %LOCALAPPDATA% — Alert on
schtasks.exe /createinvocations where the scheduled action points to an executable under%LOCALAPPDATA%, particularly when the associated command-line arguments include.txt,.log, orraw.githubusercontent.com. The creation of two or more such tasks within a short window is a strong compound signal. After baselining legitimate scheduled task behavior, this detection should produce minimal noise in most environments. - ZIP archives pairing Lua runtime components with batch launchers — Detect the co-occurrence of
lua51.dllor a LuaJIT interpreter binary alongside.bator.cmdfiles within the same archive or newly created directory tree. This combination is structurally consistent across every observed variant in the campaign and is uncommon enough in legitimate software distribution to serve as a reliable static or on-access indicator.
Prevention
This campaign depends on a user downloading a ZIP from a fake repository and running the included launcher, which makes source verification the most effective control. Users should validate the publisher and prefer official releases over archives buried in the repository tree. Traffic inspection at the proxy or TLS layer helps surface staged payload retrieval and bare-IP exfiltration. Application control blocks unsigned interpreters and script launchers from running out of user-writable paths. Egress rules that block Polygon and other blockchain RPC endpoints disrupt the dead drop resolver, and restricting raw GitHub downloads limits second-stage staging.
Wrap Up
This campaign is effective because it keeps the lure simple and the execution chain quiet. The operator cloned 109 repositories across 103 accounts, replaced legitimate documentation with download funnels, and delivered a LuaJIT-based SmartLoader stage that hides execution, resolves C2 through a blockchain dead drop, collects and exfiltrates host data, maintains persistence through two independent scheduled tasks, and supports in-memory follow-on payload execution.
The technical choices are pragmatic. GitHub provides both initial delivery and second-stage staging. A Polygon smart contract provides an updateable C2 resolver. Bare-IP servers handle collection and tasking. LuaJIT FFI provides direct access to native APIs without requiring additional dropped components. And the same staging workflow can support both redundant Lua stages and encrypted PE follow-on payloads such as StealC. Together, those choices make the campaign easy to replicate, easy to refresh, and harder to disrupt through single-point takedowns.
We will keep monitoring and submitting removal requests. But the broader lesson is straightforward. Repository removal is reactive. Impersonation is cheap, trusted project names are easy to reuse, and fake repositories can be recreated faster than they are taken down. Maintainers should monitor for lookalike projects, and users should verify the source of any GitHub-hosted tool before running it.
Indicators of Compromise
File Hashes
| IoC | Type | Category | Filename | Last Seen |
|---|---|---|---|---|
2273702dfbcfd96a6ed7bdb42ba130291b653869256ec1325bc7fe30e8d9b70a | SHA256 | ZIP archive | Sniper_Pyrsistence_v2.6.zip | 2026-04-12 |
2d72abb33b8428a3a73fb64a03e6ac84595c4b1636f190f2936fadec3c8792f6 | SHA256 | ZIP archive | founders-kit-3.0-beta.5.zip | 2026-04-12 |
b04db6cae604d2ab1542e3c0cf1a4a3bb8d76562556f7275efe25bb90fc1da19 | SHA256 | ZIP archive | score_global_health_assistant_home_v1.2.zip | 2026-04-12 |
d92ac938494c2c74c73f3ca28c5c7148d0a03024b46630192a9348259b7b3665 | SHA256 | ZIP archive | Player_One_3.7.zip | 2026-04-12 |
3299b85734e03cbb767d10f89384f666c35d6863198a7c6c0004ef19fcc76bc3 | SHA256 | ZIP archive | nightlights-district-india-viirs-v1.2.zip | 2026-04-12 |
c324560d4310849fd6b86e126514b20512905eee7ee94a2152f4314bb4055649 | SHA256 | ZIP archive | dumper-cpp-1.7.zip | 2026-04-12 |
2c3c4f1e3401c7baa804c21164b17a2ab50b3462ab09fcdccec35c8faa8e17fb | SHA256 | ZIP archive | client-qclaw-wechat-3.5-beta.4.zip | 2026-04-12 |
58b98acb7dc26d8130c20b38ad040e5e7042eac38f12205248595697143c4297 | SHA256 | ZIP archive | skills_product_ai_v3.9-beta.3.zip | 2026-04-12 |
10cbcb3fb25205a53ea9fe4fad46f45a349f7da8de22dd53a1ce16a920059720 | SHA256 | ZIP archive | skill_uncodixify_v3.8.zip | 2026-04-12 |
bc95563880f17f4c3fc0fd8d3f7abc37b14ffb3daa627f92d5bd0b4f457d54e2 | SHA256 | ZIP archive | commerce-agent-enstatite.zip | 2026-04-12 |
13690a008d375908399e7f0bf8d1b4733498f1145166c7788fb9966c3b551b2f | SHA256 | ZIP archive | Server-Pirate-LL-ferfet.zip | 2026-04-12 |
12a09f9425cd4058956214b237ec82577c7b9ae15f323c28d3b4ad846d0d2f6b | SHA256 | ZIP archive | ts-symphony-chloromethane.zip | 2026-04-12 |
b599a00d1226f6e0d433bf9be89958d6d4600a365c8e16bd86b4603e2552bf37 | SHA256 | ZIP archive | Software_v2.2.zip | 2026-04-12 |
998e14a100d1f541f9fd59f4e58dd86e76fe7a105b02646d3487f18583d46c42 | SHA256 | ZIP archive | calendar-dashboard-task-2.2.zip | 2026-04-12 |
ebe63bd7715e7b2ff0b25c9bb6540a904f7195fb9fb2d405bd0cb5c0c4d34476 | SHA256 | ZIP archive | Software-3.2.zip | 2026-04-12 |
3217ae928395e00d873cccdf2adfa7828fe319fc84501453e702af91a0af2596 | SHA256 | ZIP archive | Token-Stream-2.2.zip | 2026-04-12 |
e12e7d4d7c5ccf825c9c0ba3af32a9d575d1624ad6e3998e7a71c3e0939c0d61 | SHA256 | ZIP archive | Download-Ninja-Full-Ripper-3.7.zip | 2026-04-12 |
012b49c7f60bbe0501e61fc62c9b7dd69be9bbf15cb36a840a293b3cb066b865 | SHA256 | ZIP archive | agent_workspace_v1.5.zip | 2026-04-12 |
275275b5099a63724b6f525c1e9de082829e710078e8605c0286998b5a02e75d | SHA256 | ZIP archive | autotrader-openclaw-v3.1-beta.5.zip | 2026-04-12 |
7e107cc2db66be4c9a90c2ef81f21ae2893962e1040531dff0305d9283f27387 | SHA256 | ZIP archive | Stealer_Hades_1.4-beta.3.zip | 2026-04-12 |
768c28bff5e2ccd991a4a5cbfe3331015e3262cbc007829631483b46aa582cbc | SHA256 | ZIP archive | Impacket_Reference_1.5.zip | 2026-04-12 |
6b518855404b7281246aab93a46288b25f0cb0f09cdeb820e677ef615bf3fda4 | SHA256 | ZIP archive | Open-RL-Claw-3.9.zip | 2026-04-12 |
572acf0d7a3801b9bc41f626bac781d75ea1f99770b176079ae5f9a347c09b78 | SHA256 | ZIP archive | Amazon_Analysis_Product_Excel_Sales_Revenue_semiegg.zip | 2026-04-12 |
4b3231da6ba13aa1e1eb8dd371e287bc18505273bca5bda80065c60b024549b8 | SHA256 | ZIP archive | MCP_EVOKOR_3.4.zip | 2026-04-12 |
1aacc8cb9694293dc152891fc26de64a2061b31a066d297373cdc87da54b6fd8 | SHA256 | ZIP archive | Audio_Auditor_v1.8.zip | 2026-04-12 |
d142be1fc9a7eec7ec26aeea75e5f7a175c4ab9b2ee36b958280873bc3861b2e | SHA256 | ZIP archive | smart_miner_money_2.0.zip | 2026-04-12 |
a50c4c26597cb4dc3ce340e1de0ec929b4a7ab0954a6ba214a32f158f01d6a8a | SHA256 | ZIP archive | Gov_Tracker_Blocklist_madnesscc_E_by_v2.3.zip | 2026-04-12 |
9de5dc4192a9dea43d9ff6289bb276bb3f2c244c15821b6d31fab90258b23149 | SHA256 | ZIP archive | Glider-UI-v2.7.zip | 2026-04-12 |
2149a0c948d87f6a80ebb4abddf742c2383f59c7558a313caa0c0fd3bd3cdeef | SHA256 | ZIP archive | Enhance-Prompt-1.6.zip | 2026-04-12 |
a6fce76371d8b950b22bbea5a94d5688c19368979d06b2ef3c41f18ce6ada4c3 | SHA256 | ZIP archive | waf-mango-1.2.zip | 2026-04-12 |
a90898926236de8b574b50ef8c6c0411b193383d6db2214d73ead27c65867fd5 | SHA256 | ZIP archive | Ultra-Clopix-Delta-v2.7.zip | 2026-04-12 |
44d5de84ee0c31517d114640ba9b9b307ea9e1ec4e591de42cbb4d07ceb5e6c3 | SHA256 | ZIP archive | App-Vesper-AI-2.9.zip | 2026-04-12 |
f5bdf3d6c1376476b0d9eb0e74aa5aa8ccc7378068531c8346d76fbef04c6a6e | SHA256 | ZIP archive | hub_premium_access_marketmuse_v3.7.zip | 2026-04-12 |
5b09803d2acbec734d9c88496f9590bb7cbaf5392607ef0f20f79fe177f7fd83 | SHA256 | ZIP archive | Dumper_Zygisk_Il_Cpp_v3.4.zip | 2026-04-12 |
d8469b109bb22ad367c19971e1065074527af144d4c1e7d7a4cfb0f2d6e12767 | SHA256 | ZIP archive | dashboard-pump-fun-v2.6.zip | 2026-04-12 |
9f6368bccedd005075fe991719719b0df5af22df697cab76aa6b4392d38394b1 | SHA256 | ZIP archive | bread_simulator_run_toolkit_3.6.zip | 2026-04-12 |
0a4bce0f0461335585550598ff33c40a389465f7d0094212bee40b7f525de123 | SHA256 | ZIP archive | hoshan-vehicles-2.3.zip | 2026-04-12 |
f6d10e879324c36914002ebd989e1a6fdc50e29257078a95e975f18b42f69836 | SHA256 | ZIP archive | ecommerce_theme_gatsby_v3.0.zip | 2026-04-12 |
fad3d429172932b72e50f52af169a80439464e3538d97810509090e2e6cdf32a | SHA256 | SmartLoader LuaJIT interpreter | loader.exe | 2026-04-12 |
bff0904456e3151221d29ed1d7c88fc31587efbdfb28817cdcb7ec7f20cade21 | SHA256 | SmartLoader LuaJIT interpreter | selector.exe | 2026-04-12 |
bbd438d3d7a59152f1dd5e45bb8d22ee1c07f95cfe42cebbe756aaf4feadc875 | SHA256 | SmartLoader LuaJIT interpreter | unit.exe | 2026-04-12 |
d1557bc3f5d8542f9b7f8e80b02283397d2e437386a6662251c4fc7342167cda | SHA256 | SmartLoader LuaJIT interpreter | unit.exe | 2026-04-12 |
167b166e26dd44f580a00f2c879089c5362eff5120ac88e0701b11b1eb320ca9 | SHA256 | SmartLoader LuaJIT interpreter | load.exe | 2026-04-12 |
8b42ca9d05badf0e7327d816a56e5516431ae34627da68e12ae9347f365b2668 | SHA256 | SmartLoader LuaJIT interpreter | compiler.exe | 2026-04-12 |
d56213d08fb10c880f17e1a262bf1176cf234d1fc591188171e7be9cd856eb12 | SHA256 | SmartLoader LuaJIT interpreter | util.exe | 2026-04-12 |
3595a6b226ce4daa0a28edea152b3a887c01f6323db1d082f6568c995cdefb55 | SHA256 | SmartLoader LuaJIT interpreter | luajit.exe | 2026-04-12 |
e69873a3ef03b289aba8a0ec7130247dc5f2a3ce8c3b647b44518a899f39f789 | SHA256 | SmartLoader LuaJIT interpreter | luajit.exe | 2026-04-12 |
f3e34c9e36f3be065d80d456281d31dd1cc85eb4980db7fa8c1b0eb6f29c25d8 | SHA256 | SmartLoader LuaJIT interpreter | luajit.exe | 2026-04-12 |
09e0f7616dfd2f7eb2876f6ef7331d6dbc78775acd594a94b0397a56717d1fcc | SHA256 | SmartLoader Lua runtime DLL | lua51.dll | 2026-04-12 |
440ceb0dc5911faca54ed9a4dd186dad3d006ae4f52d0bb7d1e4b4edd8c3693a | SHA256 | SmartLoader Lua runtime DLL | lua51.dll | 2026-04-12 |
e450152d8dd9f7d2d92dbd53461a38ee8f154b69b2558ed43b5d3f603a43240a | SHA256 | SmartLoader obfuscated Lua payload | proto.txt | 2026-04-12 |
76afe60e675e68906a2de61d45c46aa6502fe7f9c298260c226a4382744f4212 | SHA256 | SmartLoader obfuscated Lua payload | func.txt | 2026-04-12 |
25aff351f5b4195f33e2fb862f71e3668e699f2311e7844e277b8256a6cb47c0 | SHA256 | SmartLoader obfuscated Lua payload | package.txt | 2026-04-12 |
54bbd79ed1ee26d3e7aa079963ba26c36aa683c01cc8b05b6d255da8634df006 | SHA256 | SmartLoader obfuscated Lua payload | package.txt | 2026-04-12 |
830ec7352972fd1eb24fcaf72349ef9a27dd9f26f24552d6b68b87ffeada1212 | SHA256 | SmartLoader obfuscated Lua payload | package.txt | 2026-04-12 |
f9436ccb986760ca379d6cd2f00726e032a1d9c250a9bd261d40d98b914e7ef9 | SHA256 | SmartLoader obfuscated Lua payload | dynasm.txt | 2026-04-12 |
3989cdf958d258244f3a72bac594214112ffe1008d4d81233a5911482dd302ca | SHA256 | SmartLoader obfuscated Lua payload | buff.log | 2026-04-12 |
c7b71a992c6ca1467164b643136d986c0eec28548f30533456a3ea0f442c85a8 | SHA256 | SmartLoader obfuscated Lua payload | buff.log | 2026-04-12 |
59c2115caf3104184de6cbc64c4029886b7302e1fa58acc910a2c567222e8616 | SHA256 | SmartLoader obfuscated Lua payload | static.txt | 2026-04-12 |
8cede35b80b1deaf732c2b178d908f91b3e7a0c114d06dfae9075b8a9bf78b8f | SHA256 | SmartLoader obfuscated Lua payload | uix.txt | 2026-04-12 |
d067cacea4ec623dc715c27ff7568d14988af0be1f3db32d332f27744114f9ba | SHA256 | SmartLoader obfuscated Lua payload | x64.txt | 2026-04-12 |
a93ac4fb3f9dadc22f7b7f1877bc99b84a77fe3bbe560bdd20bbd7c4b6f9c1d6 | SHA256 | SmartLoader obfuscated Lua payload | tree.txt | 2026-04-12 |
e1e6e28bc665b242fd4b496caf2542042d5720e87ea74551735664c202c486c7 | SHA256 | SmartLoader launcher script | Launcher.bat | 2026-04-12 |
3658fc38c10867e30e3c5c98a7a392e452a4ba497c8a674ff26554bc09f032b0 | SHA256 | SmartLoader launcher script | Application.cmd | 2026-04-12 |
b0f0b6e38f77c518ebfaf691d729636d82cc59dc2a329d7454e11f74a2cb2d3f | SHA256 | SmartLoader launcher script | Application.cmd | 2026-04-12 |
cd4d2b6dc9c764c3f2b2b003bce035053a8ce81420c7ea886c76611219cae4ae | SHA256 | SmartLoader launcher script | Application.cmd | 2026-04-12 |
7e8bd9ba64fcbd1cb753baa2f7bc8d5d7f3e91552bcdc9ec1ec04edd4916ff33 | SHA256 | SmartLoader launcher script | Application.cmd | 2026-04-12 |
af6f59bd3caee5daa2d6765dd8c1bc167060a9681617ee1e2aff32f1eda3477c | SHA256 | SmartLoader launcher script | Application.cmd | 2026-04-12 |
a91b3308a7e9aa9fa660c72d27f226d8f50bfac2629f79a828fbecff323c0fe0 | SHA256 | SmartLoader launcher script | Application.bat / App.bat | 2026-04-12 |
c3b56d68c80c4a6a9879c45a7761a538e3546644623af1ee469d3b70130fa0cd | SHA256 | SmartLoader launcher script | Application.bat | 2026-04-12 |
ce1e33483d353200a266b3bc383ccf500e5a760c6dcd8218747260f5bbe39509 | SHA256 | SmartLoader launcher script | Launcher.cmd | 2026-04-12 |
592ec6f529721acbe07100c5386c58ca20fddfee7ac90280943fc2a61661e2be | SHA256 | SmartLoader launcher script | Launch.bat | 2026-04-12 |
212C76DAF355EDE116EB04D4F9D08A112D07940A14DC248BC568FF1BA0A64E18 | SHA256 | Encrypted second-stage on GitHub (message1.txt) | 2026-04-12 | |
87de3e5a8ef669589c421220cd392ae8027a8f8d3cd97d35ac339f87dcff12c8 | SHA256 | StealC packed binary decrypted from message2.txt | 2026-04-12 |
Network Indicators
| IoC | Type | Category | Last Seen |
|---|---|---|---|
144.31.57.67 | IPv4 | SmartLoader C2, SERVHOST-AS, United Kingdom | 2026-04-12 |
144.31.57.65 | IPv4 | SmartLoader C2, SERVHOST-AS, United Kingdom | 2026-04-12 |
213.176.73.149 | IPv4 | StealC C2 | 2026-04-12 |
https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt | URL | Second-stage Lua payload hosted on GitHub | 2026-04-12 |
https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message2.txt | URL | StealC payload hosted on GitHub | 2026-04-12 |
0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc | Polygon contract | Blockchain dead drop resolver returning C2 IP | 2026-04-12 |
0x3bc5de30 | Function selector | Smart contract method called to retrieve C2 address | 2026-04-12 |
polygon.drpc.org | Domain | Polygon RPC endpoint used by SmartLoader | 2026-04-12 |
POST /api/<base64_victim_id> | URL pattern | Exfiltration endpoint (multipart/form-data) | 2026-04-12 |
POST /task/<base64_victim_id> | URL pattern | Task completion callback endpoint | 2026-04-12 |
Repositories
| IoC | Type | Category | Last Seen |
|---|---|---|---|
https://github.com/stcitlab1/PyrsistenceSniper/ | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Shonpersus/founders-kit | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/therajeshpatil/home-assistant-global-health-score | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Cherishpolyploid691/One-Player | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/eltayep2/india-district-nightlights-viirs | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/jayed50/cpp-dumper | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Arlinablind800/qclaw-wechat-client | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/amosshadowy76/ai-product-skills | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/anubhavsingh-0218/uncodixify-skill | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/AlexSilgidzhiyan/agent-commerce | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/somya-droid/Pirate-LLM-Server | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/ashiskumarnanda/symphony-ts | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/rakibul3790/mdexplore | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Cobras1934/task-calendar-dashboard | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/mohadesehfllh/whispr | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/FILDA007/TokenStream | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/halim2023/Ninja-Ripper-2.13-Full-Download | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/pandu1992/agent-workspace | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/freefire2chyko-a11y/openclaw-autotrader | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/silent-whisper/Hades-Stealer | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Lyrothanak20/Impacket_Reference | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/sabalearning01/OpenClaw-RL | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/minullaksen/Amazon_Sales_Product_-_Revenue_Analysis_Excel | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/shripadk1999/EVOKORE-MCP | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/viktor820/AudioAuditor | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/arnautoff1/smart-money-miner | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/CobraZero969/EU-Gov-Tracker-Blocklist-by-madnesscc | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/hayate001/GliderUI | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/wtfhanin/Enhance-Prompt | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/jakariyaox-dot/mango-waf | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/AdebSamra/Delta-Clopix-Ultra | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/shmilymaria/VesperAIApp | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/AdebSamra/marketmuse-premium-access-hub | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/hayate001/Zygisk-Il2CppDumper | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/arnautoff1/pump-fun-dashboard | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/sabalearning01/bread-run-simulator-toolkit | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/eltayep2/hoshan-vehicles | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/mohadesehfllh/gatsby-ecommerce-theme | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Casheu1/perplexity-2api-python | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/usernamedoxelghk/WindsurfSwitch | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/GamerX3560/Aria-V-7.1 | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/oliverkanda254/medusa-mobile-react-native | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/haren2312/medusa-mobile-react-native | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Jonaskouame/Phone-Number-Tracker | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/h4vzz/awesome-ai-agent-skills | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Sriv4/insta-hack-termux | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/renny2020/Open-UI | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/YahiaGrdh/vibe-agents | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/abuferas1262/yandex-speedtest-cli | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/CuddlyPaws22/codeclaw | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/jessevanwyk1/claude-scholar | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/ejfhgo/hacker-Toolkit | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Ksalazar29/deepseek-claw | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Pr-E/openclaw-master-skills | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/mreshuu/STForensicMacOS | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/phongdshh-debug/Ghost-MSG | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/TalangoJames/fractals | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/GH8ST007/llms_with_google_cloud | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/mohamedfaro7/Chuks-YT-Live_AI | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/mrizky214/task-runner-1771921051-1 | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/sidiishan/soul.py | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Xhtira20/scraped | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Always15dppk/register | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/omkargundle/claude-usage-bar | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/fajarsm14/epic-games | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/JoOdSy/mini-apps | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/MPB0828/Greenhouse-Gas-Emissions-Forecasting-with-ARIMA-LSTM | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/twinklew9/notes2latex | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Sawyer60/Dataset_HealthHub | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/vlsienthusiast00x/Spodrue | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/IvannGonzzalez/hve-core | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Aditya923-c/xpoz-agent-skills | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Shavan889/minisforum-ms-s1-max-bios | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/DarkSliceYT/ai-infra-index | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Seragatia/DocGenie | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/whydixit/cursor-starter | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Tawhidhere/OneRec-Think | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/rushikeshjaware/DiffusionDriveV2 | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Abisheak250402/cloakbrowser-human | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Loune3213/Wazuh-Openclaw-Autopilot | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Ragulrajtcestd/LSTM-Optuna | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Tod-weenieroast366/coding-plan-mask | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/KemalFasa/discord-adapter-meme | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Bhin4787/AI-Powered-Ticket-Routing-SLA-Breach-Prediction-in-JIRA | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Jacksonsmg/SoftwareTesting-Cunit | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/linhkat3057/Valthrun | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/DIMANANDEZ/refrag | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/MichaelQDLe/CodeHive | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/VantageSolutions/ShadowTool | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Pataterustiche/tonconnect | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/cristiancctlv/recaptcha-botguard | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/marciunyielding712/openage | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Ali-Shady/claude-agent-desktop | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/2aryanZ/paper-submission-check | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Hosk9612/venutian-antfarm | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/MohamedSamiHdj/realtime-data-pipeline | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/alvfpinedo/go-prometheus-exporter | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/MrKillerq/Mini-o3 | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/vickykumar11062/Replication-package-for-gender-and-regional-differences-in-scientific-mobility-and-immobility | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/nonunion-loasa895/codapter | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/WILLIAM86-CAPTAIN/gooey-search-tabs | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/hama1981/ROBLOX-MACRO-V3.0.0 | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/syedabdullahuddin/n8n-workflow-sdk-mcp | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/wanderconnect01/ika-network-skill | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/okoid721/chloroDAG | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Valentin6595/WhatDreamsCost-ComfyUI | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/virginiadiom2000-ai/osv-ui | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/gage6903/son-of-claude | URL | Malicious GitHub repository | 2026-04-12 |
https://github.com/Milan-sisodia-27/idl-pu3 | URL | Malicious GitHub repository | 2026-04-12 |
