A concerning cybersecurity threat has emerged with the discovery of AI-generated fake GitHub repositories designed to distribute malware, including the notorious SmartLoader and Lumma Stealer.
These malicious repositories, crafted to appear legitimate, exploit GitHub’s trusted reputation to deceive users into downloading ZIP files containing malicious code.
The campaign highlights the evolving tactics cybercriminals employ to bypass security measures, leveraging artificial intelligence to create convincing fake repository content.
The Trend Micro Threat Hunting team has identified an ongoing campaign using fake GitHub repositories to deploy SmartLoader, which serves as a stepping stone to deliver Lumma Stealer—an advanced information stealer distributed via the Malware-as-a-Service (MaaS) model.
The lure typically includes promises of “free” or unauthorized software functionalities, enticing users to download ZIP files such as “Release.zip” or “Software.zip.” Upon execution, these files initiate the SmartLoader payload, leading to further malware deployment.
The AI-generated content in these repositories includes suspicious elements such as excessive emoji usage, unnatural phrasing, and structured content designed to mimic legitimate documentation.
The primary goal is to trick users into downloading malicious ZIP files from the Releases section of the fake repositories.
The ZIP files contain four key components:
While the DLL and executable files themselves are not malicious, the Lua script within userdata.txt is responsible for compromising the victim’s system.
The script connects to a command-and-control (C&C) server to receive and execute tasks, such as collecting system information, evading security software, and downloading additional payloads.
Example Code Snippet
The batch file (Launcher.bat) typically contains a command line similar to the following, which executes the malicious Lua script:
luajit.exe userdata.txt
This execution chain allows the SmartLoader to further deploy Lumma Stealer and other malware payloads. For instance, Lumma Stealer can execute a command like this in the %TEMP% folder:
cmd /c copy /bc..\Entertaining.xls + ..\Divide.xls + ..\Providence.xls + ..\Shakespeare.xls + ..\Adolescent.xls + ..\Divided.xls + ..\Unnecessary.xls + ..\Karma.xls
This command concatenates multiple Excel files to create a single executable file that facilitates malicious activities.
The use of AI-driven tactics to create convincing fake repositories underscores the growing sophistication of cyber threats.
These attacks can result in the theft of sensitive information, including login credentials, financial data, and personal identifiable information (PII), leading to severe financial and personal consequences.
Moreover, the stolen data can be sold to other cybercriminals, amplifying the risks for victims.
To defend against such threats, cybersecurity experts recommend the following best practices:
As cybercriminals continue to adapt their strategies, a proactive and robust cybersecurity approach is essential to mitigate these evolving threats.
By implementing these measures, individuals and organizations can significantly reduce the risk of falling victim to AI-generated fake GitHub repositories and associated malware attacks.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…