A concerning cybersecurity threat has emerged with the discovery of AI-generated fake GitHub repositories designed to distribute malware, including the notorious SmartLoader and Lumma Stealer.
These malicious repositories, crafted to appear legitimate, exploit GitHub’s trusted reputation to deceive users into downloading ZIP files containing malicious code.
The campaign highlights the evolving tactics cybercriminals employ to bypass security measures, leveraging artificial intelligence to create convincing fake repository content.
The Trend Micro Threat Hunting team has identified an ongoing campaign using fake GitHub repositories to deploy SmartLoader, which serves as a stepping stone to deliver Lumma Stealer—an advanced information stealer distributed via the Malware-as-a-Service (MaaS) model.
The lure typically promises “free”, cracked or otherwise unlocked software features, enticing users to download ZIP files with generic names such as “Release.zip” or “Software.zip.” Once the archive is extracted and its launcher is run, the SmartLoader payload executes and stages further malware.
The AI-generated content in these repositories includes suspicious elements such as excessive emoji usage, unnatural phrasing, and structured content designed to mimic legitimate documentation.
The primary goal is to trick users into downloading malicious ZIP files from the Releases section of the fake repositories.
The ZIP files contain four key components: a legitimate Lua interpreter executable (luajit.exe), the runtime DLL it depends on, a batch launcher (Launcher.bat), and a file named userdata.txt that is not data at all but the malicious Lua script.
While the DLL and the interpreter executable themselves are not malicious, the Lua script within userdata.txt is responsible for compromising the victim’s system.
The script connects to a command-and-control (C&C) server to receive and execute tasks, such as collecting system information, evading security software, and downloading additional payloads.
Example Code Snippet
The batch file (Launcher.bat) typically contains a command line similar to the following, which executes the malicious Lua script:
luajit.exe userdata.txt
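The execution chain above (a benign interpreter, a launcher script and a script disguised as a .txt file) is easy to triage before anything is run. The following is an added example, not code from the article or from Trend Micro: it builds a constructed archive in memory that mirrors the described layout and flags the tell-tale pattern of a batch file handing a non-.lua file to a Lua interpreter. The DLL name, the placeholder binary contents and the Lua snippet in the sample are assumptions; only luajit.exe, userdata.txt and Launcher.bat come from the article.

```python
"""Triage a downloaded ZIP for the SmartLoader lure layout.

Added example (not the article's or Trend Micro's code).  The archive it
inspects is constructed here; binaries are placeholder bytes, not real PEs.
"""
import io
import re
import zipfile

# Interpreter binaries that are benign on their own but used as the loader.
LUA_INTERPRETERS = {"luajit.exe", "lua.exe", "lua51.exe", "lua5.1.exe"}
# Cheap signs that a text blob is Lua source rather than "user data".
LUA_MARKERS = re.compile(
    r"\b(local|function|require|loadstring|load|os\.execute|io\.popen)\b")
# "<something>lua<something>.exe <arg>" inside a batch file; arg may be quoted.
INVOKE_RE = re.compile(
    r'(?i)(?:^|[\s"&|])(?P<interp>[\w.-]*lua[\w.-]*\.exe)\s+"?(?P<arg>[^\s"&|]+)')


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: four files under Release/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Release/luajit.exe", b"MZ\x90\x00placeholder-interpreter")
        z.writestr("Release/lua51.dll", b"MZ\x90\x00placeholder-runtime")  # DLL name assumed
        z.writestr("Release/Launcher.bat", "@echo off\r\nluajit.exe userdata.txt\r\n")
        z.writestr("Release/userdata.txt",
                   'local s = require("socket")\nfunction run(t) os.execute(t) end\n')
    return buf.getvalue()


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per batch line that feeds a non-.lua file to a Lua interpreter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # basename -> full path, so "userdata.txt" in the .bat resolves inside the archive
        names = {n.rsplit("/", 1)[-1].lower(): n for n in z.namelist()}
        for name in z.namelist():
            if not name.lower().endswith((".bat", ".cmd")):
                continue
            text = z.read(name).decode("utf-8", "replace")
            for m in INVOKE_RE.finditer(text):
                interp, arg = m.group("interp").lower(), m.group("arg")
                if interp not in LUA_INTERPRETERS or arg.lower().endswith(".lua"):
                    continue  # a .lua argument is the normal, honest use of the interpreter
                target = names.get(arg.rsplit("\\", 1)[-1].lower())
                body = z.read(target).decode("utf-8", "replace") if target else ""
                findings.append({
                    "launcher": name,
                    "interpreter": interp,
                    "script": arg,
                    "script_in_archive": target is not None,
                    "looks_like_lua": bool(LUA_MARKERS.search(body)),
                })
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

Run it against a real download by passing the file's bytes to triage_zip(); a finding with script_in_archive and looks_like_lua both true is the SmartLoader shape, while a .bat that launches the interpreter with a proper .lua file is left alone.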
This execution chain allows SmartLoader to deploy Lumma Stealer and other malware payloads. For instance, Lumma Stealer can execute a command like the following in the %TEMP% folder:
cmd /c copy /b ..\Entertaining.xls + ..\Divide.xls + ..\Providence.xls + ..\Shakespeare.xls + ..\Adolescent.xls + ..\Divided.xls + ..\Unnecessary.xls + ..\Karma.xls
The /b switch makes copy concatenate the files byte-for-byte, so this command reassembles a single executable from a payload that was split into fragments with innocuous-looking .xls names; the fragments are not real spreadsheets, which is why a scanner that trusts the extension misses them.
The use of AI-driven tactics to create convincing fake repositories underscores the growing sophistication of cyber threats.
These attacks can result in the theft of sensitive information, including login credentials, financial data, and personally identifiable information (PII), leading to severe financial and personal consequences.
Moreover, the stolen data can be sold to other cybercriminals, amplifying the risks for victims.
To defend against such threats, cybersecurity experts recommend the following best practices:
As cybercriminals continue to adapt their strategies, a proactive and robust cybersecurity approach is essential to mitigate these evolving threats.
By implementing these measures, individuals and organizations can significantly reduce the risk of falling victim to AI-generated fake GitHub repositories and associated malware attacks.