Thursday, February 6, 2025
HomeCyber AttackHackers Set Up Fake GitHub Repos to Deliver Malware Posing as Zero-day

Hackers Set Up Fake GitHub Repos to Deliver Malware Posing as Zero-day

Published on

SIEM as a Service

Follow Us on Google News

Recently, the cybersecurity researchers at VulnCheck identified a growing trend of hackers masquerading as cybersecurity researchers on social platforms like Twitter and GitHub. 

While hackers are doing so to spread fake proof-of-concept exploits for the vulnerabilities that are Zero-day in nature and capable of infecting both most used operating systems:-

  • Windows
  • Linux 

Alleged experts affiliated with a fraudulent cybersecurity company, ‘ High Sierra Cyber Security,’ are actively spreading these malicious exploits.

Hackers’ primary focus is on cybersecurity researchers and companies actively participating or involved in vulnerability research.

Promoting zero-day Flaws

The repositories appear legitimate, with the individuals responsible for them masquerading as actual security experts from renowned security companies like ‘Rapid7.’ 

Not only that, but they also utilize the pictures of these security professionals to further their deception, based on the report from VulnCheck.

To give their research and code repositories on platforms like GitHub a sense of legitimacy, the same personas also manage Twitter accounts.

Additionally, they exploit social media to lure unsuspecting victims into their traps.

Since May 2023, this malicious campaign has been ongoing and actively promoting zero-day vulnerabilities for the renowned and most used apps, which include:-

  • Chrome
  • Discord
  • Signal
  • WhatsApp
  • Microsoft Exchange

Across all instances, the malicious repositories contain a Python script named ‘poc.py,’ here this script serves as a means of downloading malware on the following systems:-

  • Linux 
  • Windows

The script connects with a distinct website to retrieve a ZIP file, subsequently downloading it onto the targeted computer. 

The choice of the appropriate file is contingent upon the operating system currently in place. As here, both Linux and Windows  users get the same file but with different names that we have mentioned below:-

  • Linux users: ‘cveslinux.zip’
  • Windows users: ‘cveswindows.zip’

Here below we have mentioned the storage directories or locations of the malware:-

  • Windows: %Temp%
  • Linux: /home/<username>/.local/share

The Windows binary inside the ZIP file (‘cves_windows.exe’) raises concerns among more than 60% of antivirus engines on VirusTotal, indicating its potential risk.

Unlike its Windows counterpart, the Linux binary (‘cves_linux’) shows a greater level of stealthiness, managing to evade detection from most of the scanners, as three antivirus scanners managed to detect it.

The exact nature of the installed malware remains uncertain, but both executables install a TOR client. Besides this, the Windows edition is recognized as a trojan with the ability to steal passwords.

Malicious Repositories, Fake GitHub & Twitter Accounts

Here below, we have mentioned the malicious repositories that should be avoided:-

  • https://github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  • https://github.com/MHadzicHSCS/Chrome-0-day
  • https://github.com/GSandersonHSCS/discord-0-day-fix
  • https://github.com/BAdithyaHSCS/Exchange-0-Day
  • https://github.com/RShahHSCS/Discord-0-Day-Exploit
  • https://github.com/DLandonHSCS/Discord-RCE
  • https://github.com/SSankkarHSCS/Chromium-0-Day

Here below, we have mentioned all the fake Twitter accounts that should be avoided:-

  • https://twitter.com/AKuzmanHSCS
  • https://twitter.com/DLandonHSCS
  • https://twitter.com/GSandersonHSCS
  • https://twitter.com/MHadzicHSCS

Here below, we have mentioned all the fake GitHub accounts that should be avoided:-

  • https://github.com/AKuzmanHSCS
  • https://github.com/RShahHSCS
  • https://github.com/BAdithyaHSCS
  • https://github.com/DLandonHSCS
  • https://github.com/MHadzicHSCS
  • https://github.com/GSandersonHSCS
  • https://github.com/SSankkarHSCS

Looking For an All-in-One Multi-OS Patch Management Platform – 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...