Trend Micro’s Managed XDR team recently uncovered a malware campaign using GitHub’s release infrastructure to spread Lumma Stealer, SectopRAT, Vidar, and Cobeacon malware. This highlights how attackers are using trusted platforms to deliver harmful payloads.
The attack starts when users download files from temporary secure URLs on GitHub. These files, including Pictore.exe and App_aeIGCY3g.exe, are Lumma Stealer variants that steal sensitive data like credentials, cryptocurrency wallets, and system details, while also connecting to command-and-control servers.
The malicious files, signed with revoked certificates, use GitHub repositories for distribution and rely on PowerShell scripts and shell commands to stay hidden and persist.
Further analysis shows the campaign shares tactics with the Stargazer Goblin group, a known threat actor that uses compromised websites and GitHub for payload delivery.
The consistent URL patterns and redirection to GitHub-hosted malware suggest careful planning.
“The infection chain is complex and uses modular deployment. The initial Lumma Stealer files drop and run additional malware, including:
- SectopRAT: Provides remote access and steals data, including browser info, while maintaining persistence through startup entries and scheduled tasks.
- Vidar: Steals browser data and cloud storage files, connecting to external C&C servers to exfiltrate data.
- Lumma Stealer Variant: Uses obfuscated PowerShell scripts to contact malicious domains, download payloads, and steal sensitive details.
The attackers used advanced evasion techniques, like Electron-based frameworks and custom settings, to avoid detection.
Connections to IPs like 192[.]142[.]10[.]246 and domains like lumdukekiy[.]shop enabled external communication.
Recon commands and code flags gathered system info stealthily.
This campaign shows attackers using GitHub to bypass defenses and deploy multiple malware families, including Lumma Stealer, for modular attacks.
Trend Micro’s Managed XDR platform uncovered the campaign, highlighting the need for strong threat intelligence and proactive monitoring.
IOCs
| SHA256 | Originating URL(s) | GitHub release asset |
|---|---|---|
| de6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430 | hxxps://eaholloway[.]com/updatepage333 | hxxps://github[.]com/viewfilenow/Downloadnew/releases/download/3214214/Pictore.exe |
| afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0 | hxxps://afterpm[.]com/pricedpage/ | hxxps://github[.]com/down4up/44/releases/download/33/App_aeIGCY3g.exe |
| | hxxps://enricoborino[.]com/propage66 | |
| b87ff3da811a598c284997222e0b5a9b60b7f79206f8d795781db7b2abd41439 | hxxp://sacpools[.]com/pratespage | hxxps://github[.]com/zabdownload/v14981950815/releases/download/23113123/Squarel_JhZjXa.exe |
| cd207b81505f13d46d94b08fb5130ddae52bd1748856e6b474688e590933a718 | hxxps://startherehosting[.]net/todaypage | hxxps://github[.]com/g1lsetup/iln7/releases/download/423425325/NanoPhanoTool.exe |
| | hxxps://kassalias[.]com/pageagain/ | |
| | hxxps://pmpdm[.]com/webcheck357 | |
| 823d37f852a655088bb4a81d2f3a8bfd18ea4f31e7117e5713aeb9e0443ccd99 | hxxps://ageless-skincare[.]com/gn/ | hxxp://github[.]com/yesfound/worked/releases/download/1/QilawatProtone.exe |
| 380920dfcdec5d7704ad1af1ce35feba7c3af1b68ffa4588b734647f28eeabb7 | hxxps://compass-point-yachts[.]com/nicepage77/pro77.php | hxxps://github[.]com/down7/Settingup/releases/download/set/NativeApp_G5L1NHZZ.exe |
| d8ae7fbb8db3b027a832be6f1acc44c7f5aebfdcb306cd297f7c30f1594d9c45 | hxxps://pmpdm[.]com/webcheck/ | hxxps://github[.]com/JF6DEU/vrc121/releases/download/2025/X-essentiApp.ex_ |
| | | hxxps://github[.]com/g1lsetup/v2025/releases/download/ex/X-essentiApp.exe |
| 15b195152a07bb22fec82aa5c90c7ff44a10c0303446ce11f683094311a8916b | hxxps://comicshopjocks[.]com/nicepage/pro.php | hxxps://github[.]com/dowwnloader/FileSetup/releases/download/124124125/NativeApp_azgEO1k4.exe |
| 800c5cd5ec75d552f00d0aca42bdade317f12aa797103b9357d44962e8bcd37a | hxxps://lakeplacidluxuryhomes[.]com/updatepage/ | hxxps://github[.]com/magupdate/Freshversion10/releases/download/12315151/NativeApp_01C02RhQ.exe |
| | hxxps://lakeplacidluxuryhomes[.]com/webpage37/ | |
| | hxxps://lakeplacidluxuryhomes[.]com/pagenow/ | |
| 5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942 | hxxps://primetimeessentials[.]com/newpagyes/ | hxxps://github[.]com/kopersparan/Downloadable/releases/download/314/Paranoide.exe |
| 3e8ef8ab691f2d5b820aa7ac805044e5c945d8adcfc51ee79d875e169f925455 | hxxps://razorskigrips[.]com/newnewpage/ | hxxps://github[.]com/mp3andmovies/installer/releases/download/versoin4124/AevellaAi.2.exe |
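As an added example (not code from the Trend Micro report or from this article), the script below transcribes the IOCs from the table, refangs them, and sweeps constructed proxy and EDR log lines for three kinds of evidence: an exact hit on a staging or release-asset URL, a request to one of the originating hosts, and a file hash matching a listed SHA256. Because the originating sites look like compromised legitimate domains rather than attacker-registered ones, a host-only hit is scored for analyst review rather than as a confirmed infection, and an executable fetched from any GitHub release asset (the delivery pattern the campaign relies on) is flagged only as a low-confidence lead. The log formats, the hostname WS-042 and the repository example-org/tool are assumptions made for the sample.

```python
import re

# IOCs transcribed from the table above, kept in defanged form (hand-copied list, not a live feed).
IOC_SHA256 = {
    "de6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430",
    "afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0",
    "b87ff3da811a598c284997222e0b5a9b60b7f79206f8d795781db7b2abd41439",
    "cd207b81505f13d46d94b08fb5130ddae52bd1748856e6b474688e590933a718",
    "823d37f852a655088bb4a81d2f3a8bfd18ea4f31e7117e5713aeb9e0443ccd99",
    "380920dfcdec5d7704ad1af1ce35feba7c3af1b68ffa4588b734647f28eeabb7",
    "d8ae7fbb8db3b027a832be6f1acc44c7f5aebfdcb306cd297f7c30f1594d9c45",
    "15b195152a07bb22fec82aa5c90c7ff44a10c0303446ce11f683094311a8916b",
    "800c5cd5ec75d552f00d0aca42bdade317f12aa797103b9357d44962e8bcd37a",
    "5550ea265b105b843f6b094979bfa0d04e1ee2d1607b2e0d210cd0dea8aab942",
    "3e8ef8ab691f2d5b820aa7ac805044e5c945d8adcfc51ee79d875e169f925455",
}
IOC_DEFANGED_URLS = [
    "hxxps://eaholloway[.]com/updatepage333",
    "hxxps://github[.]com/viewfilenow/Downloadnew/releases/download/3214214/Pictore.exe",
    "hxxps://afterpm[.]com/pricedpage/",
    "hxxps://enricoborino[.]com/propage66",
    "hxxps://github[.]com/down4up/44/releases/download/33/App_aeIGCY3g.exe",
    "hxxp://sacpools[.]com/pratespage",
    "hxxps://github[.]com/zabdownload/v14981950815/releases/download/23113123/Squarel_JhZjXa.exe",
    "hxxps://startherehosting[.]net/todaypage",
    "hxxps://kassalias[.]com/pageagain/",
    "hxxps://pmpdm[.]com/webcheck357",
    "hxxps://github[.]com/g1lsetup/iln7/releases/download/423425325/NanoPhanoTool.exe",
    "hxxps://ageless-skincare[.]com/gn/",
    "hxxp://github[.]com/yesfound/worked/releases/download/1/QilawatProtone.exe",
    "hxxps://compass-point-yachts[.]com/nicepage77/pro77.php",
    "hxxps://github[.]com/down7/Settingup/releases/download/set/NativeApp_G5L1NHZZ.exe",
    "hxxps://pmpdm[.]com/webcheck/",
    "hxxps://github[.]com/JF6DEU/vrc121/releases/download/2025/X-essentiApp.ex_",
    "hxxps://github[.]com/g1lsetup/v2025/releases/download/ex/X-essentiApp.exe",
    "hxxps://comicshopjocks[.]com/nicepage/pro.php",
    "hxxps://github[.]com/dowwnloader/FileSetup/releases/download/124124125/NativeApp_azgEO1k4.exe",
    "hxxps://lakeplacidluxuryhomes[.]com/updatepage/",
    "hxxps://lakeplacidluxuryhomes[.]com/webpage37/",
    "hxxps://lakeplacidluxuryhomes[.]com/pagenow/",
    "hxxps://github[.]com/magupdate/Freshversion10/releases/download/12315151/NativeApp_01C02RhQ.exe",
    "hxxps://primetimeessentials[.]com/newpagyes/",
    "hxxps://github[.]com/kopersparan/Downloadable/releases/download/314/Paranoide.exe",
    "hxxps://razorskigrips[.]com/newnewpage/",
    "hxxps://github[.]com/mp3andmovies/installer/releases/download/versoin4124/AevellaAi.2.exe",
]

def refang(ioc):
    """Turn the defanged notation used in the table back into a real URL for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def url_host(url):
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""

IOC_URLS = {refang(u) for u in IOC_DEFANGED_URLS}
# Originating hosts only: github.com itself is far too common to treat as an indicator.
IOC_HOSTS = {url_host(u) for u in IOC_URLS} - {"github.com"}

# Assumed log formats: "<ts> <client> <method> <url> <status>" (proxy) and "... sha256=<hex>" (EDR).
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(?P<url>\S+)\s+(\d{3})$")
EDR_SHA_RE = re.compile(r"\bsha256=(?P<sha>[0-9a-fA-F]{64})\b")
# Weak heuristic for the delivery pattern: an executable pulled straight from a GitHub release asset.
GH_RELEASE_EXE_RE = re.compile(r"^https?://github\.com/[^/\s]+/[^/\s]+/releases/download/[^/\s]+/\S+\.(exe|ex_)$", re.I)

def classify(line):
    """Return (severity, reason) for one log line, or None when nothing matches."""
    m = PROXY_RE.match(line)
    if m:
        url = m.group("url")
        if url in IOC_URLS:
            return ("high", "exact IOC URL " + url)
        host = url_host(url)
        if host in IOC_HOSTS:
            return ("medium", "request to compromised staging host " + host)
        if GH_RELEASE_EXE_RE.match(url):
            return ("low", "executable downloaded from a GitHub release asset " + url)
        return None
    m = EDR_SHA_RE.search(line)
    if m and m.group("sha").lower() in IOC_SHA256:
        return ("high", "file hash matches campaign IOC " + m.group("sha").lower())
    return None

def scan(lines):
    """Return [(line_number, severity, reason), ...] for every line that matches an indicator."""
    return [(n, *v) for n, line in enumerate(lines, 1) if (v := classify(line))]

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    "2025-01-14T10:21:03Z 10.0.0.12 GET https://eaholloway.com/updatepage333 302",
    "2025-01-14T10:21:04Z 10.0.0.12 GET https://github.com/viewfilenow/Downloadnew/releases/download/3214214/Pictore.exe 200",
    "2025-01-14T10:25:40Z 10.0.0.33 GET https://lakeplacidluxuryhomes.com/otherpage/ 200",
    "2025-01-14T10:30:11Z 10.0.0.45 GET https://github.com/example-org/tool/releases/download/v1.0/Setup.exe 200",
    "2025-01-14T10:31:00Z 10.0.0.45 GET https://github.com/example-org/tool/releases/download/v1.0/README.md 200",
    r"2025-01-14T10:21:09Z host=WS-042 event=FileCreate path=C:\Users\alice\Downloads\Pictore.exe sha256=DE6FCDF58B22A51D26EACB0E2C992D9A894C1894B3C8D70F4DB80044DACB7430",
    "2025-01-14T10:21:10Z host=WS-042 event=FileCreate path=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
]

for n, sev, why in scan(SAMPLE_LOGS):  # demo run over the constructed sample
    print(f"line {n}: [{sev}] {why}")
```

Run over the sample, the two requests that reproduce the first table row and the EDR event carrying the Pictore.exe hash come back as high, the request to a different path on lakeplacidluxuryhomes[.]com as medium, and the unrelated GitHub release download as low; the README fetch and the clean notepad.exe event produce nothing. In a real deployment the hash and URL sets would be loaded from a managed indicator store rather than hard-coded, and the medium-severity host hits are the ones worth correlating with a subsequent GitHub release download from the same client.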