Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Large-scale distribution of SmartLoader malware has been observed through GitHub repositories masquerading as legitimate projects. These repositories are themed around game cheats, software cracks, and automation tools to attract users. The malware is distributed in compressed files containing a legitimate Lua loader executable, a malicious batch file, and an obfuscated Lua script. Once executed, SmartLoader establishes persistence, sends system information to a C2 server, and downloads additional payloads. It has been observed downloading infostealers such as Rhadamanthys, RedLine, and Lumma Stealer. Users are advised to download software only from official sources and to verify the credibility of a GitHub repository before using anything it distributes.
OPENCTI LABELS :
redline,c2,infostealer,obfuscation,rhadamanthys,lumma stealer,github,persistence,smartloader,game-cheats,software-cracks,luascript
AI COMMENTARY :
1. Security researchers uncovered a campaign centered on SmartLoader malware distributed via GitHub repositories that masquerade as legitimate projects. A user searching for game cheats or software cracks encounters a repository that appears to host harmless automation tools or Lua scripts. The downloaded archive contains a genuine Lua loader executable alongside an obfuscated Lua script and a malicious batch file. The facade of legitimate code draws users in, letting threat actors borrow GitHub's reputation to spread their infostealer payloads.
2. The distribution strategy relies on enticing keywords and repository names tied to popular categories such as game-cheats and software-cracks. The embedded Lua script is obfuscated to conceal SmartLoader's real functionality, and the batch file exists to start the legitimate Lua interpreter with that script as its argument, so the process that runs is a benign binary and the malicious logic lives entirely in the script. Once the victim runs the batch file, SmartLoader installs a persistence mechanism so that it survives restarts and keeps its foothold. This approach shows how an open-source collaboration platform can be turned into an unwitting malware host.
3. Once active on the victim's machine, SmartLoader collects system information and sends it to a remote command and control (C2) server, which then tasks it to download additional payloads. Observed secondary payloads include the well-known infostealers RedLine, Rhadamanthys, and Lumma Stealer. These stealers harvest credentials, browser data, cryptocurrency wallets, and other valuable information and relay it to the operators. The multi-stage infection chain highlights the modular nature of these threats and the central role of C2 in staging payloads and orchestrating data theft.
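The delivery triad described in paragraphs 1 to 3 (a legitimate Lua interpreter, a batch file that launches it, and an obfuscated Lua script) can be recognised on disk before anything is executed. The following triage script is an added example and not code from the report or from any of the tools it names; the file names, the batch command line, the Lua bodies and the obfuscation thresholds are all constructed assumptions. It walks an extracted download, finds batch files that invoke a Lua interpreter with a .lua argument, and scores the referenced script for common obfuscation indicators (long runs of decimal byte escapes, base64-looking literals, high entropy, and runtime code assembly via load/loadstring).

```python
"""Triage an extracted download for the delivery triad the report describes:
a legitimate Lua interpreter (.exe), a batch file that launches it against a
Lua script, and an obfuscated Lua script.

Added example, not code from the report. File names, batch lines, Lua bodies
and thresholds below are constructed assumptions for illustration."""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Interpreter names such as lua.exe, lua5.1.exe, luajit.exe (assumed naming).
LUA_EXE_RE = re.compile(r"(lua(?:jit)?[\d.]*\.exe)\b", re.IGNORECASE)
# A .lua argument on the same command line, surrounding quotes excluded.
LUA_ARG_RE = re.compile(r'"?([^\s"]+\.lua)\b', re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def lua_obfuscation_score(text: str) -> dict:
    """Cheap indicators that are common in obfuscated Lua loaders."""
    return {
        "entropy": round(shannon_entropy(text.encode("utf-8", "replace")), 2),
        # runs of decimal byte escapes ("\104\101...") used to hide strings
        "escape_runs": len(re.findall(r"(?:\\\d{1,3}){16,}", text)),
        # code assembled from a string at runtime
        "dynamic_load_calls": len(re.findall(r"\b(?:load|loadstring)\s*\(", text)),
        # long base64-looking string literals
        "long_encoded_strings": len(re.findall(r"[\"'][A-Za-z0-9+/=]{128,}[\"']", text)),
    }


def find_launchers(root: Path) -> list:
    """Batch files that run a Lua interpreter with a .lua script argument."""
    hits = []
    for p in root.rglob("*"):
        if p.suffix.lower() not in {".bat", ".cmd"}:
            continue
        for line in p.read_text(errors="replace").splitlines():
            exe = LUA_EXE_RE.search(line)
            if exe:
                hits.append({"launcher": p.name, "interpreter": exe.group(1),
                             "scripts": LUA_ARG_RE.findall(line)})
    return hits


def triage(root: Path) -> dict:
    """Flag the directory when a launcher points at an obfuscated script."""
    findings = {"launchers": find_launchers(root), "scripts": {}, "suspicious": False}
    for launcher in findings["launchers"]:
        for script in launcher["scripts"]:
            path = root / Path(script).name
            if not path.is_file():
                continue
            score = lua_obfuscation_score(path.read_text(errors="replace"))
            findings["scripts"][path.name] = score
            hidden = (score["escape_runs"] or score["long_encoded_strings"]
                      or score["entropy"] > 5.0)
            if score["dynamic_load_calls"] and hidden:
                findings["suspicious"] = True
    return findings


def build_sample(root: Path, obfuscated: bool) -> None:
    """Constructed sample archive contents (not real SmartLoader artifacts)."""
    (root / "lua5.1.exe").write_bytes(b"MZ placeholder standing in for a real interpreter")
    (root / "run.bat").write_text('@echo off\nstart "" "lua5.1.exe" "main.lua"\n')
    if obfuscated:
        payload = "".join(f"\\{b}" for b in b"print('stage two would run here')" * 4)
        (root / "main.lua").write_text(f'local s = "{payload}"\nload(s)()\n')
    else:
        (root / "main.lua").write_text('print("hello from a plain script")\n')


def demo(obfuscated: bool) -> dict:
    """Build a sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample(root, obfuscated)
        return triage(root)


if __name__ == "__main__":
    print(demo(True))   # suspicious: launcher + escaped payload + load()
    print(demo(False))  # same launcher shape, plain script: not flagged
```

The interpreter is deliberately not inspected beyond its name: the report's point is that it is a legitimate binary, so a hash or signature check on it proves nothing. The signal is the pairing of a benign interpreter with a launcher and a script that hides what it will execute.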
4. The impact of the SmartLoader campaign falls mainly on individual users and small organizations that rely on community-sourced tools. Victims often remain unaware of the infection until credential theft or unusual network traffic becomes visible. Pairing a legitimate Lua loader with malicious payloads reflects a growing trend in which attackers blend genuine open-source components with harmful code. The hybrid approach raises the success rate and complicates detection, because the interpreter itself is benign and only the batch file and the obfuscated script carry malicious logic, so a product that inspects only part of the toolchain may see nothing wrong.
5. To defend against this threat, users should download software and scripts only from official sources or verified publishers. Checking a GitHub repository's credibility means looking at contributor history, star counts, recent activity, and issue discussions for anomalies, and treating any download that pairs a scripting interpreter with a batch launcher and an obfuscated script as suspicious regardless of how reputable the repository looks. Endpoint protection that can detect obfuscation patterns and network behavior indicative of C2 communication is also essential. Keeping software updated, applying strong authentication, and auditing credentials periodically limit the fallout if SmartLoader or an infostealer does get through.
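The repository checks listed above can be scripted against the metadata GitHub already exposes. The function below is an added example, not code from the report or from GitHub; it consumes dictionaries shaped like the REST API responses for GET /repos/{owner}/{repo}, GET /users/{login}, the contributors list and the releases list, but the two repositories it scores are constructed, and every threshold, flag name and lure keyword is an assumption to be tuned. It flags young repositories and owner accounts, single-contributor projects, lure vocabulary in the name, description or topics, disabled issues, star counts with no forks, and prebuilt archive releases shipped from a near-empty source tree.

```python
"""Heuristic credibility check for a GitHub repository, using fields of the
shape returned by the GitHub REST API (GET /repos/{owner}/{repo},
GET /users/{login}, GET /repos/{owner}/{repo}/contributors,
GET /repos/{owner}/{repo}/releases).

Added example, not code from the report or from GitHub. The two repositories
below are constructed, and every threshold, flag and lure term is an
assumption to be tuned."""
from datetime import datetime, timedelta, timezone

LURE_TERMS = ("cheat", "crack", "keygen", "aimbot", "bypass", "unlocker")
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
CLOCK = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed so results are reproducible


def parse_ts(value: str) -> datetime:
    """GitHub timestamps look like 2024-12-30T10:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_repo(repo: dict, owner: dict, contributors: list, releases: list,
                now: datetime = CLOCK) -> dict:
    flags = []
    if now - parse_ts(repo["created_at"]) < timedelta(days=90):
        flags.append("repo_younger_than_90d")
    if now - parse_ts(owner["created_at"]) < timedelta(days=90):
        flags.append("owner_account_younger_than_90d")
    if len(contributors) <= 1:
        flags.append("single_contributor")
    blurb = " ".join([repo["name"], repo.get("description") or "",
                      *repo.get("topics", [])]).lower()
    if any(term in blurb for term in LURE_TERMS):
        flags.append("lure_keywords")
    if not repo.get("has_issues", True):
        flags.append("issues_disabled")
    if repo["stargazers_count"] >= 100 and repo["forks_count"] == 0:
        flags.append("stars_without_forks")
    # `size` is the repository size in KB: a near-empty tree that ships
    # prebuilt archives means users cannot review what they are running.
    for release in releases:
        for asset in release.get("assets", []):
            if asset["name"].lower().endswith(ARCHIVE_SUFFIXES) and repo["size"] < 100:
                flags.append("archive_release_from_near_empty_repo:" + asset["name"])
    level = "high" if len(flags) >= 3 else "medium" if flags else "low"
    return {"full_name": repo["full_name"], "risk": level, "flags": flags}


# Constructed inputs: a lure repository and an established project.
LURE_REPO = {"full_name": "newacct/GameCheat-Loader", "name": "GameCheat-Loader",
             "description": "free aimbot + crack pack, one-click automation",
             "topics": ["game-cheats", "software-cracks"],
             "created_at": "2025-01-03T08:00:00Z", "has_issues": False,
             "size": 12, "stargazers_count": 140, "forks_count": 0}
LURE_OWNER = {"login": "newacct", "created_at": "2024-12-30T10:15:00Z"}
LURE_CONTRIBUTORS = [{"login": "newacct", "contributions": 3}]
LURE_RELEASES = [{"tag_name": "v1.0", "assets": [{"name": "Loader.zip"}]}]

SOLID_REPO = {"full_name": "maintainers/lua-utils", "name": "lua-utils",
              "description": "Utility library for Lua 5.x", "topics": ["lua"],
              "created_at": "2019-06-11T12:00:00Z", "has_issues": True,
              "size": 3400, "stargazers_count": 2100, "forks_count": 310}
SOLID_OWNER = {"login": "maintainers", "created_at": "2014-05-02T00:00:00Z"}
SOLID_CONTRIBUTORS = [{"login": f"dev{i}", "contributions": 10} for i in range(24)]
SOLID_RELEASES = [{"tag_name": "v1.2.0", "assets": [{"name": "lua-utils-1.2.0.tar.gz"}]}]


def demo() -> tuple:
    """Score both constructed repositories."""
    return (assess_repo(LURE_REPO, LURE_OWNER, LURE_CONTRIBUTORS, LURE_RELEASES),
            assess_repo(SOLID_REPO, SOLID_OWNER, SOLID_CONTRIBUTORS, SOLID_RELEASES))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

None of these signals is conclusive on its own: a brand-new repository by a new account is also what an honest first project looks like. The combination, and in particular an archive-only release from a repository with almost no source to read, is what should stop a download.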
6. The SmartLoader malware campaign serves as a stark reminder that even trusted platforms can be co-opted for malicious purposes. By exploiting user trust in open-source code and popular software categories, attackers have constructed a potent attack chain that delivers high-value infostealer payloads. Remaining vigilant, practicing sound repository hygiene, and employing robust security controls are paramount to preventing this sophisticated threat from compromising sensitive data and systems.