The attack explicitly targets users searching for game cheats, software cracks, and automation tools, exploiting their trust in the popular code-sharing platform to deliver dangerous payloads, including the Rhadamanthys information stealer.
The threat actors have created meticulously crafted GitHub repositories that appear entirely legitimate, complete with professional README files, project overviews, and detailed installation instructions.
These repositories rank highly in Google search results for terms like “game hacks” and “software crack,” making them easily discoverable by potential victims.
The malicious repositories cover popular gaming topics, including Maple Story cheats, Minecraft clients, Call of Duty hacks, and various software cracks for applications like VSDC Video Editor Pro.
Each repository contains a compressed file that houses four components: a legitimate Lua loader (java.exe/luajit.exe), a malicious batch file (Launcher.cmd), the Luajit runtime interpreter (lua51.dll), and an obfuscated Lua script (module.class).
When users execute the Launcher.cmd file following the provided instructions, the system loads the malicious Lua script through the legitimate Lua loader, effectively launching SmartLoader while appearing to run trusted software.
Once activated, SmartLoader establishes persistence by copying its components to “%AppData%\ODE3” and registering itself in Windows Task Scheduler as “SecurityHealthService_ODE3.”
The malware immediately captures screenshots and system information, transmitting this data to its command and control server at 89.169.13[.]215 using Base64 encoding and byte operations for encryption.
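The artifacts named above (the four-component bundle, the ODE3 persistence folder and task name, and the C2 address) can be turned into simple hunting rules. The following is an added example written for this article, not code from the researchers or the article itself; it works on constructed inventories (an archive member list, scheduled-task records, remote IPs) so it runs offline.

```python
from __future__ import annotations
from dataclasses import dataclass
import posixpath

# Bundle components named in the article; the Lua loader ships under either name.
LOADER_NAMES = {"java.exe", "luajit.exe"}
OTHER_COMPONENTS = {"launcher.cmd", "lua51.dll", "module.class"}
# Persistence and C2 artifacts named in the article (task name, folder, C2 IP).
TASK_NAME = "securityhealthservice_ode3"
PERSIST_DIR_MARKERS = ("\\appdata\\roaming\\ode3\\", "%appdata%\\ode3\\")
C2_IP = "89.169.13.215"

@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str

def scan_archive_listing(paths: list[str]) -> list[Finding]:
    """Flag an archive member list that carries the full four-part bundle.

    A hit needs the loader, Launcher.cmd, lua51.dll and module.class together;
    lua51.dll on its own is normal in legitimate Lua projects and is ignored.
    """
    names = {posixpath.basename(p).lower() for p in paths}
    loaders = names & LOADER_NAMES
    if loaders and OTHER_COMPONENTS <= names:
        return [Finding("smartloader_bundle", ", ".join(sorted(loaders | OTHER_COMPONENTS)))]
    return []

def scan_scheduled_tasks(tasks: list[dict[str, str]]) -> list[Finding]:
    """Flag tasks by the known name or by an action run out of the ODE3 folder.

    Each task is a dict with 'name' and 'command', e.g. parsed from a schtasks export.
    """
    findings = []
    for task in tasks:
        command = task.get("command", "").lower().replace("/", "\\")
        if task.get("name", "").lower() == TASK_NAME:
            findings.append(Finding("smartloader_task_name", task["name"]))
        elif any(marker in command for marker in PERSIST_DIR_MARKERS):
            findings.append(Finding("smartloader_task_path", task["command"]))
    return findings

def scan_connections(remote_ips: list[str]) -> list[Finding]:
    """Flag outbound connections to the C2 address reported in the article."""
    return [Finding("smartloader_c2", ip) for ip in remote_ips if ip == C2_IP]
```

Feed it the member list of a downloaded archive before extraction, and a scheduled-task export plus firewall or proxy logs from endpoints; the bundle rule requires all four components so a lone lua51.dll does not fire.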
The C2 server responds with JSON-formatted commands containing two critical elements: loader configuration settings and a tasks array specifying additional payloads to download.
During analysis, researchers identified three secondary payloads: an additional Lua script (adobe.lua) that mirrors SmartLoader’s functionality, and both 64-bit and 32-bit versions of Rhadamanthys stealer shellcode.
Rhadamanthys represents a significant threat, capable of injecting itself into legitimate Windows processes, including openwith.exe, dialer.exe, dllhost.exe, and rundll32.exe.
Once embedded, it systematically exfiltrates sensitive information related to email accounts, FTP credentials, and online banking services.
The campaign demonstrates advanced evasion techniques, with all communications encrypted and malicious code obfuscated within seemingly innocent Lua scripts. The use of GitHub’s infrastructure provides additional legitimacy, as many users inherently trust repositories hosted on the platform.
Security experts recommend downloading software exclusively from official sources and carefully vetting repository credentials, commit histories, and author reputations before executing any downloaded code, regardless of professional presentation quality.
The post GitHub-Hosted SmartLoader – Masquerading as Legitimate Projects to Infect Users appeared first on Cyber Security News.