109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware

A large-scale malware distribution campaign has been uncovered involving 109 fake GitHub repositories that were used to trick users into downloading two dangerous malware tools named SmartLoader and StealC.

The campaign was carefully built around cloned versions of legitimate open-source projects, making it hard for everyday users to spot the difference between what was real and what was fake.

The threat actor behind this campaign copied real GitHub projects, republished them under different accounts, and replaced the original documentation with download buttons pointing to malicious ZIP files.

These ZIP files were hidden deep inside the repository folder structures, designed to look like ordinary release packages. The source code of the cloned projects was mostly left intact, which made the fake repositories appear credible at first glance.

A user who trusted a project name or quickly scanned the code could easily be directed toward a harmful download without ever knowing it.

Hexastrike analysts identified 109 malicious repositories spread across 103 separate GitHub accounts. The campaign showed signs of having been active for at least seven weeks before their review, and new repositories were still appearing as of April 12, 2026.

Researchers noted that the repositories were updated in batches when download links rotated to new ZIP files, a pattern pointing toward centralized control and at least partial automation by a single threat actor or tightly controlled cluster.

The consistent archive layout, README structure, staging pattern, and malware family across all repositories confirmed this assessment.

The impact of this campaign reaches beyond just individual users. Because GitHub is widely trusted as a platform by developers, students, and security professionals, fake repositories sitting beside real ones in search results carry natural credibility.

The threat actor even added unrelated SEO terms to repository descriptions to boost visibility and attract more victims.

Collected data from infected machines was quietly sent to command-and-control servers, and the malware also carried a follow-on information stealer named StealC, designed to harvest sensitive data from compromised systems.

How SmartLoader Works After Download

Once a victim downloads and extracts the ZIP file, a single-line batch script launches a LuaJIT interpreter, which runs a heavily obfuscated Lua script known as SmartLoader.

Multiple malicious repositories from a single user account (Source - Hexastrike)

From the victim’s perspective, nothing visible happens on screen because the malware uses Windows API calls to hide its console window immediately after execution.

SmartLoader then performs an anti-debug check using native shellcode copied into executable memory, a technique designed to stop security researchers from analyzing its behavior.

To locate its active command-and-control server without hardcoding an address, SmartLoader queries a Polygon blockchain smart contract using a JSON-RPC call to polygon.drpc.org, retrieving the live server IP from an on-chain value.

ZIP file placed deeply inside the repository directory structure (Source - Hexastrike)

This method, known as a blockchain dead drop resolver, allows the operator to swap infrastructure by updating a single on-chain entry rather than rebuilding the malware or changing every staged sample.

After resolving the active server, SmartLoader sends a multipart POST request containing host fingerprinting details and screenshots to a bare-IP command-and-control server.

SmartLoader (Source - Hexastrike)

The server responds with encrypted instructions and tasks. Persistence is then established through two daily scheduled tasks, with names such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757” to blend in with legitimate system activity.

One task runs a locally cached copy of the Lua stage, while the other re-downloads a fresh encrypted stage directly from a separate attacker-controlled GitHub repository.

This dual-path persistence ensures the malware survives even if one recovery route is blocked or cleaned. The same staging repository also hosted an encrypted StealC payload that SmartLoader was capable of decrypting and loading directly in memory without writing it to disk.

Security teams and individual users should take the following protective steps based on findings from this campaign:

  • Always verify the original source of a GitHub project before downloading any archive or installer, preferring official releases over ZIP files buried inside repository folders.
  • Monitor outbound connections to blockchain RPC endpoints such as polygon.drpc.org, especially from non-browser processes, as this is a strong early indicator of dead drop resolver behavior.
  • Watch for batch-launched unsigned executables that reference script files with .txt or .log extensions running from user-writable paths like Downloads or %TEMP%.
  • Flag multipart POST requests directed at bare IP addresses, particularly those with URI paths starting with /api/ or /task/, as these align directly with SmartLoader’s exfiltration pattern.
  • Enforce application controls that block unsigned interpreters and script launchers from executing outside standard installation directories.
  • Alert on scheduled task creation where the action points to an executable stored under %LOCALAPPDATA%, especially when command-line arguments include raw.githubusercontent.com.
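The detection guidance above can be turned into concrete triage rules. The following is an added example written for this article, not code from Hexastrike or from the original post: a small Python rule set that runs over constructed endpoint and network telemetry and flags the behaviours listed (non-browser connections to polygon.drpc.org, multipart POSTs to bare IPs under /api/ or /task/, unsigned batch-launched executables referencing .txt/.log files in user-writable paths, and scheduled tasks whose action lives under %LOCALAPPDATA% or references raw.githubusercontent.com). The `Event` field names, the browser allow-list, the user-writable path hints and every sample event are assumptions constructed for the example; only the indicator strings themselves come from the article.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator values taken from the article; everything else here is an assumption.
BLOCKCHAIN_RPC_HOSTS = {"polygon.drpc.org"}
STAGING_HOST = "raw.githubusercontent.com"
EXFIL_PATH_PREFIXES = ("/api/", "/task/")
# Assumed allow-list of processes that are expected to reach RPC endpoints.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed user-writable locations, matched case-insensitively on backslash paths.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\")
SCRIPT_EXT_RE = re.compile(r"\S+\.(?:txt|log)(?=\s|$)", re.IGNORECASE)


@dataclass
class Event:
    """One telemetry record; the schema is invented for this example."""
    kind: str                  # "net", "proc" or "task"
    process: str = ""          # image name of the acting process
    parent: str = ""           # parent image name (proc events)
    signed: bool = True        # Authenticode status as reported by the sensor
    cmdline: str = ""          # full command line (proc events)
    dst_host: str = ""         # hostname or bare IP (net events)
    method: str = ""           # HTTP method (net events)
    path: str = ""             # URI path (net events)
    content_type: str = ""     # request Content-Type (net events)
    task_action: str = ""      # action string of a created scheduled task


def is_bare_ip(host: str) -> bool:
    """True when the destination is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_event(ev: Event) -> list:
    """Return the names of every rule the event triggers, in rule order."""
    hits = []
    if ev.kind == "net":
        if ev.dst_host.lower() in BLOCKCHAIN_RPC_HOSTS and ev.process.lower() not in BROWSER_IMAGES:
            hits.append("blockchain_rpc_from_nonbrowser")
        if (ev.method.upper() == "POST"
                and is_bare_ip(ev.dst_host)
                and ev.content_type.lower().startswith("multipart/form-data")
                and ev.path.startswith(EXFIL_PATH_PREFIXES)):
            hits.append("multipart_post_to_bare_ip")
    elif ev.kind == "proc":
        cl = ev.cmdline.lower()
        if (ev.parent.lower() == "cmd.exe" and not ev.signed
                and SCRIPT_EXT_RE.search(ev.cmdline)
                and any(hint in cl for hint in USER_WRITABLE_HINTS)):
            hits.append("unsigned_script_runner_from_user_path")
    elif ev.kind == "task":
        action = ev.task_action.lower()
        if "%localappdata%" in action or "\\appdata\\local\\" in action:
            hits.append("task_action_under_localappdata")
            if STAGING_HOST in action:
                hits.append("task_fetches_from_raw_github")
    return hits


def triage(events: list) -> list:
    """Return (index, hits) for every event that triggered at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


# Constructed sample telemetry: one benign record per category alongside records
# shaped like the article's indicators. Hosts, paths and names are made up.
SAMPLE_EVENTS = [
    Event(kind="net", process="chrome.exe", dst_host="polygon.drpc.org"),
    Event(kind="net", process="runtime.exe", dst_host="polygon.drpc.org"),
    Event(kind="net", process="runtime.exe", dst_host="203.0.113.10", method="POST",
          path="/api/upload", content_type="multipart/form-data; boundary=----x"),
    Event(kind="proc", process="runtime.exe", parent="cmd.exe", signed=False,
          cmdline=r'"C:\Users\alice\Downloads\tool\runtime.exe" C:\Users\alice\Downloads\tool\config.log'),
    Event(kind="task", task_action=r"%LOCALAPPDATA%\AudioManager\runtime.exe -e "
          r"https://raw.githubusercontent.com/example-org/example-repo/main/stage"),
    Event(kind="task", task_action=r"C:\Program Files\Vendor\updater.exe /check"),
]

if __name__ == "__main__":
    for idx, rule_hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rule_hits)}")
```

The rules are deliberately narrow (exact host match, bare IP plus multipart plus path prefix) so they can be run as high-confidence alerts; broader hunting, such as any interpreter launched from Downloads, belongs in a separate lower-severity rule rather than in these conditions.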


The post 109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware appeared first on Cyber Security News.