New Campaigns Distribute Malware via Open Source Hacking Tools

Trend Micro and ReversingLabs uncovered over 100 GitHub accounts distributing malware embedded in open source hacking tools.

Security researchers at Trend Micro and ReversingLabs have uncovered two fresh campaigns targeting red teams, novice cybercriminals, and developer environments via trojanized open source hacking tools.

Attributed by Trend Micro to a threat actor named Water Curse, one of the campaigns involved at least 76 GitHub accounts linked to repositories that had malicious payloads injected into build scripts and project files.

The payloads were designed to steal credentials, browser data, and session tokens, as well as to provide the threat actor with persistent remote access to the compromised systems.

According to Trend Micro, Water Curse is a financially motivated adversary that likely began using GitHub accounts for nefarious activities in March 2023.

“Water Curse primarily targets red teams and penetration testers, developers, and gamers, reflecting a hybrid strategy that blends supply chain compromise with opportunistic exploitation across digital communities,” the cybersecurity firm notes.

The threat actor hid the malicious payloads in the Visual Studio project configuration files of an SMTP email bomber and Sakura RAT. Tools employed throughout the campaign include C#, JavaScript, PowerShell, and VBS scripts, as well as compiled PE binaries.
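As an added illustration, not code from the article or from Trend Micro's report, the following Python scans a Visual Studio project file for MSBuild build hooks (the PreBuildEvent/PostBuildEvent properties and Exec tasks) and flags command lines that match common download-and-execute patterns. The project file is a constructed sample, and the assumption that build-event properties were the injection point is the example's own; the article only says the payloads sat in project configuration files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj (not a file from any real repository): one
# build-event hook running an encoded PowerShell command, one benign Exec.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>powershell -nop -w hidden -enc AAAA</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="dotnet tool restore" />
  </Target>
</Project>
"""

# Heuristic indicators of build-time command execution worth a manual look.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc\b|-encodedcommand|cmd\s*/c|wscript|cscript|"
    r"mshta|certutil|bitsadmin|invoke-webrequest|iwr\b|curl\b|wget\b|"
    r"downloadstring|frombase64string|rundll32|regsvr32",
    re.IGNORECASE,
)


def _local(tag):
    # Strip the MSBuild XML namespace that old-style .csproj files carry.
    return tag.rsplit("}", 1)[-1]


def scan_csproj(text):
    """Return (hook, command, suspicious) for every build hook in the file."""
    root = ET.fromstring(text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and elem.text:
            cmd = elem.text.strip()
            findings.append((name, cmd, bool(SUSPICIOUS.search(cmd))))
        elif name == "Exec" and elem.get("Command"):
            cmd = elem.get("Command").strip()
            findings.append(("Exec", cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


if __name__ == "__main__":
    for hook, cmd, bad in scan_csproj(SAMPLE_CSPROJ):
        print(("SUSPICIOUS " if bad else "review     ") + f"{hook}: {cmd}")
```

Every build hook is listed, not only the flagged ones, because any command that runs at build time deserves a look before a cloned tool is compiled.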

ReversingLabs has uncovered a campaign involving more than 67 GitHub repositories promising Python-based hacking tools, but delivering trojanized look-alikes of other repositories.

As part of the campaign, attributed to a threat actor named Banana Squad, each GitHub account had only one repository listed under its name, suggesting that malware distribution was the sole purpose of every one of them.

The campaign began in early June, but ReversingLabs linked it to previous reports on similar malicious activity flagged by Checkmarx in 2023.

Both incidents mirror a campaign recently uncovered by Sophos, which appears linked to a distribution-as-a-service (DaaS) operation that has been ongoing since 2022, and which has used thousands of GitHub accounts to distribute malware embedded in open source tools.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.