New Campaigns Distribute Malware via Open Source Hacking Tools

Trend Micro and ReversingLabs uncovered over 100 GitHub accounts distributing malware embedded in open source hacking tools.

Security researchers at Trend Micro and ReversingLabs have uncovered two fresh campaigns targeting red teams, novice cybercriminals, and developer environments via trojanized open source hacking tools.

Attributed by Trend Micro to a threat actor named Water Curse, one of the campaigns involved at least 76 GitHub accounts linked to repositories that had malicious payloads injected into build scripts and project files.

The payloads were designed to steal credentials, browser data, and session tokens, as well as to provide the threat actor with persistent remote access to the compromised systems.

According to Trend Micro, Water Curse is a financially motivated adversary that likely began using GitHub accounts for nefarious activities in March 2023.

“Water Curse primarily targets red teams and penetration testers, developers, and gamers, reflecting a hybrid strategy that blends supply chain compromise with opportunistic exploitation across digital communities,” the cybersecurity firm notes.

The threat actor hid the malicious payloads in the Visual Studio project configuration files of an SMTP email bomber and Sakura RAT. Components used throughout the campaign include C#, JavaScript, PowerShell, and VBS scripts, as well as compiled PE binaries.
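Visual Studio project files can run arbitrary commands at build time through PreBuildEvent/PostBuildEvent properties and `<Exec>` tasks, which is what makes them a convenient hiding place for a payload. The scanner below is an added example, not code from the article or from Trend Micro or ReversingLabs: it lists every build-time command in a `.csproj`/`.vcxproj` so a reviewer can read them before building a freshly cloned repository. The heuristic patterns and the sample project are constructed for illustration and are not indicators from either report.

```python
"""List and triage build-time commands in Visual Studio / MSBuild project files.

Added example (not from the article or the vendor reports). Covers both project
styles: the property form <PostBuildEvent>cmd</PostBuildEvent> used by .csproj,
the nested form <PostBuildEvent><Command>cmd</Command></PostBuildEvent> used by
.vcxproj, and <Exec Command="..."/> tasks inside <Target> elements.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Elements whose content is handed to a shell during the build.
EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
EXEC_ELEMENT = "Exec"

# Review heuristics (constructed assumptions, not indicators from the article).
SUSPICIOUS = [
    (re.compile(r"-enc(odedcommand)?\s", re.I), "encoded PowerShell command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|curl\b|wget\b|certutil", re.I),
     "network download during build"),
    (re.compile(r"(?<![\w.])(cscript|wscript|mshta|regsvr32|rundll32)\b", re.I),
     "script host / proxy execution binary"),
    (re.compile(r"hidden|bypass", re.I), "window-hiding or policy-bypass switch"),
]


@dataclass
class Finding:
    element: str                       # element the command lives in
    command: str                       # the command text as the build would run it
    reasons: list = field(default_factory=list)  # matched heuristics; empty = looks benign


def _local(tag):
    """Strip the MSBuild XML namespace (present in old-style projects) from a tag."""
    return tag.rsplit("}", 1)[-1]


def _command_text(el, name):
    """Return the command string carried by a build-event or Exec element, or None."""
    if name == EXEC_ELEMENT:
        return el.get("Command")
    if name in EVENT_ELEMENTS:
        nested = [c for c in el if _local(c.tag) == "Command"]   # .vcxproj form
        text = nested[0].text if nested else el.text              # .csproj form
        return text.strip() if text and text.strip() else None
    return None


def scan_project(xml_text):
    """Every build-time command in the project, in document order, with matched heuristics."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        cmd = _command_text(el, name)
        if cmd is None:
            continue
        reasons = [label for pattern, label in SUSPICIOUS if pattern.search(cmd)]
        findings.append(Finding(name, cmd, reasons))
    return findings


def suspicious_findings(xml_text):
    """Only the commands that tripped at least one heuristic."""
    return [f for f in scan_project(xml_text) if f.reasons]


# Constructed sample: one ordinary copy step and one build step that launches an
# encoded, window-hidden PowerShell command (payload replaced by a placeholder).
SAMPLE_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="powershell -w hidden -enc &lt;BASE64_PLACEHOLDER&gt;" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in scan_project(SAMPLE_PROJECT):
        verdict = ", ".join(f.reasons) if f.reasons else "no heuristic matched"
        print(f"[{f.element}] {f.command}\n    -> {verdict}")
```

Run it against every `.csproj`, `.vcxproj` and `.targets` file in a cloned repository before opening the solution; a clean project typically has zero or a handful of short, readable commands, so anything encoded or network-facing stands out immediately. The heuristics are deliberately loose and only rank what a human should read first; the full list from `scan_project` is the actual review artifact.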

ReversingLabs has uncovered a campaign involving more than 67 GitHub repositories promising Python-based hacking tools, but delivering trojanized look-alikes of other repositories.

As part of the campaign, attributed to a threat actor named Banana Squad, each GitHub account had only one repository listed under its name, suggesting that malware distribution was the sole purpose of every one of them.


The campaign began in early June, but ReversingLabs linked it to previous reports on similar malicious activity flagged by Checkmarx in 2023.

Both incidents mirror a campaign recently uncovered by Sophos, which appears linked to a distribution-as-a-service (DaaS) operation that has been ongoing since 2022, and which has used thousands of GitHub accounts to distribute malware embedded in open source tools.

Related: Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems

Related: Cyber Insights 2025: Open Source and Software Supply Chain Security

Related: Open Source Package Entry Points May Lead to Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
