Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Threat Actors Abuse GitHub to Distribute Multiple Information Stealers

Russian-speaking threat actors are caught abusing a GitHub profile to distribute information stealers posing as legitimate software.

Threat intelligence firm Recorded Future on Tuesday raised an alarm for a malicious campaign abusing a legitimate GitHub profile to distribute information stealing malware.

As part of the campaign, Russian-speaking threat actors operating out of the Commonwealth of Independent States (CIS) have been distributing Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo malware by impersonating legitimate applications such as 1Password, Bartender 5, and Pixelmator Pro.

The malware operations shared the same command-and-control (C&C) infrastructure, suggesting that a centralized setup was used in cross-platform attacks, likely to increase efficiency, Recorded Future notes in a new report (PDF).

Early 2024 industry reporting showed that AMOS was being distributed through deceptive websites, impersonating legitimate macOS applications, including an installation file for Slack, and via fraudulent Web3 gaming projects.

Using these reports as a starting point, Recorded Future identified 12 websites advertising legitimate macOS software but redirecting victims to a GitHub profile distributing AMOS instead. The profile was also seen distributing the Octo Android banking trojan and various Windows infostealers.

The GitHub profile, belonging to a user named ‘papinyurii33’, was created on January 16, 2024 and contained only two repositories. Recorded Future said its researchers observed multiple changes made to the files in these repositories in February and early March, but no new activity since March 7.

The investigation also revealed the use of a FileZilla file transfer protocol FTP server for malware management and for distributing the Lumma and Vidar information stealers.

In addition, Recorded Future said it discovered several IP addresses associated with the campaign, including four IPs associated with the C&C infrastructure for the DarkComet RAT and a FileZilla FTP server used for distributing it. Between August 2023 and February 2024, Raccoon Stealer was also distributed using these FTP servers.

Advertisement. Scroll to continue reading.

Corroborating the findings with reports from Cyfirma, CERT-UA, Cyble, and Malwarebytes, Recorded Future concluded that they refer to attacks orchestrated by the same threat actor as part of a large-scale campaign.

The cybersecurity firm advises organizations to use automated code scanning tools to perform code assessments for all code obtained from external repositories and to identify potential malware or suspicious patterns.

Related: 21 New Mac Malware Families Emerged in 2023

Related: Threat Actors Manipulate GitHub Search to Deliver Malware

Related: Ransomware Declines as InfoStealers and AI Threats Gain Ground

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights