A sophisticated malware distribution campaign has been identified, leveraging 109 fake GitHub repositories to deploy the SmartLoader and StealC malware. This operation highlights a growing trend of threat actors exploiting trusted developer platforms to distribute malicious software to unsuspecting users.
The campaign, active for at least seven weeks and still evolving as of April 12, 2026, involved copying legitimate open-source projects from GitHub, republishing them under different accounts, and replacing original documentation with malicious download links. Researchers from Hexastrike uncovered the operation, noting the careful construction of these fake repositories to mimic real projects, making them difficult to distinguish.
How Fake GitHub Repositories Deliver SmartLoader and StealC Malware
The threat actor behind this campaign cloned existing GitHub projects and republished them under other accounts. The one substantive change was to the README: the original documentation was replaced with download buttons pointing at malicious ZIP archives, and those archives were buried deep in the repository's folder structure so that they looked like legitimate release packages. The cloned source code was largely left untouched, which made the repositories more convincing. It also means a reviewer who diffs the clone against its upstream will find nothing wrong; the malicious content is confined to the README link and the archive it points to.
This deceptive strategy aimed to ensnare users who might be attracted by a project’s name or who performed only a cursory review of the code. The attackers also enhanced the visibility of these fake repositories by adding unrelated search engine optimization (SEO) terms to their descriptions. This tactic was intended to broaden their reach and attract a wider pool of potential victims.
Hexastrike analysts identified 109 malicious repositories spread across 103 separate GitHub accounts, and new repositories kept appearing while the analysis was under way. Repositories were updated in batches, with the README download links rotating to new ZIP files at the same time. That pattern is consistent with a single operator, or a closely coordinated group, running tooling against the whole set rather than maintaining each repository by hand. It also means any indicator tied to a particular archive URL or file hash is short-lived.
The consistent archive layout, README structure, staging patterns, and the specific malware families deployed across all identified repositories strongly supported the assessment of a unified operation. The impact of this campaign extends beyond individual users. GitHub’s strong reputation as a trusted platform for developers, students, and cybersecurity professionals lends a degree of inherent credibility to any content hosted there. The presence of these fake repositories alongside legitimate ones within search results can easily mislead users.
How SmartLoader Works After Download
Once the victim extracts the ZIP, a single-line batch script starts the chain. It launches a LuaJIT interpreter, which runs a heavily obfuscated Lua script known as SmartLoader. The loader calls the Windows API to hide its own console window immediately after start, so the user sees nothing on screen; the interpreter process itself is still present and visible to process listings and endpoint tooling.
SmartLoader incorporates an anti-debugging mechanism. It employs native shellcode, copied into executable memory, to detect and thwart analysis by security researchers. This technique is designed to make reverse engineering and behavioral analysis significantly more challenging.
SmartLoader does not hardcode its command-and-control (C2) address. Instead it queries a specific smart contract on the Polygon network, sending a JSON-RPC request to the public gateway polygon.drpc.org and reading the current server IP address out of an on-chain value. Reading contract state this way is a free, read-only operation that needs no wallet, and the traffic to a well-known RPC gateway blends in with ordinary web3 activity. The technique is referred to as a blockchain dead drop resolver: the operator can move infrastructure by updating one contract value instead of rebuilding the malware or touching the many staged samples, and the contract itself cannot be taken down the way a domain or a pastebin entry can.
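The lookup described above, reconstructed as an added example so an analyst can reproduce it without running the sample. This is editorial code, not SmartLoader's or Hexastrike's. It assumes the on-chain value is read with the standard eth_call method and comes back as an ABI-encoded Solidity string; the contract address, the 4-byte function selector and the sample reply are constructed placeholders, since the report does not publish them.

```python
import ipaddress
import json
import re
from typing import Optional, Tuple

# Constructed placeholders (not indicators from the report).
DEAD_DROP_CONTRACT = "0x" + "11" * 20        # hypothetical contract address
GETTER_SELECTOR = "0x20965255"               # hypothetical 4-byte selector
RPC_ENDPOINT = "https://polygon.drpc.org"    # gateway named in the report


def build_eth_call(contract: str = DEAD_DROP_CONTRACT,
                   selector: str = GETTER_SELECTOR, rpc_id: int = 1) -> str:
    """JSON-RPC body for a read-only eth_call against the dead-drop contract.

    A read needs no wallet and costs no gas, which is what makes a public
    gateway usable as a resolver: any client can POST this and get the value.
    """
    body = {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }
    return json.dumps(body)


def decode_abi_string(result_hex: str) -> str:
    """Decode a Solidity `string` return value (ABI dynamic type).

    Layout: word 0 holds the byte offset of the string head; at that offset
    sits a 32-byte length, followed by the UTF-8 bytes right-padded to a
    multiple of 32. Every offset and length is bounds-checked so a malformed
    reply raises instead of slicing garbage.
    """
    hex_body = result_hex[2:] if result_hex.startswith("0x") else result_hex
    raw = bytes.fromhex(hex_body)
    if len(raw) < 64:
        raise ValueError("ABI return too short for a dynamic string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string head offset points outside the return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds return data")
    return raw[start:start + length].decode("utf-8")


_HOST_PORT = re.compile(r"^(?:https?://)?([0-9.]+)(?::(\d{1,5}))?/?$")


def parse_c2(value: str) -> Tuple[str, Optional[int]]:
    """Validate the decoded value as a bare IPv4 address with optional port.

    Anything that is not a plausible unicast address (loopback, link-local,
    multicast, unspecified) is rejected rather than acted on.
    """
    m = _HOST_PORT.match(value.strip())
    if not m:
        raise ValueError(f"unexpected dead-drop value: {value!r}")
    ip = ipaddress.ip_address(m.group(1))
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"non-routable address in dead drop: {ip}")
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return str(ip), port


def resolve_from_rpc_response(response_json: str) -> Tuple[str, Optional[int]]:
    """Turn a raw JSON-RPC reply into (ip, port), surfacing RPC-level errors."""
    reply = json.loads(response_json)
    if "error" in reply:
        raise RuntimeError(f"RPC error: {reply['error']}")
    return parse_c2(decode_abi_string(reply["result"]))


# Constructed sample reply: the string "203.0.113.45:8080" (RFC 5737 test
# range), ABI-encoded as a gateway would return it. Not an observed value.
_payload = "203.0.113.45:8080".encode()
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": "0x" + "%064x" % 32 + "%064x" % len(_payload)
              + _payload.hex().ljust(64, "0"),
})

if __name__ == "__main__":
    print(f"POST {RPC_ENDPOINT}\n{build_eth_call()}")
    print(resolve_from_rpc_response(SAMPLE_RESPONSE))
```

Two practical notes. The value is read at the "latest" block, so an address pulled today says nothing about what the contract returned when a given sample ran; record the block number alongside any IP you extract. And on the detection side, a POST carrying `"method": "eth_call"` to polygon.drpc.org from a LuaJIT or cmd.exe process, rather than from a browser or wallet, is worth alerting on regardless of which contract it names.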
With the live address in hand, SmartLoader sends a multipart POST request directly to the server's bare IP; no domain name is involved. The request carries host fingerprinting details and captured screenshots, and the server answers with encrypted instructions and tasks. For persistence the loader creates two daily scheduled tasks with names chosen to resemble legitimate components, such as "AudioManager_ODM3" or "OfficeClickToRunTask_7d7757".
One task runs a locally cached copy of the Lua stage. The other re-downloads a fresh, encrypted stage from a separate attacker-controlled GitHub repository. Each path can restore the other, so deleting only the cached file, or only blocking the remote fetch, leaves the infection able to recover; remediation has to remove both tasks and the cached stage together. The same staging repository also hosts an encrypted StealC payload, which SmartLoader decrypts and loads directly into memory without writing it to disk. The stealer itself therefore leaves no file behind; the on-disk artefacts are the batch file, the interpreter, the cached Lua stage and the two scheduled tasks.
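A triage check for the persistence pattern described above, added here as an example and not taken from the report. It parses the CSV that `schtasks /query /fo CSV /v` produces and flags tasks that combine several weak indicators: an action that runs from a user-writable path, an action that invokes a Lua/LuaJIT runtime or a batch file, and a system-sounding name with a short random suffix on a daily schedule. The indicators are editorial heuristics inferred from the behaviour described, not published IOCs, and the sample CSV is constructed and trimmed to the columns the check uses.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed, trimmed excerpt in the shape of `schtasks /query /fo CSV /v`.
# The rows are made up for illustration; none of them is from an infected host.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Author","Task To Run","Schedule Type","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"\Microsoft\Office\Office ClickToRun Service Monitor","Microsoft Office","%ProgramFiles%\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe /monitor","At logon","SYSTEM"
"\AudioManager_ODM3","alice","C:\Users\alice\AppData\Local\Temp\amgr\luajit.exe C:\Users\alice\AppData\Local\Temp\amgr\stage.lua","Daily","alice"
"\OfficeClickToRunTask_7d7757","alice","cmd.exe /c C:\Users\alice\AppData\Roaming\ofc\fetch.bat","Daily","alice"
'''

# Assumed indicators (editorial heuristics, not IOCs from the report).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\Temp\\", re.I)
LUA_RUNTIME = re.compile(r"lua(?:jit)?\d*\.exe|\.lua\b", re.I)
BATCH_LAUNCH = re.compile(r"cmd(?:\.exe)?\s+/c\b.*\.bat\b", re.I)
# Legitimate-looking word(s) plus an underscore and a short random token, the
# shape of the two names quoted in the report.
SUFFIXED_NAME = re.compile(r"^\\?[A-Za-z]{4,}_[A-Za-z0-9]{3,8}$")


def score_task(row: Dict[str, str]) -> List[str]:
    """Return the list of indicators a single schtasks row matches."""
    name = row.get("TaskName", "")
    action = row.get("Task To Run", "")
    schedule = row.get("Schedule Type", "").strip().lower()
    reasons = []
    if USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable path")
    if LUA_RUNTIME.search(action):
        reasons.append("action invokes a Lua/LuaJIT runtime or .lua script")
    if BATCH_LAUNCH.search(action):
        reasons.append("action is cmd /c launching a batch file")
    if SUFFIXED_NAME.match(name) and schedule == "daily":
        reasons.append("system-sounding name with random suffix on a daily schedule")
    return reasons


def suspicious_tasks(csv_text: str, min_reasons: int = 2) -> Dict[str, List[str]]:
    """Map task name -> reasons for rows matching at least min_reasons indicators.

    Requiring two independent indicators keeps a lone AppData path (common for
    legitimate per-user updaters) or a lone odd name from firing by itself.
    """
    flagged: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if len(reasons) >= min_reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for task, why in suspicious_tasks(SAMPLE_SCHTASKS_CSV).items():
        print(task)
        for r in why:
            print("   -", r)
```

On a live host, export with `schtasks /query /fo CSV /v > tasks.csv` and feed the file contents to `suspicious_tasks`. The export uses the console code page, so open it with the matching encoding rather than assuming UTF-8. Because the two tasks restore each other, treat every flagged task as part of one set: collect the action paths, acquire the cached Lua stage and the batch file for analysis, then remove the tasks and the files in the same step.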
The campaign is still running, and its combination of a trusted hosting platform, patient social engineering and a resilient loader makes it worth watching for copies of the same pattern. For defenders, the useful signals are the ones that do not rotate: a README that links to a binary archive inside the repository tree rather than to a release page, a repository whose code matches an existing project but whose account is new and unrelated to it, descriptions padded with unrelated search terms, and on the endpoint a LuaJIT process started from a batch file plus paired daily scheduled tasks. For users, the practical rule is to take software from the upstream project's own releases and to check a repository's fork history, account age and commit history before running anything from it.