Cybersecurity researchers have uncovered a previously unknown threat actor, dubbed Water Curse, that uses weaponized GitHub repositories to run multi-stage malware campaigns. According to an analysis published by Trend Micro, the group's malware is built to exfiltrate data, including credentials, browser data, and session tokens, and to provide remote access and long-term persistence on compromised systems. Researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta describe the campaign in detail.
The campaign first surfaced last month, using GitHub repositories that appeared to offer innocuous penetration testing tools. Hidden within the Visual Studio project configuration files, however, were malicious payloads, packaged with tools such as an SMTP email bomber and Sakura-RAT; project configuration is a location most users never inspect before building a project they have cloned. The campaign illustrates a troubling trend in which legitimate platforms are abused as distribution channels for malware, raising the risk to the software supply chain.
Water Curse's toolset mixes several tools and programming languages, which suggests a cross-functional team. Infections begin with obfuscated Visual Basic Script (VBS) and PowerShell scripts that download encrypted archives and extract Electron-based applications, which then carry out extensive reconnaissance of the infected system.
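The two preceding paragraphs describe payloads hidden in Visual Studio project files and an infection chain that starts from VBS and PowerShell. The following scanner is an added example written for this page, not code from Trend Micro or from the campaign itself. It assumes that the hiding place is an MSBuild build hook (PreBuildEvent, PostBuildEvent, or an Exec task), which the article does not state; the page only says "project configuration files". The two .csproj documents it scans are constructed for the example, and the encoded PowerShell string is a harmless placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the Trend Micro report): an ordinary .NET project
# whose build hooks launch hidden, encoded PowerShell and a VBScript.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Setup" AfterTargets="Build">
    <Exec Command="wscript //nologo $(ProjectDir)setup.vbs" />
  </Target>
</Project>
"""

# Constructed benign project in the older namespaced .csproj format; its
# post-build step only copies DLLs and should produce no findings.
CLEAN_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PostBuildEvent>xcopy "$(TargetDir)*.dll" "$(SolutionDir)bin\\" /Y</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

# MSBuild properties whose text is run as a shell command during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}

# Heuristics for commands that have no place in an honest build hook. PowerShell
# accepts any unambiguous prefix of -EncodedCommand, so several spellings are listed.
RULES = [
    (re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encoded|encodedcommand)\b", re.I),
     "encoded PowerShell command"),
    (re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b", re.I), "VBScript launched at build time"),
    (re.compile(r"\b(certutil\s+-(decode|urlcache)|bitsadmin\s+/transfer|curl\b|wget\b"
                r"|Invoke-WebRequest|DownloadString)", re.I),
     "download/decode utility"),
    (re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"), "long base64 blob"),
]


def _local(tag: str) -> str:
    """Strip the XML namespace that old-style .csproj files carry on every tag."""
    return tag.rsplit("}", 1)[-1]


def scan_csproj(xml_text: str) -> list[dict]:
    """Return one finding per build-time command that matches at least one rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_TAGS:
            command = (elem.text or "").strip()
        elif name == "Exec":
            command = elem.get("Command", "").strip()
        else:
            continue
        reasons = [label for rx, label in RULES if rx.search(command)]
        if reasons:
            findings.append({"location": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_csproj(SAMPLE_CSPROJ):
        print(f"[{finding['location']}] {', '.join(finding['reasons'])}: {finding['command'][:60]}...")
    print("clean project findings:", scan_csproj(CLEAN_CSPROJ))
```

Run it over every .csproj, .vbproj and .targets file in a cloned repository before opening the solution; `dotnet build` and Visual Studio both execute these hooks without prompting. The rules are deliberately narrow so that ordinary copy and code-generation steps stay quiet, and any hit is a reason to read the project file by hand rather than a verdict.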
Researchers have linked as many as 76 GitHub accounts to the Water Curse campaign, which targets the software supply chain with a focus on credential theft, session hijacking, and the resale of unauthorized access. The group is one of a growing number of threat actors that abuse the inherent trust placed in legitimate platforms, prompting increased scrutiny and countermeasures from defenders.
For further details and insights, refer to the original analysis by Trend Micro here.