2025-04-03

Fake GitHub Repos Used to Spread SmartLoader and Lumma Stealer in Ongoing Malware Campaign

Level: Tactical | Source: Trend Micro


A malware distribution campaign uncovered by Trend Micro is using fake GitHub repositories to deliver SmartLoader, which subsequently drops Lumma Stealer and other information-stealing malware. These repositories pose as useful system utilities, cracked software, or gaming cheats. “The campaign leverages GitHub’s trusted reputation to evade detection, using AI-generated content to make fake repositories appear legitimate,” warns Trend Micro. To enhance believability, the threat actors use generative AI to produce realistic README files and documentation, creating an illusion of credibility. Clues to their malicious nature include the overuse of emojis, awkward or unnatural phrasing, a hyperlinked logo, and overly uniform formatting patterns. Notably, these repositories typically contain only a README file, with the actual payloads linked from the releases section; Trend Micro warns that this simplicity is itself a potential sign of illegitimacy. Once downloaded, SmartLoader initiates a chain that leads to credential theft, targeting browser-stored passwords, cryptocurrency wallets, and other sensitive information.

The attack begins when users download a ZIP archive containing four core files: a LuaJIT executable, a DLL, a batch file, and a text file holding an obfuscated Lua script. While the executable and DLL are not inherently malicious, the batch file launches the Lua interpreter with the script as its argument, starting the attack. This technique mirrors earlier campaigns; Trend Micro references activity observed in October 2024 that also used obfuscated Lua scripts and scheduled tasks for persistence. The loader fetches Lumma Stealer, renamed "search.exe", from GitHub and executes it alongside a concealed AutoIt script embedded in Excel files. These files are staged in the system’s temporary directory, where cmd is used to copy them into place and concatenate them into a single batch executable.

As execution continues, the malware conducts reconnaissance with findstr to identify installed security software such as Avast, Norton, Sophos, and other security components. It also drops an additional AutoIt interpreter, misleadingly named “Research[.]com,” into the %TEMP% directory. The campaign then launches Microsoft Edge with the "--remote-debugging-port=9222" flag, abusing the browser's remote debugging feature to gain access to the browser session. The Lumma Stealer payload communicates with its command-and-control infrastructure, such as pasteflawwed[.]world, to exfiltrate the gathered data. Trend Micro's researchers warn, “These attacks highlight how AI-driven cyber threats and sophisticated malware like Lumma Stealer are lowering the barrier for hackers to compromise both personal and professional accounts.”
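As an added illustration (not code from the Trend Micro report or this page), the following Python turns the observable steps of the chain above into simple process-creation detection rules and runs them over constructed Sysmon-style events; the file paths, the names config.txt and payload.a3x, and the parent/child relationships are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
# The paths, file names and parent/child order are assumptions modelled on the chain above.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\Downloads\tool\luajit.exe", "cmdline": "luajit.exe config.txt"},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c copy /b "%TEMP%\a.xlsx"+"%TEMP%\b.xlsx" "%TEMP%\run.bat"'},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /i "Avast Norton Sophos"'},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\Research.com", "cmdline": "Research.com payload.a3x"},
    {"id": 5, "parent": r"C:\Users\u\AppData\Local\Temp\Research.com",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --remote-debugging-port=9222 --headless"},
    {"id": 6, "parent": r"C:\Windows\explorer.exe",  # ordinary browser launch, should not match
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://example.invalid"},
]

AV_VENDORS = ("avast", "norton", "sophos")  # product names the report says the loader looks for

def _name(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def _cmd(e):
    return e["cmdline"].lower()

# Each rule maps one step of the reported chain to a predicate over a single event.
RULES = {
    # batch file (running under cmd.exe) starts a Lua interpreter with a .txt script as its argument
    "lua_loader_from_batch": lambda e: _name(e["parent"]) == "cmd.exe"
        and _name(e["image"]) in ("lua.exe", "luajit.exe") and re.search(r"\.txt(\s|$)", _cmd(e)) is not None,
    # cmd.exe concatenates staged files in %TEMP% into a single .bat (copy /b a+b target)
    "temp_batch_concat": lambda e: _name(e["image"]) == "cmd.exe"
        and all(t in _cmd(e) for t in ("copy", "+", "temp", ".bat")),
    # findstr used to check for installed security products by name
    "av_discovery": lambda e: _name(e["image"]) == "findstr.exe" and any(v in _cmd(e) for v in AV_VENDORS),
    # an executable with a .com extension launched from the user's temp directory
    "temp_com_interpreter": lambda e: "\\temp\\" in e["image"].lower() and e["image"].lower().endswith(".com"),
    # Edge started with its remote debugging port exposed
    "edge_remote_debug": lambda e: _name(e["image"]) == "msedge.exe" and "--remote-debugging-port=" in _cmd(e),
}

def scan(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule, in event order."""
    return [(name, e["id"]) for e in events for name, rule in RULES.items() if rule(e)]
```

Any single hit is a weak signal on its own; several of these rules firing on one host within a short window is the pattern worth alerting on.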

The adversaries’ abuse of GitHub file hosting, combined with generative AI content, increases success rates by making fake repositories appear authentic to unsuspecting users. The SmartLoader-to-Lumma Stealer chain allows attackers to modularly adapt their payloads, whether targeting credentials, system data, or cryptocurrency assets. The use of obfuscated scripts, misused interpreters, and command-line abuse adds layers of complexity that can hinder static detection and incident response. These methods also show how legitimate platforms are being exploited to bypass security controls and refine user deception.
