Fake GitHub projects distribute stealers in GitVenom campaign
Essential information
- Published: 24/02/2025 14:22
- Modified: 24/02/2025 16:52
- Tags: 2025-02-24, asyncrat, clipboard-hijacker, cryptocurrency, fake-projects, github, gitvenom, open-source, quasar, stealer
- Related entities: 2 observables, 16 techniques (MITRE), 2 malware, 2 others
Description
The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit counts to appear genuine. The malicious code, implemented in various programming languages, downloads and executes further malicious components from attacker-controlled repositories. These components include a Node.js stealer, AsyncRAT, the Quasar backdoor, and a clipboard hijacker that targets cryptocurrency transactions. The campaign has been active for several years, with infection attempts observed worldwide, particularly in Russia, Brazil, and Turkey. The attackers' tactics highlight the importance of carefully examining third-party code before integrating or executing it.