A “multi-faceted campaign” has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro.
“The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks,” Recorded Future’s Insikt Group said in a report.
The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate.
Attack chains entail the use of fake profiles and repositories on GitHub, hosting counterfeit versions of well-known software with the goal of sensitive data from compromised devices. The links to these malicious files are then embedded within several domains that are typically distributed via malvertising and SEO poisoning campaigns.
The adversary behind the operation, suspected to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), has also been observed using FileZilla servers for malware management and delivery.
Further analysis of the disk image files on GitHub and the associated infrastructure has determined that the attacks are tied to a larger campaign designed to deliver RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.
The Rhadamanthys infection pathway is also notable for the fact that victims who land on the fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, suggesting a broader abuse of legitimate services.
The development comes as the Microsoft Threat Intelligence team said that the macOS backdoor codenamed Activator remains a “very active threat” that’s distributed via disk image files impersonating cracked versions of legitimate software and in order to steal data from Exodus and Bitcoin-Qt wallet applications.
“It prompts the user to let it run with elevated privileges, turns off the macOS Gatekeeper, and disables the Notification Center,” the tech giant said. “It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence.”