Russian-speaking threat actors are abusing trusted internet cervices like GitHub to disseminate various types of credential-stealing malware, new findings from Recorded Future's Insikt Group show.

The campaign, dubbed ‘GitCaught,’ utilized GitHub profiles posing as legitimate software such as 1Password, Bartender 5, and Pixelmator Pro, deploying a variety of malware, including Atomic macOS Stealer (AMOS) and Vidar designed to breach users’ systems and pilfer sensitive data.

An analysis showed that the Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo malware variants shared a command-and-control (C2) infrastructure, indicating the involvement of a highly organized group with considerable resources, the researchers noted.

The threat actors leveraged free and web-based infrastructure, such as FileZilla servers, as a means for malware delivery. Insikt Group identified twelve domains impersonating legitimate macOS applications like CleanShot X, 1Password, and Bartender. All twelve domains redirected users to a GitHub profile attributed to a user named “papinyurii33” to download macOS installation media, leading to the AMOS infostealer infection. The latest version of AMOS can infect both Intel-based and ARM-based Macs.

The profile associated with “papinyurii33” on GitHub was created on January 16, 2024, with the last observed contribution dated March 7, 2024. Insikt Group observed that besides AMOS, the profile hosted other files under the “2132” repository, including a dropper for the Windows-based Lumma and Vidar stealers, as well as an Octo Android banking trojan.

Additionally, researchers observed the execution of various DocCloud files by the threat actor to deploy a range of infostealers on victim devices.

DocCloud.exe accessed a FileZilla FTP server at IP address 193.149.189[.]199 using hardcoded credentials. Upon establishing a connection, a child process of DocCloud.exe accessed and RC4 decrypted a .ENC file, combining the decrypted data with shellcode stored within a Python script. The resulting payload was then executed as an argument to pythonw.exe.

Insikt Group also identified four additional IP addresses likely associated with the threat actor’s network infrastructure, revealing C2 infrastructure for the Darkcomet RAT malware and an additional FileZilla FTP server responsible for deploying Darkcomet RAT.

Currently, it’s unclear what threat actor is behind this campaign. Insikt Group notes that some of the IoCs related to the GitCaught campaign were previously shared in the report by Ukraine’s CERT team on the activities of a threat actor tracked as UAC-0006. Additionally, some of the FTP servers associated with GitCaught were also observed in the past by Cyble, Cyfirma, and Malwarebytes.