Water Curse hackers exploit GitHub as a delivery channel for weaponized repositories

An ongoing, sophisticated threat campaign orchestrated by a malicious actor tracked as ‘Water Curse’ is abusing GitHub as a delivery mechanism for malicious software. The group, active since at least March 2023, has been using weaponized repositories to spread multistage malware capable of remote access, data theft, and persistent system compromise.

According to Trend Micro’s investigation, at least 76 GitHub accounts are linked to the campaign. The attackers embed malicious payloads within Visual Studio project configuration files, specifically in <PreBuildEvent> tags, that execute during the software build process. The payloads initiate complex infection chains using obfuscated Visual Basic Script (VBS) and PowerShell code.
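A defender-side check for the build-hook vector described above, added here as an illustration and not code from Trend Micro or the actor: a Python audit that parses a Visual Studio / MSBuild project file and flags pre- and post-build hooks (and Exec tasks in custom targets) that launch script hosts or carry download or encoded-command indicators. The indicator lists and the sample project are constructed assumptions, not values from the report.

```python
# Added audit for the build-hook vector above (constructed example, not vendor tooling):
# flag <PreBuildEvent>/<PostBuildEvent>/<Exec Command> entries that launch script hosts
# or carry download / encoded-command indicators.
import re
import xml.etree.ElementTree as ET

# Heuristic lists (assumed, not from the report): script hosts and suspicious arguments.
SUSPICIOUS_HOSTS = re.compile(
    r"\b(powershell|pwsh|cscript|wscript|mshta|certutil|bitsadmin|rundll32)\b", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-e\s|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"frombase64string|\.vbs\b|codeload\.github\.com|https?://)", re.I)

# Constructed sample: SDK-style project with a hidden pre-build hook and an Exec target.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -nop -w hidden -enc QUJD</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="cscript //nologo loader.vbs" />
  </Target>
</Project>"""


def _is_suspicious(cmd):
    return bool(SUSPICIOUS_HOSTS.search(cmd) or SUSPICIOUS_ARGS.search(cmd))


def audit_project(xml_text):
    """Return one {'hook', 'command'} finding per suspicious build-time command."""
    root = ET.fromstring(xml_text)
    findings = []
    # '{*}' matches any namespace, so legacy csproj files (2003 MSBuild ns) are covered.
    for tag in ("PreBuildEvent", "PostBuildEvent"):
        for el in root.iterfind(f".//{{*}}{tag}"):
            cmd = (el.text or "").strip()
            if cmd and _is_suspicious(cmd):
                findings.append({"hook": tag, "command": cmd})
    for el in root.iterfind(".//{*}Exec"):  # Exec tasks inside custom targets
        cmd = (el.get("Command") or "").strip()
        if cmd and _is_suspicious(cmd):
            findings.append({"hook": "Exec", "command": cmd})
    return findings


if __name__ == "__main__":
    for f in audit_project(SAMPLE_CSPROJ):
        print(f"[{f['hook']}] {f['command']}")
```

Run it over every *.csproj and *.vcxproj in a cloned repository before building; a benign copy step in a post-build event is not flagged, while the encoded PowerShell hook and the VBS loader are.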

Once executed, the malware downloads encrypted ZIP archives from GitHub’s codeload.github.com domain. The archives contain Electron-based applications that, when unpacked, enable system reconnaissance. The malware is designed to steal credentials, browser data, and session tokens, and it utilizes anti-debugging, privilege escalation, and persistence techniques such as scheduled tasks and registry manipulation to maintain long-term control.

Trend Micro uncovered several malicious tools masquerading as penetration testing utilities, including an SMTP email bomber and Sakura-RAT, which were laced with hidden backdoors. The malware's use of legitimate-looking developer tools suggests Water Curse is targeting red teamers, developers, and gamers, deploying a hybrid strategy that combines supply chain compromise with opportunistic attacks across various digital communities.

Water Curse employs a range of programming languages, including PowerShell, JavaScript, C#, VBScript, and compiled binaries, indicating access to a skilled and adaptable development team.

Trend Micro first attributed activity to Water Curse in May 2025, but retrospective analysis shows the group has been flying under the radar for over two years. The group's primary motivation appears to be financial gain, with evidence pointing to goals such as credential theft, session hijacking, and illicit access resale.

One of the malicious GitHub repositories remains active and accessible at the time of reporting, while another has since been removed.

“Water Curse’s operations extend beyond cybersecurity. Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers. This reflects a multivertical targeting strategy that blends cybercrime with opportunistic monetization,” the researchers noted. “This diversification suggests that the actor is technically versatile, financially motivated, and possibly operating as part of a loosely organized or service-driven threat cluster. Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.”
