Attackers are using fake GitHub homebrew projects, such as EQVita, to trick PlayStation Vita fans into running Windows malware disguised as a harmless plugin or audio tool. The campaign uses a hidden script and loader behavior to contact attacker infrastructure and can lead to information-stealing payloads like SmartLoader and Lumma Stealer. #EQVita #PlayStationVita #SmartLoader #LummaStealer
Key points
- Attackers are disguising Windows malware as retro console homebrew projects on GitHub.
- The fake project EQVita targets PlayStation Vita users and pretends to be a free audio tool or plugin.
- The download contains three Windows files, including a disguised script named x64.txt that is executed by LuaJIT.
- The malicious script checks the victim’s location, contacts an attacker-controlled server, and can fetch additional malware.
- Researchers say the same tactic has been used in fake repositories to distribute SmartLoader and then Lumma Stealer.
- The campaign abuses trust in GitHub and the modding/homebrew culture where users commonly run downloaded code.
- Users are advised to verify sources, inspect file types carefully, and scan systems if they already ran the archive.
MITRE Techniques
- [T1036] Masquerading – The fake repository and payloads are made to look like legitimate homebrew software and harmless text files (‘the file you download doesn’t contain anything for a Vita at all’; ‘x64.txt … isn’t text at all—it’s a hidden script’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Not mentioned.
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Not mentioned.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – A batch file (Launch.bat) launches the hidden script through the bundled LuaJIT runtime (‘The batch file simply tells it to open x64.txt’).
- [T1059.006] Command and Scripting Interpreter: Python – Not mentioned.
- [T1059.008] Command and Scripting Interpreter: Network Device CLI – Not mentioned.
- [T1071.001] Application Layer Protocol: Web Protocols – The script contacts attacker infrastructure over the web (‘quietly contacted a server on the internet’).
- [T1016] System Network Configuration Discovery – The script checks the victim’s location (‘First, the script checked where in the world the computer was’).
- [T1105] Ingress Tool Transfer – The server can send back the next stage of malware (‘the server answered back’; ‘receive instructions and fetch its next piece of malware’).
- [T1204.002] User Execution: Malicious File – The attack depends on the user running the downloaded archive/script (‘once you run it’; ‘if you’ve already run it’).
- [T1566] Phishing – The fake repository lures users into trusting and downloading malicious content (‘fake GitHub repositories … to spread’); although not classic email phishing, it relies on deceptive delivery.
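The execution chain mapped above (a batch file handing the disguised x64.txt to luajit.exe) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the page or from the campaign; the `Key=Value|Key=Value` event layout, the sample events and the Lua-source heuristic are constructed assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Added detection example: flag the chain the page describes, where a
# batch file hands a ".txt" (x64.txt) to luajit.exe. Event layout and
# sample events are constructed, not the page's data.

LUAJIT_BYTECODE_SIG = b"\x1bLJ"   # header of LuaJIT bytecode files
BENIGN_SCRIPT_EXTS = {".lua"}     # extension a legitimate launcher would pass

SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events
    "Image=C:\\Users\\u\\Downloads\\EQ_Vita_v1.3\\luajit.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=luajit.exe x64.txt",
    "Image=C:\\Tools\\luajit\\luajit.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=luajit.exe build.lua",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe x64.txt",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'Key=Value|Key=Value' line into a dict."""
    return dict(p.split("=", 1) for p in line.strip().split("|") if "=" in p)

def is_suspicious_event(ev: Dict[str, str]) -> bool:
    """True when luajit.exe is run against a file that is not a .lua script."""
    if ntpath.basename(ev.get("Image", "")).lower() != "luajit.exe":
        return False
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ev.get("CommandLine", ""))]
    for arg in tokens[1:]:
        if arg.startswith("-"):          # interpreter options, not a script path
            continue
        ext = ntpath.splitext(arg)[1].lower()
        if ext and ext not in BENIGN_SCRIPT_EXTS:
            return True
    return False

def flag_events(lines: List[str]) -> List[str]:
    """Return the Image paths of events matching the luajit-runs-.txt pattern."""
    return [parse_event(l)["Image"] for l in lines if is_suspicious_event(parse_event(l))]

def looks_like_hidden_script(name: str, data: bytes) -> bool:
    """Heuristic: a '.txt' that is LuaJIT bytecode or reads like Lua source."""
    if not name.lower().endswith(".txt"):
        return False
    if data.startswith(LUAJIT_BYTECODE_SIG):
        return True
    text = data.decode("latin-1")
    return bool(re.search(r"\b(local|function|require)\b", text) and re.search(r"\bend\b", text))

if __name__ == "__main__":
    for path in flag_events(SAMPLE_EVENTS):
        print("suspicious luajit launch:", path)
```

A parent of cmd.exe spawned from a freshly extracted Downloads folder, as in the first sample event, raises confidence further; `looks_like_hidden_script` can be run over the extracted archive before anything is executed.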
Indicators of Compromise
- [URL] Malicious GitHub repository and related project page – https://github.com/Voistace/EQVita, https://voistace.github.io
- [IP address] Attacker command-and-control server contacted by the script – 85.137.52.21, plus a second server referenced through an obfuscated web address
- [Archive/file name] Malicious download package and its contents – EQ_Vita_v1.3.zip, Launch.bat
- [File name] Executed runtime and disguised script – luajit.exe, x64.txt