GitHub Bug Used to Infect Game Hackers With Lua Malware

Malicious operators cloned an open-source aim-bot repository and used SEO-poisoned pages plus a GitHub attachment bug to host and serve a LuaJIT-based malware payload from what appears to be a legitimate repository. Analysts decompiled and instrumented the LuaJIT runtime (including hooking the string garbage collector) to recover decrypted strings and C2/persistence artifacts. #AIMMY #Babyhamsta #LuaJIT

Keypoints

  • Attackers created a cloned repository and a high-ranking malicious site (aimmy[.]app) that pointed victims to a download URL appearing to be hosted on the legitimate Babyhamsta/Aimmy GitHub repository.
  • A GitHub behavior/bug allows files dragged into a new-issue description to be stored under the target repository (with persistent direct links) even if the issue is never submitted.
  • The cloned repository was uploaded (not forked), thousands of empty commits were scripted to appear as active development, and the README was altered to point to the malicious download link.
  • The malware bundle is a ZIP containing Aimmy.bat, a LuaJIT interpreter (AimmyLauncher.exe), lua51.dll, and a compiled LuaJIT “data” blob (magic bytes 1B 4C 4A) with specific file hashes identified.
  • Decompiled Lua showed heavy obfuscation consistent with the open-source Prometheus Lua obfuscator (string encryption + VM-based protection).
  • Analysts instrumented the Lua environment (passing a preloaded script with -e) and ultimately modified/compiled a custom LuaJIT to hook lj_str_free to dump decrypted strings and OS interactions for analysis.
  • Dumping string frees produced noisy output but recovered full structs, function definitions, and strings related to C2 and persistence, enabling further analysis.

MITRE Techniques

  • [T1598] Search Engine Optimization – The malicious website outranked the legitimate site through SEO poisoning: ‘The malicious website has a high Google rank (likely due to SEO poisoning) and is ranked above the legitimate aim bot website.’
  • [T1204.002] User Execution: Malicious Link – Victims were enticed to download a ZIP via a modified README download link that pointed to the malware: ‘modified download link which links to malware hosted at https[:]//github[.]com/Babyhamsta/Aimmy/files/14475029/Aimmy.zip’
  • [T1190] Exploit Public-Facing Application – Attackers abused GitHub issue attachments to host files under arbitrary repositories: ‘When opening an issue on a repository any file uploaded to the issue is stored under the GitHub repository where the issue was opened.’
  • [T1195] Supply Chain Compromise – The repository cloning and README modification were used to distribute a trojanized build appearing to come from a trusted open-source project: ‘The operator then makes thousands of empty commits… The final commit… changing the project download links to the malware URL.’
  • [T1027] Obfuscated Files or Information – The Lua payload was heavily obfuscated using an open-source obfuscator (Prometheus) employing encrypted strings and a VM: ‘The obfuscation was matched to an open source Lua obfuscator called Prometheus.’
  • [T1105] Ingress Tool Transfer – Malware artifacts were hosted on GitHub and served to victims as a ZIP archive: ‘This download link is for a ZIP file that is hosted on the original benign GitHub repository.’

Indicators of Compromise

  • [Domain] Malicious / deceptive sites – aimmy[.]app (malicious landing site), aimmy[.]dev (legitimate project site)
  • [GitHub repo] Target and clone – github[.]com/Babyhamsta/Aimmy (original repo), github[.]com/nehuenbohm/Aimmy (cloned repository)
  • [Download URL] Hosted payload link – https[:]//github[.]com/Babyhamsta/Aimmy/files/14475029/Aimmy.zip (malicious ZIP served from original repo)
  • [File hashes] Samples in ZIP – c912762952152c40646a61d7cc80a74f61ddd7aad292a1812f66e76b405f9660 (Aimmy.bat), 1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a (AimmyLauncher.exe), and 3 more hashes
  • [File names] Payload components – Aimmy.bat (batch launcher), AimmyLauncher.exe (LuaJIT interpreter), data (compiled LuaJIT bytecode with magic bytes 1B 4C 4A)

Analysts observed a multi-stage delivery: attackers created a high-ranking malicious site that linked to a cloned GitHub repository whose modified README pointed to a download URL serving a ZIP from the original Babyhamsta/Aimmy repository. The GitHub issue-attachment behavior allowed attackers to upload arbitrary files into another repository’s storage (generating persistent direct links even when the issue was not submitted), enabling the payload to be hosted under a legitimate repo URL. The cloning process involved uploading the repo (not forking), scripting thousands of empty commits to appear legitimate, and making a final verified README change to point to the malware ZIP.

The malware ZIP contains Aimmy.bat (launcher), AimmyLauncher.exe (LuaJIT interpreter), lua51.dll, README.txt, and a compiled LuaJIT “data” blob (magic bytes 1B 4C 4A). Decompilation with a LuaJIT decompiler revealed heavy obfuscation consistent with the Prometheus obfuscator (encrypted strings + VM). Initial dynamic tracing attempted to preload a tracing script via the interpreter’s -e option (using debug.sethook to log function calls and locals), but anti-tamper VM features limited visibility.
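A blob like the “data” file can be triaged before it is handed to a decompiler by checking the LuaJIT dump header directly. The parser below is an added example, not code from the original analysis or from LuaJIT itself; it follows the header layout from LuaJIT’s lj_bcdump.h and lj_bcread.c (magic, version byte, ULEB128 flags, optional chunk name, then length-prefixed prototypes), and the sample bytes are constructed, not the real payload.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAGIC = b"\x1bLJ"  # 1B 4C 4A, the magic seen in the "data" blob
F_BE, F_STRIP, F_FFI, F_FR2 = 0x01, 0x02, 0x04, 0x08  # flag bits from lj_bcdump.h

@dataclass
class BcHeader:
    version: int  # 1 = LuaJIT 2.0, 2 = LuaJIT 2.1; 0x80+ marks a modified format
    flags: int
    chunkname: str | None  # None when debug info was stripped (the luajit -b default)
    proto_sizes: list[int] = field(default_factory=list)

    def stripped(self) -> bool:
        return bool(self.flags & F_STRIP)

def read_uleb128(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 integer at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def parse_luajit_header(blob: bytes) -> BcHeader | None:
    """Return the parsed dump header, or None if blob is not LuaJIT bytecode."""
    if len(blob) < 5 or not blob.startswith(MAGIC):
        return None
    flags, pos = read_uleb128(blob, 4)
    chunkname = None
    if not flags & F_STRIP:  # unstripped dumps carry the chunk name
        n, pos = read_uleb128(blob, pos)
        chunkname = blob[pos:pos + n].decode("utf-8", "replace")
        pos += n
    hdr = BcHeader(blob[3], flags, chunkname)
    # Function prototypes follow as ULEB128 length + opaque body; zero length ends the dump.
    while pos < len(blob):
        n, pos = read_uleb128(blob, pos)
        if n == 0:
            break
        hdr.proto_sizes.append(n)
        pos += n
    return hdr

# Constructed sample, not the real payload: LuaJIT 2.1 dump with the FFI flag,
# chunk name "=aimmy", two opaque prototypes of 3 and 2 bytes, then the terminator.
SAMPLE = b"\x1bLJ\x02\x04\x06=aimmy" + b"\x03\x00\x00\x00" + b"\x02\x00\x00" + b"\x00"
```

A truncated or malformed dump raises IndexError from read_uleb128, which a caller can treat as “not a clean LuaJIT dump”. The prototype bodies are not decoded here; their count and sizes are enough to confirm the structure before decompilation.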

To recover decrypted strings and C2/persistence artifacts, researchers compiled a custom LuaJIT with hooks added to the string-free routine (lj_str_free) and to OS functions in lib_os.c, logging strings and os.execute arguments before they were freed/executed. Dumping during garbage collection produced noisy output but allowed recovery of full structs, function definitions, and decrypted strings used by the malware; combining this approach with standard API tracing was recommended to produce a more complete behavioral picture.

Read more: https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html