Netskope Threat Labs discovered a coordinated malware campaign—tracked as TroyDen’s Lure Factory—using trojanized GitHub repositories (300+ delivery packages) that deliver a two‑component LuaJIT loader and encrypted script designed to evade automated analysis and exfiltrate full desktop screenshots and likely credentials. The same toolchain and identical binaries appear across lures targeting developers, gamers, phone‑tracker users, and more, with C2 infrastructure in Frankfurt and delivery patterns consistent with AI‑assisted lure generation. #TroyDen #OpenClaw
Key points
- Over 300 delivery packages across multiple GitHub repositories use a trojanized distribution that impersonates legitimate projects (notably an OpenClaw Docker deployer) to deliver malicious payloads.
- The malware uses a deliberate two‑component design: a renamed LuaJIT runtime (e.g., unc.exe) plus an encrypted/obfuscated Lua script (license.txt) that appear benign when analyzed separately, defeating standard file/single‑artifact sandboxing.
- The payload performs five anti‑analysis checks (debugger presence, low RAM, short uptime, SeDebugPrivilege enumeration, computer name) and then calls Sleep(922,337,203,695,477 ms) so that timed sandboxes give up before execution continues.
- On execution the payload disables WinINet proxy auto‑detection to bypass inspection, performs a geolocation lookup against ip‑api.com, captures a full desktop BMP screenshot, and uploads it via a multipart/form-data POST to a Frankfurt IP; the C2 responds with encrypted task and loader blobs that are saved to Documents.
- Static and dynamic analysis shows the same Prometheus‑obfuscated LuaJIT toolchain and identical inner payloads across gaming cheats, developer tools, phone‑tracker lures, Roblox scripts, crypto bots, and VPN crackers—indicating a single, scalable “lure factory” likely using AI to generate lure names and directories.
- Netskope ATP detected the threat via behavioral heuristics; the operator infrastructure (multiple Frankfurt IPs returning identical C2 responses) was reported to GitHub; and the published IOCs (hashes, IPs, repos, TLSH, Telegram) are available for deployment in EDR/network tooling.
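The split design in the key points above (a renamed LuaJIT runtime, an encrypted script and a launcher that joins them) is only visible when a package is examined as a unit. The following Python triage heuristic is an added defender's example, not code from the Netskope write-up: it flags a launcher that runs a LuaJIT runtime, whatever it has been renamed to, against a high-entropy .txt file beside it. The LuaJIT marker strings, the entropy cut-off and the constructed sample packages are assumptions.

```python
import math, os, re, tempfile
from pathlib import Path

# Strings a LuaJIT runtime keeps whatever file name it is given (assumed markers).
LUAJIT_MARKERS = (b"LuaJIT", b"lua_", b"luaL_")
# Plain Lua source sits near 4-5 bits/byte; encrypted or packed data approaches 8 (assumed cut-off).
ENTROPY_THRESHOLD = 7.2
# A launcher line of the form `<runtime>.exe <script>.txt`, quotes optional.
RUN_PAIR = re.compile(rb'"?([\w.-]+\.exe)"?\s+"?([\w.-]+\.txt)"?', re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_package(root: Path) -> list:
    """One finding per launcher that runs a LuaJIT runtime on a high-entropy .txt beside it."""
    findings = []
    for launcher in list(root.rglob("*.bat")) + list(root.rglob("*.cmd")):
        for exe_name, txt_name in RUN_PAIR.findall(launcher.read_bytes()):
            exe, txt = launcher.parent / exe_name.decode(), launcher.parent / txt_name.decode()
            if not (exe.is_file() and txt.is_file()):
                continue
            entropy = shannon_entropy(txt.read_bytes())
            is_luajit = any(m in exe.read_bytes() for m in LUAJIT_MARKERS)
            if is_luajit and entropy >= ENTROPY_THRESHOLD:
                findings.append({"launcher": launcher.name, "runtime": exe.name,
                                 "script": txt.name, "script_entropy": round(entropy, 2)})
    return findings


def build_sample_package(root: Path, malicious: bool) -> Path:
    """Write a constructed package (not a real sample): launcher, stand-in runtime, script."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "Launch.bat").write_bytes(b'@echo off\r\nstart "" unc.exe license.txt\r\n')
    # Only the marker strings matter to this heuristic; this is not a real PE file.
    (root / "unc.exe").write_bytes(b"MZ..LuaJIT 2.1 luaL_newstate.." if malicious else b"MZ..plain tool..")
    (root / "license.txt").write_bytes(os.urandom(4096) if malicious else b"-- limits\nmax = 10\n" * 50)
    return root


def run_demo() -> tuple:
    """Triage one constructed malicious and one benign package; returns (bad, good) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = triage_package(build_sample_package(Path(tmp) / "bad", malicious=True))
        good = triage_package(build_sample_package(Path(tmp) / "good", malicious=False))
    return bad, good
```

Calling run_demo() returns one finding for the constructed malicious package and none for the benign one; on a real extracted delivery ZIP, point triage_package at the unpacked directory.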
MITRE Techniques
- [N/A] No explicit MITRE ATT&CK technique identifiers or technique names are given in the article; the closest description is: ‘The payload begins with five anti-analysis checks: a debugger presence query, a RAM check targeting the low-memory environments typical of sandboxes, a system uptime check flagging machines that have been running for only minutes, a privilege enumeration for SeDebugPrivilege, and a computer name query. Then Sleep(922,337,203,695,477ms) deploys…’
Indicators of Compromise
- [File Hash] Delivery packages – c655c2d410e6b36d9ef1359aef67183bf76c193c609697492e41d30622f7ebd4, 30694a0101abfeea642cb9de7fb7eb66789eea74d8d7257b39822d7dab59445d, and 30+ other hashes
- [IP Address] C2 servers (Frankfurt ASN SERVHOST‑AS) – 213.176.73.159, 217.119.129.122, and 6 other addresses (e.g., 217.119.129.76, 217.119.129.118, 217.119.129.121, 94.156.154.6, 89.169.12.241)
- [Repository] Malicious GitHub repos/delivery ZIPs – AAAbiola/openclaw-docker, mikenob39wang/phone-number-location-tracking-tool, and B3RZ3RK/fishing-planet-enhanced-menu (plus many forks and 300+ delivery packages)
- [File Name] Malicious runtime & payload – unc.exe (renamed LuaJIT runtime), license.txt (encrypted/obfuscated Lua payload), Launch.bat/Launcher.cmd (execution trigger)
- [Network URI / C2 Patterns] C2 API endpoints – POST /api/ (screenshot upload + task retrieval), GET /task/ (task polling), GET /loader/screen/ (loader/screen data)
- [TLSH] Binary similarity – T141F49F19FBB101FAD5B78135CD16A90BEBB2BC050624566F43E06AAB6F377210E1F325
- [Telegram Channel] Operator advertising/distribution – https://t.me/NumberLocationTrack (TroyDen phone‑tracker channel)
Read more: https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers