Researchers from Recorded Future's Insikt Group uncovered a CIS-based, Russian-speaking threat actor operation that used GitHub to impersonate legitimate software like 1Password, Bartender 5, and Pixelmator Pro to distribute various malware such as Atomic macOS Stealer (AMOS) and Vidar. The campaign demonstrates how trusted platforms are abused to steal personal data and shows a coordinated effort with shared infrastructure across multiple malware families.
Key points
- The Insikt Group found a sophisticated campaign led by CIS-based threat actors leveraging GitHub to impersonate legitimate software.
- Malware variants include Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, all sharing a common command-and-control (C2) infrastructure.
- Actors crafted fake GitHub profiles and repositories to present counterfeit versions of well-known applications, exploiting user trust in platforms.
- The shared C2 setup suggests a highly organized operation with resources to sustain attacks across different OSes and devices.
- Short-term defenses focus on code review and automated scanning tools (GitGuardian, Checkmarx, GitHub Advanced Security) to detect malicious patterns.
- Medium-term guidance emphasizes monitoring for unauthorized applications and increasing collaboration within the cybersecurity community.
MITRE Techniques
- [T1195] Supply Chain Compromise – The threat actors skillfully crafted fake profiles and repositories on GitHub, presenting counterfeit versions of well-known software. "The threat actors skillfully crafted fake profiles and repositories on GitHub, presenting counterfeit versions of well-known software."
- [T1036] Masquerading – The actors presented counterfeit versions of legitimate software by creating fake GitHub profiles and repositories. "The threat actors skillfully crafted fake profiles and repositories on GitHub, presenting counterfeit versions of well-known software."
- [T1071.001] Web Protocols – The campaigns shared a common command-and-control (C2) infrastructure, indicating coordinated control over infected hosts. "shared a common command-and-control (C2) infrastructure."
Indicators of Compromise
- [Domains] context – aptonic.xyz, arcbrowser.pro, and other domains listed in the article
- [IP Address] context – 5.42.64.45, 5.42.64.83, and other IPs listed
- [URL] context – github.com/papinyurii33
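As an added example (not code from the Insikt Group report), the following Python script matches the domain, IP and GitHub-account indicators listed above against proxy log lines; the log format and the sample entries are constructed assumptions, and subdomains of a listed domain are treated as hits while look-alike suffixes are not.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the report above: domains, IPs and the GitHub account.
IOC_DOMAINS = {"aptonic.xyz", "arcbrowser.pro"}
IOC_IPS = {"5.42.64.45", "5.42.64.83"}
IOC_GITHUB_ACCOUNTS = {"papinyurii33"}  # from github.com/papinyurii33


def domain_matches(host, iocs):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def classify_url(url):
    """Return 'ip', 'domain' or 'github-account' for a hit, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    try:
        ipaddress.ip_address(host)  # destination is a literal IP
        return "ip" if host in IOC_IPS else None
    except ValueError:
        pass
    if domain_matches(host, IOC_DOMAINS):
        return "domain"
    if host == "github.com":
        owner = parsed.path.strip("/").split("/")[0]  # account owning the repo
        if owner in IOC_GITHUB_ACCOUNTS:
            return "github-account"
    return None


# Constructed proxy log lines (assumed format: ts src_ip method url status).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://github.com/papinyurii33/fake-app/releases/download/v1/App.dmg 200
2024-06-01T10:00:04Z 10.0.0.5 POST http://5.42.64.83/api/upload 200
2024-06-01T10:00:09Z 10.0.0.7 GET https://cdn.aptonic.xyz/installer.dmg 200
2024-06-01T10:00:12Z 10.0.0.9 GET https://github.com/example-org/example-repo 200
2024-06-01T10:00:15Z 10.0.0.9 GET https://aptonic.xyz.example.net/ 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text):
    """Return (src_ip, indicator_type, url) for every log line hitting an IoC."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        kind = classify_url(m.group(4))
        if kind:
            hits.append((m.group(2), kind, m.group(4)))
    return hits
```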