GitCaught: New Malware Campaign Uses GitHub for Malicious Downloads
According to a report by Insikt Group, cybercriminals are exploiting GitHub and FileZilla to deliver infostealers and trojans disguised as macOS applications such as 1Password, Bartender 5, and Pixelmator Pro. The campaign has been named GitCaught.
Experts note that the presence of numerous malware variants indicates a strategy of cross-platform targeting (Android, macOS, and Windows), while the C2 infrastructure suggests centralized command control, enhancing the efficiency of the attacks.
The attack chain involves creating fake accounts and repositories on GitHub, where counterfeit versions of legitimate programs are hosted, designed to steal sensitive data from infected devices. Links to these malicious files are then embedded in various domains and disseminated through malvertising and SEO poisoning campaigns.
The attackers use FileZilla servers to manage and deliver the malware. Further analysis of the disk images hosted on GitHub and the related infrastructure revealed that the attacks are part of a larger campaign, active since at least August 2023, that distributes malware families such as RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT.
Particularly noteworthy is the Rhadamanthys infection chain, where victims visiting fake download sites are redirected to Bitbucket and Dropbox hosting malicious files, indicating a broader misuse of legitimate services.