Listen to this Post

Introduction
Security researchers have uncovered a sophisticated malware campaign exploiting GitHub, one of the world’s most trusted code-sharing platforms. This operation specifically targets gamers and software enthusiasts searching for cheats, cracks, or automation tools. By masquerading as legitimate repositories, attackers distribute SmartLoader malware and the dangerous Rhadamanthys information stealer, highlighting a growing trend of cyber threats using popular developer platforms as a delivery mechanism.
Gamers and Software Enthusiasts at Risk
The attack relies on meticulously crafted GitHub repositories designed to appear completely legitimate. These repositories include professional README files, detailed installation instructions, and complete project overviews, creating a convincing façade of safety. Cybercriminals have optimized these pages to rank highly in Google search results for terms like “game hacks” and “software cracks,” ensuring that they are easily discoverable by potential victims. Popular targets include Maple Story cheats, Minecraft clients, Call of Duty hacks, and cracked versions of software like VSDC Video Editor Pro.
Within these repositories, users will find compressed files containing four critical components: a legitimate Lua loader (java.exe/luajit.exe), a malicious batch file (Launcher.cmd), the Lua runtime interpreter (lua51.dll), and an obfuscated Lua script (module.class). When users execute Launcher.cmd, the system unknowingly runs SmartLoader under the guise of legitimate software, effectively bypassing suspicion while installing malicious components.
Multi-Stage Attack Chain
Once activated, SmartLoader establishes persistence on the victim’s machine, copying its files to %AppData%\ODE3 and creating a scheduled task under the name SecurityHealthService_ODE3. The malware immediately begins collecting sensitive information, taking screenshots and gathering system data. This information is transmitted to a command-and-control server at 89.169.13[.]215 using encrypted Base64 and byte operations to avoid detection.
The server responds with JSON-formatted commands, including loader configuration settings and tasks specifying additional payloads. Researchers identified three secondary payloads: another Lua script (adobe.lua) mimicking SmartLoader’s behavior and both 32-bit and 64-bit versions of the Rhadamanthys stealer. Rhadamanthys is particularly dangerous, capable of injecting itself into legitimate Windows processes such as openwith.exe, dialer.exe, dllhost.exe, and rundll32.exe, systematically stealing email credentials, FTP logins, and online banking information.
What Undercode Say:
This malware campaign reflects a significant evolution in cyberattack strategies, leveraging the inherent trust users place in GitHub repositories. Unlike traditional phishing campaigns or drive-by downloads, this operation uses legitimate-looking files and instructions to lower suspicion. The choice of targeting gamers and software enthusiasts is strategic: these users frequently download third-party tools and are more likely to bypass standard security precautions.
The multi-stage attack chain of SmartLoader and Rhadamanthys showcases advanced evasion techniques. By obfuscating malicious Lua scripts and encrypting all communications, attackers make detection by conventional antivirus software extremely challenging. Embedding malware within legitimate processes allows attackers to maintain persistence even after system reboots, increasing the potential for long-term data exfiltration.
Another concerning aspect is the use of GitHub infrastructure, which inherently grants credibility to malicious repositories. Users often assume repositories hosted on GitHub are vetted or at least trustworthy, creating a false sense of security. The campaign also demonstrates a precise understanding of human behavior in online communities, particularly the vulnerability of those seeking shortcuts like cheats or cracked software.
This incident reinforces the importance of cybersecurity hygiene: downloading software only from official sources, scrutinizing repository authors and commit histories, and avoiding executing unfamiliar files. Security researchers suggest that even repositories that appear professional can be weaponized, emphasizing the need for continuous vigilance and layered security solutions.
Overall, this campaign illustrates a trend where attackers exploit legitimate platforms rather than relying solely on suspicious websites. By blending malicious payloads with credible content, cybercriminals can achieve higher infection rates while evading traditional security measures. Organizations and individual users alike need to adapt, combining technical safeguards with awareness and training to prevent falling victim to such sophisticated attacks.
🔍 Fact Checker Results
GitHub repositories can be used to distribute malware: ✅
SmartLoader installs silently through legitimate-looking files: ✅
Attack specifically targets gamers and software enthusiasts: ✅
📊 Prediction
Given the sophistication of this campaign, similar attacks are likely to expand beyond gaming communities. Expect cybercriminals to increasingly exploit trusted platforms, such as code repositories, cloud storage, and collaboration tools, to deliver malware. Organizations may need enhanced monitoring of third-party code sources and automated tools to detect suspicious repository activity before widespread damage occurs.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




