Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub

    Date: 06/20/2025

    Severity: Medium

    Summary

    Water Curse, a newly identified threat actor, is exploiting weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools. Linked to at least 76 GitHub accounts, the campaign includes tools such as an SMTP email bomber and Sakura-RAT, which were presented as legitimate penetration testing utilities but contained hidden malicious payloads embedded within their Visual Studio project configuration files. The malware enables data exfiltration, remote access, and persistent system control through complex infection chains using obfuscated VBS and PowerShell scripts. Targeting cybersecurity professionals, game developers, and DevOps teams who trust open-source software, this campaign poses a significant supply chain risk and underscores the need to thoroughly audit and validate open-source tools before use.
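Because the campaign hid its payloads in Visual Studio project configuration, a pre-build audit of MSBuild project files is one practical way to act on the advice to validate open-source tools before use. The script below is an added example, not code from this advisory or from the Trend Micro research; the build-hook tag list, the keyword pattern and the sample .csproj are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose contents are executed during a build (csproj/vcxproj styles).
BUILD_HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command", "Exec"}
# Script hosts and flags commonly used to launch hidden VBS/PowerShell stages (constructed list).
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|regsvr32|rundll32"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|frombase64string|downloadstring"
    r"|invoke-webrequest|invoke-expression|\biex\b|https?://)",
    re.IGNORECASE,
)

def _local(tag):
    """Strip the MSBuild XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_msbuild_project(xml_text):
    """Return (tag, command) pairs for build-time commands that match SUSPICIOUS."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "Exec":                      # <Exec Command="..."/> task
            cmd = elem.get("Command", "")
        elif tag in BUILD_HOOK_TAGS:           # <PreBuildEvent>...</PreBuildEvent> etc.
            cmd = elem.text or ""
        else:
            continue
        if SUSPICIOUS.search(cmd):
            findings.append((tag, " ".join(cmd.split())))
    return findings

# Constructed sample: a benign post-build copy plus two hidden launchers.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>powershell -w hidden -enc QUJD</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="wscript.exe //B $(ProjectDir)build\\setup.vbs" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for tag, cmd in audit_msbuild_project(SAMPLE_CSPROJ):
        print(f"[!] {tag}: {cmd}")
```

Run it over every .csproj, .vcxproj and .targets file in a cloned repository before opening the solution, since these hooks execute as soon as the project is built.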

    Indicators of Compromise (IOC) List

    URL/Domains

    https://rlim.com/seraswodinsx/raw

    https://pastebin.com/raw/LC0H4rhJ

    https://pastejustit.com/raw/tfauzcl5xj

    https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z

    https://popcorn-soft.glitch.me/popcornsoft.me

    IP Address

    46.101.236.176

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://pastebin.com/raw/LC0H4rhJ" or siteurl like "https://pastebin.com/raw/LC0H4rhJ" or url like "https://pastebin.com/raw/LC0H4rhJ" or domainname like "https://rlim.com/seraswodinsx/raw" or siteurl like "https://rlim.com/seraswodinsx/raw" or url like "https://rlim.com/seraswodinsx/raw" or domainname like "https://pastejustit.com/raw/tfauzcl5xj" or siteurl like "https://pastejustit.com/raw/tfauzcl5xj" or url like "https://pastejustit.com/raw/tfauzcl5xj" or domainname like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or siteurl like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or url like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or domainname like "https://popcorn-soft.glitch.me/popcornsoft.me" or siteurl like "https://popcorn-soft.glitch.me/popcornsoft.me" or url like "https://popcorn-soft.glitch.me/popcornsoft.me"

    Detection Query 2:

    dstipaddress IN ("46.101.236.176") or srcipaddress IN ("46.101.236.176")

    Detection Query 3:

    hash IN ("fdb9fc2de72be71084cc60508d00bedbf9337172","60bdf425bd22c34bad7d5663db31d2107153f729","6b78948f441eee53f21791d4dd88dd4fdcd5f7e3","27c4161777ba005166156de311ba58de49eac874","4c391ebeff4cdfbc87ca83772a535d4386e5a5b2","e1a02b787597a844b82a73c2488000088d0533b4","ad25ee224973140d41c6ecf1c1500d4efeb0b324","4c189405d684eb8e70b1848b356967e783b9c543","5cd53d94caf0e811b82bad958b34322eb082567f","435e74551890b8c70c4b09446ec6ce0a932763f5","585b76875aad1c99d3e06c29ad46b3adeb45639d","68911ad6696cfdb15c967a82c2d8aab1be634659","d94f476b2aceaf4e83197475280f89ecbe3b8d35")

    Reference:

    https://www.trendmicro.com/en_us/research/25/f/water-curse.html


    Tags

    Malware, Threat Actor, Water Curse, SMTP Email Bomber, Sakura-RAT, RAT, Exfiltration, GitHub
