Date: 06/20/2025
Severity: Medium
Summary
Water Curse, a newly identified threat actor, is using weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools. The campaign is linked to at least 76 GitHub accounts and includes tools such as an SMTP email bomber and Sakura-RAT, which were presented as legitimate penetration testing utilities but carried hidden malicious payloads embedded in their Visual Studio project configuration files. The malware enables data exfiltration, remote access, and persistent control of the host through multistage infection chains built from obfuscated VBS and PowerShell scripts. Because it targets cybersecurity professionals, game developers, and DevOps teams who routinely trust open-source software, the campaign poses a significant supply chain risk and underscores the need to audit and validate open-source tools, including their build configuration, before use.
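The summary above notes that the payloads were hidden in Visual Studio project configuration files. The following is an added example, not code from the advisory or from the Trend Micro report, of the audit step a practitioner would run before building a downloaded project: it parses .csproj/.vcxproj/.props/.targets XML and flags PreBuildEvent, PostBuildEvent, PreLinkEvent and <Exec> commands that launch script interpreters or downloaders. It assumes the payload is launched from MSBuild build events, which is one common way code hidden in a project file executes as soon as the project is built; the two project files and the keyword list are constructed for the example.

```python
"""Audit MSBuild project files for build-event command execution.

Added example (not from the advisory). Assumption: a hidden payload is started
from a build event or <Exec> task, so those are the elements inspected.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed keyword list: interpreters, LOLBins and download cmdlets that
# have no business in a typical build step. Tune to the project being audited.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd(\.exe)?\s*/c|wscript|cscript|mshta|regsvr32|rundll32|"
    r"certutil|bitsadmin|curl|wget|Invoke-WebRequest|\biwr\b|Invoke-Expression|"
    r"\biex\b|-enc(odedcommand)?\b|FromBase64String|\.vbs\b|\.ps1\b|\.hta\b)",
    re.IGNORECASE,
)
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}


def strip_ns(tag: str) -> str:
    """Old-style projects carry the msbuild/2003 namespace; drop it."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml: str):
    """Return (element_name, command_text) for every build event / Exec task."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = strip_ns(el.tag)
        if name in EVENT_TAGS:
            # C++ projects nest <Command> under the event; C# puts the text directly.
            cmd = el.text or ""
            for child in el:
                if strip_ns(child.tag) == "Command" and child.text:
                    cmd = child.text
            found.append((name, cmd.strip()))
        elif name == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command").strip()))
    return found


def audit_project(project_xml: str):
    """Return only the build commands that look like script/download execution."""
    return [(n, c) for n, c in build_commands(project_xml) if SUSPICIOUS.search(c)]


def scan_tree(root_dir: str):
    """Walk a checkout and audit every MSBuild file in it."""
    report = {}
    for path in Path(root_dir).rglob("*"):
        if path.suffix.lower() in {".csproj", ".vcxproj", ".props", ".targets"}:
            try:
                hits = audit_project(path.read_text(encoding="utf-8-sig"))
            except ET.ParseError:
                continue
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: a benign post-build copy next to a hidden encoded
# PowerShell launcher, and a C++ project that starts a VBS file before build.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <PropertyGroup>
    <PostBuildEvent>xcopy /y "$(TargetDir)config.json" "$(SolutionDir)out\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Prepare" BeforeTargets="Build">
    <Exec Command="powershell -w hidden -ep bypass -enc SQBFAFgA" />
  </Target>
</Project>
"""
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c start /min wscript //B "$(ProjectDir)build.vbs"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f, hits in scan_tree(sys.argv[1]).items():
            for element, cmd in hits:
                print(f"{f}: <{element}> {cmd}")
    else:
        for sample in (SAMPLE_CSPROJ, SAMPLE_VCXPROJ):
            print(audit_project(sample))
```

Run it against the unpacked repository directory before opening the solution in Visual Studio; the `SUSPICIOUS` list is deliberately broad and should be treated as a triage filter, with every hit read by a human.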
Indicators of Compromise (IOC) List
URL/Domains | https://rlim.com/seraswodinsx/raw
https://pastebin.com/raw/LC0H4rhJ
https://pastejustit.com/raw/tfauzcl5xj
https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z
https://popcorn-soft.glitch.me/popcornsoft.me
|
IP Address | 46.101.236.176 |
Hash (SHA-1) | 6b78948f441eee53f21791d4dd88dd4fdcd5f7e3
4c189405d684eb8e70b1848b356967e783b9c543
5cd53d94caf0e811b82bad958b34322eb082567f
e1a02b787597a844b82a73c2488000088d0533b4
ad25ee224973140d41c6ecf1c1500d4efeb0b324
27c4161777ba005166156de311ba58de49eac874
435e74551890b8c70c4b09446ec6ce0a932763f5
4c391ebeff4cdfbc87ca83772a535d4386e5a5b2
585b76875aad1c99d3e06c29ad46b3adeb45639d
fdb9fc2de72be71084cc60508d00bedbf9337172
60bdf425bd22c34bad7d5663db31d2107153f729
68911ad6696cfdb15c967a82c2d8aab1be634659
d94f476b2aceaf4e83197475280f89ecbe3b8d35
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "https://pastebin.com/raw/LC0H4rhJ" or siteurl like "https://pastebin.com/raw/LC0H4rhJ" or url like "https://pastebin.com/raw/LC0H4rhJ"
or domainname like "https://rlim.com/seraswodinsx/raw" or siteurl like "https://rlim.com/seraswodinsx/raw" or url like "https://rlim.com/seraswodinsx/raw"
or domainname like "https://pastejustit.com/raw/tfauzcl5xj" or siteurl like "https://pastejustit.com/raw/tfauzcl5xj" or url like "https://pastejustit.com/raw/tfauzcl5xj"
or domainname like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or siteurl like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or url like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z"
or domainname like "https://popcorn-soft.glitch.me/popcornsoft.me" or siteurl like "https://popcorn-soft.glitch.me/popcornsoft.me" or url like "https://popcorn-soft.glitch.me/popcornsoft.me" |
Detection Query 2 : | dstipaddress IN ("46.101.236.176") or srcipaddress IN ("46.101.236.176") |
Detection Query 3 : | hash IN (
"fdb9fc2de72be71084cc60508d00bedbf9337172",
"60bdf425bd22c34bad7d5663db31d2107153f729",
"6b78948f441eee53f21791d4dd88dd4fdcd5f7e3",
"27c4161777ba005166156de311ba58de49eac874",
"4c391ebeff4cdfbc87ca83772a535d4386e5a5b2",
"e1a02b787597a844b82a73c2488000088d0533b4",
"ad25ee224973140d41c6ecf1c1500d4efeb0b324",
"4c189405d684eb8e70b1848b356967e783b9c543",
"5cd53d94caf0e811b82bad958b34322eb082567f",
"435e74551890b8c70c4b09446ec6ce0a932763f5",
"585b76875aad1c99d3e06c29ad46b3adeb45639d",
"68911ad6696cfdb15c967a82c2d8aab1be634659",
"d94f476b2aceaf4e83197475280f89ecbe3b8d35"
) |
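The three queries above match full URLs, one IP and a set of SHA-1 hashes. One caveat a practitioner will hit when porting them to another SIEM: DNS, firewall and most proxy logs carry only the hostname, so a clause that compares a `domainname` field against a full URL string never fires on those sources. The following is an added example, not the advisory's own query language, that loads the IOC list from this page and runs it over constructed JSON log lines from proxy, DNS, firewall and EDR sources, matching URLs exactly and additionally matching the hostnames derived from them (except github.com, which is too generic to alert on by name alone). Field names and log lines are assumptions made for the example.

```python
"""Match the advisory's IOCs against constructed proxy/DNS/firewall/EDR events.

Added example (not Gurucul or Trend Micro code). Assumed field names:
url, domain, src_ip, dst_ip, sha1/hash. Log lines below are constructed.
"""
import json
from urllib.parse import urlsplit

IOC_URLS = [
    "https://rlim.com/seraswodinsx/raw",
    "https://pastebin.com/raw/LC0H4rhJ",
    "https://pastejustit.com/raw/tfauzcl5xj",
    "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z",
    "https://popcorn-soft.glitch.me/popcornsoft.me",
]
IOC_IPS = {"46.101.236.176"}
IOC_SHA1 = {
    "6b78948f441eee53f21791d4dd88dd4fdcd5f7e3", "4c189405d684eb8e70b1848b356967e783b9c543",
    "5cd53d94caf0e811b82bad958b34322eb082567f", "e1a02b787597a844b82a73c2488000088d0533b4",
    "ad25ee224973140d41c6ecf1c1500d4efeb0b324", "27c4161777ba005166156de311ba58de49eac874",
    "435e74551890b8c70c4b09446ec6ce0a932763f5", "4c391ebeff4cdfbc87ca83772a535d4386e5a5b2",
    "585b76875aad1c99d3e06c29ad46b3adeb45639d", "fdb9fc2de72be71084cc60508d00bedbf9337172",
    "60bdf425bd22c34bad7d5663db31d2107153f729", "68911ad6696cfdb15c967a82c2d8aab1be634659",
    "d94f476b2aceaf4e83197475280f89ecbe3b8d35",
}
# Assumption: hosts that serve the world are matched only on the full URL.
GENERIC_HOSTS = {"github.com"}


def url_key(url: str):
    """Normalise a URL to (host, path, query) so scheme and trailing slash do not matter."""
    p = urlsplit(url.strip())
    return (p.hostname or "").lower(), (p.path.rstrip("/") or "/"), p.query


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
# Hostnames derived from the URL IOCs, usable against DNS and firewall logs.
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS} - GENERIC_HOSTS


def match_event(event: dict):
    """Return a list of 'type:value' hits for one parsed log event."""
    hits = []
    url = event.get("url")
    host = event.get("domain")
    if url:
        if url_key(url) in IOC_URL_KEYS:
            hits.append("url:" + url)
        host = host or urlsplit(url).hostname
    if host:
        host = host.lower().rstrip(".")
        if host in IOC_HOSTS:
            hits.append("host:" + host)
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in IOC_IPS:
            hits.append("ip:" + event[field])
    for field in ("sha1", "hash"):
        value = (event.get(field) or "").lower()
        if value in IOC_SHA1:
            hits.append("sha1:" + value)
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every JSON log line that matched an IOC."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            results.append((n, hits))
    return results


# Constructed log lines: proxy, DNS, DNS, firewall, EDR, proxy.
SAMPLE_LOGS = [
    '{"src_ip": "10.0.0.5", "dst_ip": "198.51.100.10", "url": "https://pastebin.com/raw/LC0H4rhJ"}',
    '{"src_ip": "10.0.0.7", "domain": "rlim.com", "qtype": "A"}',
    '{"src_ip": "10.0.0.7", "domain": "github.com", "qtype": "A"}',
    '{"src_ip": "10.0.0.9", "dst_ip": "46.101.236.176", "dst_port": 443}',
    '{"host": "dev-01", "process": "SearchFilter.exe", "sha1": "6B78948F441EEE53F21791D4DD88DD4FDCD5F7E3"}',
    '{"src_ip": "10.0.0.5", "url": "https://github.com/unheard44/other/releases/download/v1/SearchFilter.7z"}',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```

Line 2 is the case the URL-only query misses: a bare DNS lookup of rlim.com. Line 6 shows the other side of the trade-off, a different github.com repository path that should not fire just because the host appears in the IOC list.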
Reference:
https://www.trendmicro.com/en_us/research/25/f/water-curse.html