GitHub Abused to Spread Malware Disguised as Free VPN

    Date: 07/10/2025

    Severity: High

    Summary

    A recent malware campaign hosted on GitHub uses popular lures such as “Free VPN for PC” and “Minecraft Skin Changer” to trick users into executing a malicious dropper named Launch.exe. The dropper relies on process injection, DLL side-loading, and stealthy execution to deploy Lumma Stealer, an information-stealing malware. Technical analysis covers both its static and dynamic behaviour, along with the obfuscation and anti-analysis methods it employs.

    Indicators of Compromise (IOC) List

    URL/Domain:
        Explorationmsn.store
        Snailyeductyi.sbs
        Ferrycheatyk.sbs
        Deepymouthi.sbs
        Wrigglesight.sbs
        Captaitwik.sbs
        Sidercotay.sbs
        Heroicmint.sbs
        monstourtu.sbs

    Hash (SHA-256):
        acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca
        15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "Snailyeductyi.sbs" or siteurl like "Snailyeductyi.sbs" or url like "Snailyeductyi.sbs"
    or domainname like "Wrigglesight.sbs" or siteurl like "Wrigglesight.sbs" or url like "Wrigglesight.sbs"
    or domainname like "Deepymouthi.sbs" or siteurl like "Deepymouthi.sbs" or url like "Deepymouthi.sbs"
    or domainname like "Captaitwik.sbs" or siteurl like "Captaitwik.sbs" or url like "Captaitwik.sbs"
    or domainname like "monstourtu.sbs" or siteurl like "monstourtu.sbs" or url like "monstourtu.sbs"
    or domainname like "Explorationmsn.store" or siteurl like "Explorationmsn.store" or url like "Explorationmsn.store"
    or domainname like "Ferrycheatyk.sbs" or siteurl like "Ferrycheatyk.sbs" or url like "Ferrycheatyk.sbs"
    or domainname like "Sidercotay.sbs" or siteurl like "Sidercotay.sbs" or url like "Sidercotay.sbs"
    or domainname like "Heroicmint.sbs" or siteurl like "Heroicmint.sbs" or url like "Heroicmint.sbs"

    Detection Query 2:

    sha256hash IN ("15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925","acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca")
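    The two queries above match on the indicator strings exactly as listed. As an added example that is not part of the original advisory or of the Gurucul product, the Python below applies the same domain and SHA-256 checks to a few constructed log records, normalising case (the IOC list mixes capitalised and lowercase domains, and DNS names are case-insensitive) and also flagging subdomains of the listed domains, which the exact-string queries would miss. The field names domainname, siteurl, url and sha256hash are taken from the queries; the sample records are constructed.

```python
from urllib.parse import urlparse

# Indicators from the advisory's IOC list, lowercased for matching.
IOC_DOMAINS = {d.lower() for d in [
    "Explorationmsn.store", "Snailyeductyi.sbs", "Ferrycheatyk.sbs",
    "Deepymouthi.sbs", "Wrigglesight.sbs", "Captaitwik.sbs",
    "Sidercotay.sbs", "Heroicmint.sbs", "monstourtu.sbs",
]}
IOC_SHA256 = {
    "acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca",
    "15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925",
}

def _host_of(value):
    """Extract a lowercase hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    # Bare 'host/path' or 'host:port' forms without a scheme.
    return value.split("/", 1)[0].split(":", 1)[0]

def domain_matches(value):
    """True if the host equals, or is a subdomain of, an IOC domain."""
    host = _host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hash_matches(value):
    """Case-insensitive SHA-256 comparison against the IOC hashes."""
    return value.strip().lower() in IOC_SHA256

def check_record(rec):
    """Return (field, value) pairs in one log record that hit an IOC.
    Mirrors Query 1 (domainname/siteurl/url) and Query 2 (sha256hash)."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        if field in rec and domain_matches(rec[field]):
            hits.append((field, rec[field]))
    if "sha256hash" in rec and hash_matches(rec["sha256hash"]):
        hits.append(("sha256hash", rec["sha256hash"]))
    return hits

# Constructed sample records (not taken from the advisory).
SAMPLE_LOGS = [
    {"url": "https://cdn.snailyeductyi.sbs/Launch.exe"},
    {"domainname": "WRIGGLESIGHT.SBS"},
    {"sha256hash": "ACBAA6041286F9E3C815CD1712771A490530F52C90CE64DA20F28CFA0955A5CA"},
    {"domainname": "example.com", "sha256hash": "0" * 64},
]

def scan(records):
    """Return the indexes of records that matched at least one indicator."""
    return [i for i, rec in enumerate(records) if check_record(rec)]
```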

    Reference:

    https://www.cyfirma.com/research/github-abused-to-spread-malware-disguised-as-free-vpn/

    Tags: Malware, Lumma Stealer, GitHub, DLL
