GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

    Date: 01/27/2025

    Severity: Medium

    Summary

    "GitHub’s Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools" highlights the growing trend of malicious actors exploiting GitHub to distribute malware, specifically a variant of Lumma Stealer. Users searching for game hacks, cracked software, or cryptocurrency tools often encounter these compromised repositories, which appear legitimate due to their descriptions, licenses, and screenshots. As GitHub detects and removes these repositories, new ones quickly emerge with different software names but identical malware payloads, creating a cycle of ongoing cyber threats.

    Indicators of Compromise (IOC) List

    URL/Domain

    github.com/632763276327ermwhatthesigma/hack-apex-1egend

    github.com/VynnProjects/h4ck-f0rtnite

    github.com/TechWezTheMan/Discord-AllinOne-Tool

    github.com/UNDERBOSSDS/ESET-KeyGen-2024

    github.com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t

    github.com/Magercat/Al-Photoshop-2024

    github.com/nate24321/minecraft-cheat2024

    github.com/classroom-x-games/counter-str1ke-2-h4ck

    github.com/LittleHa1r/ESET-KeyGen-2024

    github.com/ferhatdermaster/Adobe-Express-2024

    github.com/CrazFrogb/23fasd21/releases/download/loader/Loader.Github.zip

    github.com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Tool-and-RICOCHET-Bypass

    github.com/Notalight/h4ck-f0rtnite

    github.com/Ayush9876643/r0blox-synapse-x-free

    github.com/FlqmzeCraft/cheat-escape-from-tarkov

    github.com/Ayush9876643/cheat-escape-from-tarkov

    github.com/Ayush9876643/rust-hack-fr33

    github.com/ppetriix/rust-hack-fr33

    github.com/Ayush9876643/Roblox-Blox-Fruits-Script-2024

    github.com/LandonPasana21/Roblox-Blox-Fruits-Script-2024

    github.com/Ayush9876643/Rainbow-S1x-Siege-Cheat

    github.com/Ayush9876643/SonyVegas-2024

    github.com/123456789433/SonyVegas-2024

    github.com/Ayush9876643/Nexus-Roblox

    github.com/cIeopatra/Nexus-Roblox

    github.com/Ayush9876643/m0dmenu-gta5-free

    github.com/GerardoR17/m0dmenu-gta5-free

    github.com/Ayush9876643/minecraft-cheat2024

    github.com/RakoBman/cheat-apex-legends-download

    github.com/Ayush9876643/cheat-apex-legends-download

    github.com/cIiqued/FL-Studio

    github.com/Ayush9876643/FL-Studio

    github.com/Axsle-gif/h4ck-f0rtnite

    github.com/Ayush9876643/h4ck-f0rtnite

    github.com/SUPAAAMAN/m0dmenu-gta5-free

    github.com/atomicthefemboy/cheat-apex-legends-download

    github.com/Notalight/FL-Studio

    github.com/Notalight/r0blox-synapse-x-free

    github.com/Notalight/cheat-apex-legends-download

    github.com/Notalight/cheat-escape-from-tarkov

    github.com/Notalight/rust-hack-fr33

    github.com/Notalight/Roblox-Blox-Fruits-Script-2024

    github.com/Notalight/Rainbow-S1x-Siege-Cheat

    github.com/Notalight/SonyVegas-2024

    github.com/Notalight/Nexus-Roblox

    github.com/Notalight/minecraft-cheat2024

    github.com/Notalight/m0dmenu-gta5-free

    github.com/ZinkosBR/r0blox-synapse-x-free

    github.com/ZinkosBR/cheat-escape-from-tarkov

    github.com/ZinkosBR/rust-hack-fr33

    github.com/ZinkosBR/Roblox-Blox-Fruits-Script-2024

    github.com/ZinkosBR/Rainbow-S1x-Siege-Cheat

    github.com/ZinkosBR/Nexus-Roblox

    github.com/ZinkosBR/m0dmenu-gta5-free

    github.com/ZinkosBR/minecraft-cheat2024

    github.com/ZinkosBR/h4ck-f0rtnite

    github.com/ZinkosBR/FL-Studio

    github.com/ZinkosBR/cheat-apex-legends-download

    github.com/EliminatorGithub/counter-str1ke-2-h4ck

    Github.com/ashishkumarku10/call-0f-duty-warz0ne-h4ck

    IP Address

    104.21.48.1

    104.21.112.1

    104.21.16.1

    Hash

    CB6DDBF14DBEC8AF55986778811571E6
    
    C610FD2A7B958E79F91C5F058C7E3147
    
    3BBD94250371A5B8F88B969767418D70
    
    CF19765D8A9A2C2FD11A7A8C4BA3DEDA
    
    69E530BC331988E4E6FE904D2D23242A
    
    35A2BDC924235B5FA131095985F796EF
    
    EB604E2A70243ACB885FE5A944A647C3
    
    690DBCEA5902A1613CEE46995BE65909
    
    2DF535AFF67A94E1CDAD169FFCC4562A
    
    84100E7D46DF60FE33A85F16298EE41C
    
    00BA06448D5E03DFBFA60A4BC2219193

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

     

    userdomainname like "github.com/632763276327ermwhatthesigma/hack-apex-1egend" or url like "github.com/632763276327ermwhatthesigma/hack-apex-1egend" or
    userdomainname like "github.com/VynnProjects/h4ck-f0rtnite" or url like "github.com/VynnProjects/h4ck-f0rtnite" or
    userdomainname like "github.com/TechWezTheMan/Discord-AllinOne-Tool" or url like "github.com/TechWezTheMan/Discord-AllinOne-Tool" or
    userdomainname like "github.com/UNDERBOSSDS/ESET-KeyGen-2024" or url like "github.com/UNDERBOSSDS/ESET-KeyGen-2024" or
    userdomainname like "github.com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t" or url like "github.com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t" or
    userdomainname like "github.com/Magercat/Al-Photoshop-2024" or url like "github.com/Magercat/Al-Photoshop-2024" or
    userdomainname like "github.com/nate24321/minecraft-cheat2024" or url like "github.com/nate24321/minecraft-cheat2024" or
    userdomainname like "github.com/classroom-x-games/counter-str1ke-2-h4ck" or url like "github.com/classroom-x-games/counter-str1ke-2-h4ck" or
    userdomainname like "github.com/LittleHa1r/ESET-KeyGen-2024" or url like "github.com/LittleHa1r/ESET-KeyGen-2024" or
    userdomainname like "github.com/ferhatdermaster/Adobe-Express-2024" or url like "github.com/ferhatdermaster/Adobe-Express-2024" or
    userdomainname like "github.com/CrazFrogb/23fasd21/releases/download/loader/Loader.Github.zip" or url like "github.com/CrazFrogb/23fasd21/releases/download/loader/Loader.Github.zip" or
    userdomainname like "github.com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Tool-and-RICOCHET-Bypass" or url like "github.com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Tool-and-RICOCHET-Bypass" or
    userdomainname like "github.com/Notalight/h4ck-f0rtnite" or url like "github.com/Notalight/h4ck-f0rtnite" or
    userdomainname like "github.com/Ayush9876643/r0blox-synapse-x-free" or url like "github.com/Ayush9876643/r0blox-synapse-x-free" or
    userdomainname like "github.com/FlqmzeCraft/cheat-escape-from-tarkov" or url like "github.com/FlqmzeCraft/cheat-escape-from-tarkov" or
    userdomainname like "github.com/Ayush9876643/cheat-escape-from-tarkov" or url like "github.com/Ayush9876643/cheat-escape-from-tarkov" or
    userdomainname like "github.com/Ayush9876643/rust-hack-fr33" or url like "github.com/Ayush9876643/rust-hack-fr33" or
    userdomainname like "github.com/ppetriix/rust-hack-fr33" or url like "github.com/ppetriix/rust-hack-fr33" or
    userdomainname like "github.com/Ayush9876643/Roblox-Blox-Fruits-Script-2024" or url like "github.com/Ayush9876643/Roblox-Blox-Fruits-Script-2024" or
    userdomainname like "github.com/LandonPasana21/Roblox-Blox-Fruits-Script-2024" or url like "github.com/LandonPasana21/Roblox-Blox-Fruits-Script-2024" or
    userdomainname like "github.com/Ayush9876643/Rainbow-S1x-Siege-Cheat" or url like "github.com/Ayush9876643/Rainbow-S1x-Siege-Cheat" or
    userdomainname like "github.com/Ayush9876643/SonyVegas-2024" or url like "github.com/Ayush9876643/SonyVegas-2024" or
    userdomainname like "github.com/123456789433/SonyVegas-2024" or url like "github.com/123456789433/SonyVegas-2024" or
    userdomainname like "github.com/Ayush9876643/Nexus-Roblox" or url like "github.com/Ayush9876643/Nexus-Roblox" or
    userdomainname like "github.com/cIeopatra/Nexus-Roblox" or url like "github.com/cIeopatra/Nexus-Roblox" or
    userdomainname like "github.com/Ayush9876643/m0dmenu-gta5-free" or url like "github.com/Ayush9876643/m0dmenu-gta5-free" or
    userdomainname like "github.com/GerardoR17/m0dmenu-gta5-free" or url like "github.com/GerardoR17/m0dmenu-gta5-free" or
    userdomainname like "github.com/Ayush9876643/minecraft-cheat2024" or url like "github.com/Ayush9876643/minecraft-cheat2024" or
    userdomainname like "github.com/RakoBman/cheat-apex-legends-download" or url like "github.com/RakoBman/cheat-apex-legends-download" or
    userdomainname like "github.com/Ayush9876643/cheat-apex-legends-download" or url like "github.com/Ayush9876643/cheat-apex-legends-download" or
    userdomainname like "github.com/cIiqued/FL-Studio" or url like "github.com/cIiqued/FL-Studio" or
    userdomainname like "github.com/Ayush9876643/FL-Studio" or url like "github.com/Ayush9876643/FL-Studio" or
    userdomainname like "github.com/Axsle-gif/h4ck-f0rtnite" or url like "github.com/Axsle-gif/h4ck-f0rtnite" or
    userdomainname like "github.com/Ayush9876643/h4ck-f0rtnite" or url like "github.com/Ayush9876643/h4ck-f0rtnite" or
    userdomainname like "github.com/SUPAAAMAN/m0dmenu-gta5-free" or url like "github.com/SUPAAAMAN/m0dmenu-gta5-free" or
    userdomainname like "github.com/atomicthefemboy/cheat-apex-legends-download" or url like "github.com/atomicthefemboy/cheat-apex-legends-download" or
    userdomainname like "github.com/Notalight/FL-Studio" or url like "github.com/Notalight/FL-Studio" or
    userdomainname like "github.com/Notalight/r0blox-synapse-x-free" or url like "github.com/Notalight/r0blox-synapse-x-free" or
    userdomainname like "github.com/Notalight/cheat-apex-legends-download" or url like "github.com/Notalight/cheat-apex-legends-download" or
    userdomainname like "github.com/Notalight/cheat-escape-from-tarkov" or url like "github.com/Notalight/cheat-escape-from-tarkov" or
    userdomainname like "github.com/Notalight/rust-hack-fr33" or url like "github.com/Notalight/rust-hack-fr33" or
    userdomainname like "github.com/Notalight/Roblox-Blox-Fruits-Script-2024" or url like "github.com/Notalight/Roblox-Blox-Fruits-Script-2024" or
    userdomainname like "github.com/Notalight/Rainbow-S1x-Siege-Cheat" or url like "github.com/Notalight/Rainbow-S1x-Siege-Cheat" or
    userdomainname like "github.com/Notalight/SonyVegas-2024" or url like "github.com/Notalight/SonyVegas-2024" or
    userdomainname like "github.com/Notalight/Nexus-Roblox" or url like "github.com/Notalight/Nexus-Roblox" or
    userdomainname like "github.com/Notalight/minecraft-cheat2024" or url like "github.com/Notalight/minecraft-cheat2024" or
    userdomainname like "github.com/Notalight/m0dmenu-gta5-free" or url like "github.com/Notalight/m0dmenu-gta5-free" or
    userdomainname like "github.com/ZinkosBR/r0blox-synapse-x-free" or url like "github.com/ZinkosBR/r0blox-synapse-x-free" or
    userdomainname like "github.com/ZinkosBR/cheat-escape-from-tarkov" or url like "github.com/ZinkosBR/cheat-escape-from-tarkov" or
    userdomainname like "github.com/ZinkosBR/rust-hack-fr33" or url like "github.com/ZinkosBR/rust-hack-fr33" or
    userdomainname like "github.com/ZinkosBR/Roblox-Blox-Fruits-Script-2024" or url like "github.com/ZinkosBR/Roblox-Blox-Fruits-Script-2024" or
    userdomainname like "github.com/ZinkosBR/Rainbow-S1x-Siege-Cheat" or url like "github.com/ZinkosBR/Rainbow-S1x-Siege-Cheat" or
    userdomainname like "github.com/ZinkosBR/Nexus-Roblox" or url like "github.com/ZinkosBR/Nexus-Roblox" or
    userdomainname like "github.com/ZinkosBR/m0dmenu-gta5-free" or url like "github.com/ZinkosBR/m0dmenu-gta5-free" or
    userdomainname like "github.com/ZinkosBR/minecraft-cheat2024" or url like "github.com/ZinkosBR/minecraft-cheat2024" or
    userdomainname like "github.com/ZinkosBR/h4ck-f0rtnite" or url like "github.com/ZinkosBR/h4ck-f0rtnite" or
    userdomainname like "github.com/ZinkosBR/FL-Studio" or url like "github.com/ZinkosBR/FL-Studio" or
    userdomainname like "github.com/ZinkosBR/cheat-apex-legends-download" or url like "github.com/ZinkosBR/cheat-apex-legends-download" or
    userdomainname like "github.com/EliminatorGithub/counter-str1ke-2-h4ck" or url like "github.com/EliminatorGithub/counter-str1ke-2-h4ck" or
    userdomainname like "Github.com/ashishkumarku10/call-0f-duty-warz0ne-h4ck" or url like "Github.com/ashishkumarku10/call-0f-duty-warz0ne-h4ck"

    Detection Query 2

    dstipaddress IN ("104.21.112.1","104.21.16.1","104.21.48.1") or ipaddress IN ("104.21.112.1","104.21.16.1","104.21.48.1") or publicipaddress IN ("104.21.112.1","104.21.16.1","104.21.48.1") or srcipaddress IN ("104.21.112.1","104.21.16.1","104.21.48.1")

    Detection Query 3

    md5hash IN ("84100E7D46DF60FE33A85F16298EE41C","CF19765D8A9A2C2FD11A7A8C4BA3DEDA","2DF535AFF67A94E1CDAD169FFCC4562A","690DBCEA5902A1613CEE46995BE65909","3BBD94250371A5B8F88B969767418D70","00BA06448D5E03DFBFA60A4BC2219193","C610FD2A7B958E79F91C5F058C7E3147","69E530BC331988E4E6FE904D2D23242A","CB6DDBF14DBEC8AF55986778811571E6","35A2BDC924235B5FA131095985F796EF","EB604E2A70243ACB885FE5A944A647C3")
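    The three detection queries above are written for the Gurucul TDIR query language; to sanity-check the same logic offline before deploying it, the following added example (not Gurucul's or McAfee's code) evaluates equivalent matchers over a few constructed sample events. It uses a subset of the IOCs listed on this page and assumes that `like` behaves as a case-insensitive substring match, which is an assumption about the platform's semantics, not a documented fact.

```python
"""Offline evaluation of the three detection queries against constructed events.
Added example, not code from Gurucul or McAfee. The IOC values below are a
subset copied from the advisory; the sample events are constructed."""

# Subset of the advisory's repository IOCs (see the IOC list above).
REPO_IOCS = [
    "github.com/VynnProjects/h4ck-f0rtnite",
    "github.com/UNDERBOSSDS/ESET-KeyGen-2024",
    "github.com/CrazFrogb/23fasd21/releases/download/loader/Loader.Github.zip",
    "Github.com/ashishkumarku10/call-0f-duty-warz0ne-h4ck",
]
# IP and hash IOCs as given in Detection Query 2 and 3.
IP_IOCS = {"104.21.112.1", "104.21.16.1", "104.21.48.1"}
MD5_IOCS = {
    "CB6DDBF14DBEC8AF55986778811571E6",
    "84100E7D46DF60FE33A85F16298EE41C",
}

# Field names mirror the columns used in the three queries.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def like(value, pattern):
    """Approximation of the query's `like` (assumption): case-insensitive
    substring match, so a full URL containing the repo path still hits and
    the 'Github.com' capitalisation in one IOC does not matter."""
    return value is not None and pattern.lower() in value.lower()


def query1(event):
    """Detection Query 1: any URL-bearing field matches a known repo path."""
    return any(like(event.get(f), p) for f in URL_FIELDS for p in REPO_IOCS)


def query2(event):
    """Detection Query 2: any IP field equals one of the listed addresses."""
    return any(event.get(f) in IP_IOCS for f in IP_FIELDS)


def query3(event):
    """Detection Query 3: md5hash equals one of the listed hashes
    (compared case-insensitively, since hash casing varies between sources)."""
    h = event.get("md5hash")
    return h is not None and h.upper() in MD5_IOCS


QUERIES = {
    "Detection Query 1": query1,
    "Detection Query 2": query2,
    "Detection Query 3": query3,
}


def evaluate(events):
    """Return {event_id: [names of the queries that matched]} for hits only."""
    hits = {}
    for ev in events:
        matched = [name for name, q in QUERIES.items() if q(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


# Constructed sample events; 192.0.2.0/24 is documentation address space.
SAMPLE_EVENTS = [
    {"id": "e1", "url": "https://github.com/VynnProjects/h4ck-f0rtnite/releases",
     "dstipaddress": "192.0.2.10"},
    {"id": "e2", "url": "https://github.com/octocat/Hello-World",
     "dstipaddress": "192.0.2.10"},
    {"id": "e3", "srcipaddress": "10.0.0.5", "dstipaddress": "104.21.16.1"},
    {"id": "e4", "md5hash": "cb6ddbf14dbec8af55986778811571e6",
     "url": "https://example.invalid/download"},
    {"id": "e5", "userdomainname": "github.com/ashishkumarku10/call-0f-duty-warz0ne-h4ck",
     "dstipaddress": "104.21.48.1"},
]

if __name__ == "__main__":
    for event_id, names in evaluate(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(names))
```

    Note that the three IP addresses in Detection Query 2 sit in address space announced by Cloudflare, which many unrelated sites share, so an IP-only hit is a weak signal on its own; treat a Query 1 or Query 3 match on the same host as the corroborating evidence before escalating.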

    Reference: 

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/githubs-dark-side-unveiling-malware-disguised-as-cracks-hacks-and-crypto-tools/


    Tags

    Malware, Lumma Stealer, cryptocurrency, GitHub
