A newly discovered malware campaign is exploiting the popularity of GitHub to distribute sophisticated malware disguised as “Free VPN for PC” and “Minecraft Skin Changer.”
CYFIRMA’s latest technical analysis reveals how cybercriminals combine social engineering, advanced obfuscation, and legitimate Windows processes to implant the notorious Lumma Stealer, a powerful information-stealing malware.
Dangerous Lures on a Trusted Platform
Threat actors are hosting malicious payloads on GitHub under repositories like github[.]com/SAMAIOEC/free-vpn-for-pc, portraying them as helpful utilities.
Unsuspecting users seeking free software are drawn in by detailed installation guides, and the payloads are delivered as password-protected ZIP files to bypass browser security checks. Once extracted and run, these files launch an executable named “Launch.exe,” initiating a multi-stage attack chain.
Advanced Attack Chain – Obfuscation and Process Injection
The attack begins with “Launch.exe,” a trojanized application packed with randomly-generated assembly metadata to evade detection.
At its core, the executable contains an obfuscated, Base64-encoded DLL. The malware decodes and decrypts this payload at runtime using deliberately hidden routines, then drops it as a DLL disguised under the name msvcp110.dll in the user’s AppData directory.
The malicious DLL is then dynamically loaded and executed through Windows API calls such as LoadLibrary and GetProcAddress.

The malware employs anti-debugging measures and further obfuscates its code through the use of meaningless strings and convoluted logic, thereby frustrating analysts and automated defenses.
A critical aspect of this campaign is “DLL side-loading”: trusted Windows binaries such as MSBuild.exe are abused to load and run the malware in memory, bypassing both antivirus and endpoint defenses.
The malware also utilizes process injection with APIs such as VirtualAlloc and NtWriteVirtualMemory, ensuring the Lumma Stealer runs covertly and persistently on the target system.
Real-World Threats and Defenses
Dynamic analysis revealed the malware’s attempts to communicate with multiple command-and-control domains, such as explorationmsn[.]store, all of which are linked to prior Lumma Stealer operations.
Signature-based detection is further complicated by high entropy, code packing, and evasion methods.
CYFIRMA provides actionable recommendations:
- Block identified malicious domains at the network perimeter.
- Restrict downloads of executable and encrypted files from GitHub.
- Monitor for suspicious DLLs in user directories.
- Deploy the supplied YARA rules across endpoints and mail gateways.
- Educate users on the dangers of downloading unofficial “free” tools.
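One way to act on the “monitor for suspicious DLLs in user directories” recommendation, as an added example that is not CYFIRMA’s code: a Python hunt over Sysmon-style file-create and image-load records that flags a system runtime DLL name such as msvcp110.dll appearing under AppData, and MSBuild.exe loading a module from there. The field names and the sample records are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Runtime DLL names that legitimately live under System32/SysWOW64 or beside an
# installed application, never under a user's AppData tree. msvcp110.dll is the
# name the campaign reuses; the other entries are an assumed starting list.
SYSTEM_RUNTIME_DLLS = {"msvcp110.dll", "msvcr110.dll", "msvcp140.dll", "vcruntime140.dll"}

# Trusted Windows binaries the analysis names as abused for in-memory execution.
ABUSED_HOSTS = {"msbuild.exe"}

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    """True when the path sits under any user's AppData tree."""
    return bool(USER_WRITABLE.match(path))


def classify(event: dict) -> list[str]:
    """Return the reasons a file-create (11) or image-load (7) record resembles this campaign."""
    reasons = []
    image = event.get("ImageLoaded") or event.get("TargetFilename") or ""
    name = PureWindowsPath(image).name.lower()
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    if name in SYSTEM_RUNTIME_DLLS and is_user_writable(image):
        reasons.append(f"runtime DLL name {name} in user-writable path")
    if event.get("EventID") == 7 and host in ABUSED_HOSTS and is_user_writable(image):
        reasons.append(f"{host} loaded a module from a user-writable path")
    if event.get("EventID") == 7 and event.get("Signed", "").lower() == "false" \
            and name.endswith(".dll") and is_user_writable(image):
        reasons.append("unsigned DLL loaded from a user-writable path")
    return reasons


# Constructed Sysmon-style records (assumed field names); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\free-vpn-for-pc\Launch.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\msvcp110.dll"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\msvcp110.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Editor\editor.exe",  # benign: same DLL name, system path
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll", "Signed": "true"},
]


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify over every record; return (index, reasons) for the suspicious ones."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The benign third record shows why the path check matters: the DLL name alone is not an indicator, only its presence under a user-writable directory is.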
This campaign highlights how trusted open-source platforms can be weaponized to deliver advanced malware.
The use of layered obfuscation, process injection, and masquerading tactics underscores the importance of proactive threat hunting, enhanced endpoint security, and robust user awareness.
Organizations should remain vigilant and enforce policies to counter the growing risk of social engineering and open-source malware distribution.