Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new methods.
Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either raw encrypted scripting code or malicious executables. Their tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute malware via malicious links on their repositories and encrypted archives as releases. This network not only distributes malware but also provides various other activities that make these “Ghost” accounts appear as normal users.
Read more…
Source: Check Point
Related:
- Multifunction Printer Security Concerns within the Enterprise Business Environment
December 11, 2025
Multifunction printers (MFPs) do far more than print. They scan, email, fax, store, and authenticate. That convenience comes with risk. Our latest report, Understanding Multifunction Printer (MFP) Security within the Enterprise Business Environment, from Rapid7’s Deral Heiland, Principal Security Researcher (IoT), and Sam Moses, Security Consultant, takes a clear look at where MFPs expand your ...
- Hunting for Mythic in network traffic
December 11, 2025
Threat actors frequently employ post-exploitation frameworks in cyberattacks to maintain control over compromised hosts and move laterally within the organization’s network. While they once favored closed-source frameworks, such as Cobalt Strike and Brute Ratel C4, open-source projects like Mythic, Sliver, and Havoc have surged in popularity in recent years. Malicious actors are also quick to adopt ...
- U.S. Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
December 9, 2025
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the ...
- Goodbye, dark Telegram: Blocks are pushing the underground out
December 9, 2025
Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens. When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – ...
- National cybercrime network operating for 14 years dismantled in Indonesia
December 8, 2025
Security researchers have uncovered enormous cybercrime infrastructure in Indonesia that’s been operating unabated for more than 14 years. The length of the operation, the domains included, the malware circulated, and the data being sold on the black market, were all so big that the researchers – Malanta.ai – said the campaign resembles a nation-state campaign ...
- React2Shell RCE flaw exploited by Chinese hackers hours after disclosure
December 8, 2025
Just as the experts predicted, cybercriminals are now actively exploiting the critical severity vulnerability in React Server Components (RSC) that was discovered late last week. To make matters worse, the crooks observed abusing the bug seem to be working for the Chinese government. Late last week, the React team published a security advisory detailing a pre-authentication ...