Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new methods.
Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either raw encrypted scripting code or malicious executables. Their tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute malware via malicious links on their repositories and encrypted archives as releases. This network not only distributes malware but also provides various other activities that make these “Ghost” accounts appear as normal users.
Read more…
Source: Check Point
Related:
- Outlaw cybergang attacking targets worldwide
April 29, 2025
In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Previous research described Outlaw samples obtained from honeypots. In this ...
- M&S: WFH staff locked out of systems amid cyber attack fallout
April 28, 2025
M&S has shut remote-working employees out of some of its IT systems as it struggles to recover from the fallout of a cyberattack last week. The high street giant closed some of the programmes that staff use to log into the internal IT systems when working outside of the office, The Times reported. Cybersecurity experts said ...
- Android malware turns phones into malicious tap-to-pay machines
April 24, 2025
Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that ...
- M&S: FTSE 100 giant battling cyber attack
April 22, 2025
M&S has revealed it has been battling what it has described as a “cyber incident” over the past few days. The FTSE 100 giant said that it’s made some “minor, temporary changes to our store operations to protect customers and the business” and “we are sorry for any inconvenience experienced.” M&S confirmed that it is working ...
- FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
April 21, 2025
During trend Micro researchers monitoring of the ransomware threat landscape, they discovered samples with infection chain characteristics and payloads that can be attributed to FOG ransomware. A total of nine samples were uploaded to VirusTotal between March 27 and April 2, which the researchers recently discovered were multiple ransomware binaries with .flocked extension and readme.txt notes. ...
- Lumma Stealer – Tracking distribution channels
April 21, 2025
The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as ...