{"id":6898,"date":"2025-09-13T10:03:58","date_gmt":"2025-09-13T10:03:58","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/13\/new-malvertising-campaign-leverages-github-repository-to-deliver-malware\/"},"modified":"2025-09-13T10:03:58","modified_gmt":"2025-09-13T10:03:58","slug":"new-malvertising-campaign-leverages-github-repository-to-deliver-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/13\/new-malvertising-campaign-leverages-github-repository-to-deliver-malware\/","title":{"rendered":"New Malvertising Campaign Leverages GitHub Repository to Deliver Malware"},"content":{"rendered":"

New Malvertising Campaign Leverages GitHub Repository to Deliver Malware
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated malvertising campaign has emerged, exploiting GitHub repositories through dangling commits to distribute malware via fake GitHub Desktop clients.<\/p>\n

This novel attack vector represents a significant evolution in cybercriminal tactics, leveraging the trust and legitimacy associated with GitHub\u2019s platform to deceive unsuspecting users into downloading malicious software.<\/p>\n

The campaign operates by promoting compromised GitHub repositories<\/a> containing dangling commits that serve as delivery mechanisms for malware payloads.<\/p>\n

When users search for GitHub Desktop through compromised advertisements, they are redirected to malicious repositories that appear legitimate but contain hidden malware embedded within the repository structure.<\/p>\n

The attack leverages users\u2019 familiarity with GitHub\u2019s interface and their trust in the platform\u2019s security.<\/p>\n

Upon successful infection, the malware<\/a> establishes persistence on victim systems while maintaining covert communication channels with command and control servers.<\/p>\n

\n
\"\"
Attack chain (Source \u2013 X)<\/figcaption><\/figure>\n<\/div>\n

Unit 42 researchers identified<\/a> this campaign through behavioral analysis of suspicious GitHub repository activities and anomalous download patterns associated with fake GitHub Desktop installers.<\/p>\n

Advanced Infection Mechanism and Payload Execution<\/strong><\/h2>\n

The malware employs a sophisticated multi-stage infection process that begins when users download what appears to be a legitimate GitHub Desktop installer.<\/p>\n

The initial payload performs comprehensive system discovery, collecting detailed information about the infected machine including operating system details, installed software, and network configurations.<\/p>\n

This reconnaissance data is immediately exfiltrated to attacker-controlled servers before proceeding to the next infection stage.<\/p>\n

\n
\n
\n
\n

We have tracked a #malvertising<\/a> campaign that promoted dangling commits in an official GitHub repository. This new campaign tricked users into downloading a fake GitHub desktop client that delivered malware in the background. More info at: https:\/\/t.co\/7tX3rz1TST<\/a> pic.twitter.com\/V9yNrUU6xW<\/a><\/p>\n

\u2014 Unit 42 (@Unit42_Intel) September 11, 2025<\/a>\n<\/p><\/blockquote>\n