Malware, Supply chain, DevOps

GitHub Desktop installer spoofed for malware delivery


GBHackers News reports that malware masquerading as the GitHub Desktop installer has been deployed by abusing GitHub fork architecture.

According to an analysis from GMO Cybersecurity, the threat actors created multiple disposable GitHub accounts and forked the legitimate GitHub Desktop repository, adding a malicious download link that points to their own installer, in a bid to keep the link reachable even after the fork is deleted. The attackers then promoted the illicit GitHubDesktopSetup-x64.exe installer through search result ads. The installer resembles older samples that spoofed the Google Chrome, 1Password, Bitwarden, and Notion apps.

Running the counterfeit GitHub Desktop installer deploys the HijackLoader malware and creates a scheduled task for persistence. The installer also uses OpenCL to evade analysis and deliberately misdirects its code to hinder recovery of the decryption key. Such a threat highlights the importance of downloading installers only from official release pages, researchers said.
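One way a defender can act on that advice is to triage candidate download links before an installer is fetched, flagging anything that is not a release asset of the canonical repository. The example below is added here and is not code from the article or from GMO Cybersecurity; it assumes the official GitHub Desktop repository is github.com/desktop/desktop, and the sample URLs, release tag and account name are constructed.

```python
from urllib.parse import urlparse

# Assumed canonical location of GitHub Desktop releases (not stated in the article).
OFFICIAL_OWNER = "desktop"
OFFICIAL_REPO = "desktop"


def classify_installer_url(url: str) -> str:
    """Classify a candidate installer link as 'official', 'fork', 'non-release' or 'untrusted'."""
    parts = urlparse(url)
    # Ad landing pages, look-alike hosts and plain-http links are never acceptable.
    if parts.scheme != "https" or parts.hostname not in ("github.com", "www.github.com"):
        return "untrusted"
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 2:
        return "untrusted"
    owner, repo = segs[0].lower(), segs[1].lower()
    # A repository with the right name under a throwaway account is the fork pattern
    # described in the article.
    if owner != OFFICIAL_OWNER or repo != OFFICIAL_REPO:
        return "fork"
    # Only assets published under releases/download count as an official build.
    if len(segs) >= 4 and segs[2] == "releases" and segs[3] == "download":
        return "official"
    # blob/raw/commit links under the official owner are not release assets and are
    # treated as unverified rather than trusted.
    return "non-release"


def triage(urls):
    """Return only the links that should not be fetched, with their reason."""
    return {u: c for u in urls if (c := classify_installer_url(u)) != "official"}


if __name__ == "__main__":
    # Constructed sample links for demonstration.
    samples = [
        "https://github.com/desktop/desktop/releases/download/release-0.0.0/GitHubDesktopSetup-x64.exe",
        "https://github.com/throwaway-account-0/desktop/raw/main/GitHubDesktopSetup-x64.exe",
        "https://github.com/desktop/desktop/blob/0000000/README.md",
        "https://github-desktop-download.example/GitHubDesktopSetup-x64.exe",
    ]
    for link, reason in triage(samples).items():
        print(f"{reason:12s} {link}")
```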
