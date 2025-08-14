Threat actors have been using GitHub repositories that spoof legitimate software to distribute the SmartLoader malware at scale in a new campaign, according to GBHackers News.
Running the contents of the malicious GitHub repositories, which pose as utilities, cracked VPN software, and video game tools, loads a script that launches SmartLoader. SmartLoader collects screenshots and encoded system information and exfiltrates them to an attacker-controlled command-and-control (C2) server, according to a report from the AhnLab Security Intelligence Center. Further commands from the C2 server lead to the execution of another obfuscated Lua script and of 64-bit and 32-bit builds of the Rhadamanthys information stealer, which are injected into the Windows processes dialex.exe, openwith.exe, rundll32.exe, and dllhost.exe to steal online banking, FTP, and email data. Because SmartLoader has previously been used to deliver the Lumma and RedLine stealers, users are urged to verify repository authenticity and obtain software only through official channels.
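The chain described above (a Lua-based loader stage followed by Rhadamanthys being injected into dialex.exe, openwith.exe, rundll32.exe, or dllhost.exe) is the kind of behaviour a detection rule can correlate from endpoint telemetry. The following is an added example written for this page, not code from AhnLab, GBHackers, or the campaign; it assumes a constructed, Sysmon-like event schema, a hypothetical list of Lua interpreter image names (the report does not name the interpreter), and a 10-minute correlation window. It flags a remote-thread creation into one of the reported target processes only when the injecting process is a Lua host launched earlier or one of its descendants.

```python
from dataclasses import dataclass

# Injection targets named in the report (spelled as the page spells them).
INJECTION_TARGETS = {"dialex.exe", "openwith.exe", "rundll32.exe", "dllhost.exe"}
# Assumption: image names under which an obfuscated Lua stage might run.
# The report does not name the interpreter; these are illustrative only.
LUA_HOSTS = {"lua.exe", "lua51.exe", "lua5.1.exe", "luajit.exe"}
# Assumption: how long after the Lua launch an injection is still treated as related.
WINDOW_SECONDS = 600


@dataclass(frozen=True)
class Alert:
    lua_pid: int          # pid of the Lua host that started the lineage
    lua_image: str        # full path of that Lua host
    injector_pid: int     # process that created the remote thread
    target_image: str     # hollowed target (basename, lowercase)
    ts: int               # timestamp of the injection event


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_lua_loader_injection(events):
    """Correlate a Lua host launch with a later remote-thread creation into a
    reported target process by that host or any process descended from it.

    Constructed event schema (Sysmon-like, not a real product format):
      {"type": "process_create", "ts", "pid", "ppid", "image"}
      {"type": "create_remote_thread", "ts", "source_pid", "target_pid", "target_image"}
    """
    # pid -> (root Lua pid, launch ts, root image); populated for the Lua host
    # and every process created beneath it. Pid reuse is not handled here.
    lineage = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_create":
            if _basename(ev["image"]) in LUA_HOSTS:
                lineage[ev["pid"]] = (ev["pid"], ev["ts"], ev["image"])
            elif ev["ppid"] in lineage:
                lineage[ev["pid"]] = lineage[ev["ppid"]]
        elif ev["type"] == "create_remote_thread":
            origin = lineage.get(ev["source_pid"])
            target = _basename(ev["target_image"])
            # Untracked injector or uninteresting target: not this chain.
            if origin is None or target not in INJECTION_TARGETS:
                continue
            root_pid, root_ts, root_image = origin
            # Too long after the loader ran to be treated as the same chain.
            if ev["ts"] - root_ts > WINDOW_SECONDS:
                continue
            alerts.append(Alert(root_pid, root_image, ev["source_pid"], target, ev["ts"]))
    return alerts


# Constructed sample telemetry for the example; not data from the campaign.
SAMPLE_EVENTS = [
    # Lua interpreter started from an extracted "repository" in Downloads.
    {"type": "process_create", "ts": 0, "pid": 100, "ppid": 50,
     "image": r"C:\Users\u\Downloads\vpn-crack-main\lua51.exe"},
    # Child dropped by the Lua stage.
    {"type": "process_create", "ts": 30, "pid": 101, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    # The child injects into openwith.exe: should alert.
    {"type": "create_remote_thread", "ts": 45, "source_pid": 101, "target_pid": 202,
     "target_image": r"C:\Windows\System32\openwith.exe"},
    # Unrelated process injects into rundll32.exe: not in the lineage, no alert.
    {"type": "create_remote_thread", "ts": 60, "source_pid": 300, "target_pid": 203,
     "target_image": r"C:\Windows\System32\rundll32.exe"},
    # Same child injects again, but well outside the window: no alert.
    {"type": "create_remote_thread", "ts": 2000, "source_pid": 101, "target_pid": 204,
     "target_image": r"C:\Windows\System32\dllhost.exe"},
]


if __name__ == "__main__":
    for alert in detect_lua_loader_injection(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule produces exactly one alert, for the openwith.exe injection at ts=45, and stays silent on the injection from an untracked process and on the one outside the window. Two caveats for production use: pid reuse over long windows can misattribute lineage, so key the table on a process GUID where the sensor provides one, and the Lua host list is an assumption that should be replaced by whatever interpreter names appear in your own telemetry.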
