The Heist: An Analogy for Modern Info-Stealers
The Trojan Gift

The Silent Drone
Alex runs the program. Nothing happens on screen, but a hidden "Recon Drone" quietly deploys. To get past the firewall (the security guards), it does not carry a fixed address for contacting the hacker.
Instead, it uses a "dead drop" strategy. The hacker writes the current meeting point on a public notice board that anyone can read (a blockchain smart contract), and the drone checks that board each time it needs to call home. Even if a firewall blocks one address, the hacker has already posted the next one, and the drone picks it up on its next check.

The 1GB Disguise

The Ghost Heist
Having slipped past the antivirus, StealC 2.0 now has free rein. It immediately breaks into Alex's web browser and vacuums up his private data: saved website passwords, login cookies and crypto wallet data. It packages all of this and ships it to the hacker's command-and-control (C2) server. Once the loot is secured, a built-in timer fires and the malware deletes itself from the machine.
By the time Alex realizes his digital life is compromised, the crime scene is spotless.

Incident Overview
Sangfor Farsight Labs recently uncovered a software supply chain attack that uses phishing as its primary delivery method. A financially motivated threat actor seeds the development ecosystem at its source with GitHub repositories that masquerade as legitimate, well-rated tools. The lure is designed to get past ordinary security-awareness filters and trick IT professionals and developers into running malicious code in their own environments.
The Target: Developer Endpoints
The campaign specifically targets developers, as these users serve as high-access gateways to an organization's most sensitive assets:
- Elevated Network Privileges: These users often have broad access to internal administrative systems.
- Cloud Infrastructure Keys: Attackers seek credentials and access tokens for platforms like AWS or Azure.
- Critical Source Code: Exposure of proprietary code can lead to intellectual property theft or further exploitation.
Because of this high-level access, the compromise of a single developer endpoint can rapidly escalate from a localized data theft into a catastrophic enterprise-wide breach.
Key Technical Highlights
1. Using GitHub as a "Safe House"
With DevOps tooling everywhere, attackers now build on GitHub's own features. They use repositories as a place to stage malicious files and the instructions that drive the infection. Because developers and CI systems pull from github.com all day, most firewalls and proxies allow that traffic, so downloads of the staged content blend in with legitimate use and are rarely blocked.

2. Binary Padding to Evade Antivirus
After the archive is downloaded, the bundled lua.exe is run and immediately inflates the file it drops to over 1 GB of junk data. This "bloating" trick exploits the maximum-file-size limit that many antivirus engines enforce: the file is skipped rather than scanned. It also makes the sample awkward to upload to sandboxes and analysis tools. It shows how deliberately the attackers work at staying undetected.
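To make the padding check concrete, here is an added example (written for this article, not code from the report or from the malware) that flags padded PE files by parsing the PE headers and measuring the overlay, the bytes that lie past the end of the last section. The check works whether the junk is zeroes or random data, which a simple entropy test would miss, and it reads only the first 64 KiB of each file, so it stays cheap on 1 GB samples. The 512 MiB cutoff, the 90% overlay ratio and the fake PE used as sample input are assumptions for the example.

```python
import os
import struct
import sys
from pathlib import Path

# Assumed cutoffs for this example: the report only says the file grows past 1 GB, so we flag
# any PE over MIN_SIZE whose bytes beyond the last section (the "overlay") dominate the file.
MIN_SIZE = 512 * 1024 * 1024
MIN_OVERLAY_RATIO = 0.9
HEAD_BYTES = 64 * 1024          # PE headers and the section table fit in the first 64 KiB


def pe_image_end(head: bytes):
    """Offset where the last section's raw data ends, computed from the PE headers alone.

    Returns None if the buffer is not a PE image or the headers are truncated.
    """
    try:
        if head[:2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", head, 0x3C)
        if head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
        num_sections, = struct.unpack_from("<H", head, coff + 2)
        opt_size, = struct.unpack_from("<H", head, coff + 16)
        sect = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
        end = sect + 40 * num_sections                        # at least the headers themselves
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each section header
            raw_size, raw_ptr = struct.unpack_from("<II", head, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:
        return None


def overlay_ratio(head: bytes, total_size: int):
    """Fraction of the file that lies beyond the mapped image; None for non-PE input."""
    end = pe_image_end(head)
    if end is None or total_size <= 0:
        return None
    return max(0, total_size - end) / total_size


def is_bloated_pe(head: bytes, total_size: int, min_size=MIN_SIZE, min_ratio=MIN_OVERLAY_RATIO):
    """True when a large PE is almost entirely overlay, i.e. padding appended after the image."""
    if total_size < min_size:
        return False
    ratio = overlay_ratio(head, total_size)
    return ratio is not None and ratio >= min_ratio


def scan_tree(root, **thresholds):
    """Walk a directory (e.g. %TEMP%) and return padded PE files, reading only each file's head."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        size = path.stat().st_size
        if size < thresholds.get("min_size", MIN_SIZE):
            continue                                          # skip before opening: cheap on big trees
        with open(path, "rb") as f:
            head = f.read(HEAD_BYTES)
        if is_bloated_pe(head, size, **thresholds):
            hits.append(str(path))
    return hits


def build_fake_pe(overlay_size: int) -> bytes:
    """Constructed PE-shaped blob (headers only, not executable) with one 0x200-byte section at
    file offset 0x200, followed by `overlay_size` bytes of random junk. Random rather than zero
    padding is used on purpose: an entropy check would miss it, the header check does not."""
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)   # 1 section, 0xF0-byte optional header
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
               + b"PE\0\0" + coff + b"\0" * 0xF0 + section)
    image = headers.ljust(0x400, b"\0")                               # headers + section raw data
    return image + os.urandom(overlay_size)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "/tmp")
    for hit in scan_tree(root):
        print("padded PE:", hit)
```

Run it against the temp directory on a suspect host. The size pre-filter means the scan never opens small files, and the overlay measurement means a legitimate installer with a modest appended payload (a few megabytes of resources) stays well under the ratio.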

3. Constantly Changing Server Addresses
The malware does not carry a fixed server address. After stealing data, it uploads it to a remote server whose current address it reads from a smart contract on the Polygon blockchain (via polygon-rpc.com). The attackers rotate that address simply by updating the contract, so even if a firewall blocks one address, the malware reads the next one and keeps exfiltrating data.
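The resolver mechanism, as an added example (not the malware's code and not Sangfor's; the contract function and its 4-byte selector are not in the report, so the selector below is a placeholder, and the reply is constructed). The first half shows what the client does: one free eth_call read against the contract address from the IoC table, then an ABI decode of the returned string. The second half shows the defender's side: flag JSON-RPC eth_call posts to a public RPC host from a process that is not a browser, given simplified proxy/EDR records. The host set, the browser allowlist and the sample records are assumptions.

```python
import json

RPC_ENDPOINT = "https://polygon-rpc.com"                        # RPC host named in the report
CONTRACT = "0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc"           # contract address from the IoC table
# Assumed: the contract exposes a no-argument view function returning a string. The report does
# not give its name, so this 4-byte selector is a placeholder, not the real one.
SELECTOR = "0xdeadbeef"


def build_eth_call(contract=CONTRACT, selector=SELECTOR, request_id=1):
    """The JSON-RPC body a resolver posts to read contract state. Nothing is written on-chain and
    no wallet is needed: eth_call is a free read, which is what makes the dead drop cheap to run."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def abi_encode_string(value: str) -> str:
    """ABI-encode a single `string` return value: 32-byte offset, 32-byte length, padded bytes."""
    data = value.encode("utf-8")
    padded = data + b"\0" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string: follow the offset word, read the length word, slice the bytes."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def resolve_c2(rpc_response: dict) -> str:
    """What the client does with the reply: the current C2 URL is whatever the contract says today."""
    if "error" in rpc_response:
        raise RuntimeError(f"rpc error: {rpc_response['error']}")
    return abi_decode_string(rpc_response["result"])


# Constructed reply; 203.0.113.0/24 is a documentation range, not a real C2.
CONSTRUCTED_RESPONSE = {"jsonrpc": "2.0", "id": 1,
                        "result": abi_encode_string("http://203.0.113.10:8080/api")}

# --- defender side ---------------------------------------------------------------------------
PUBLIC_RPC_HOSTS = {"polygon-rpc.com"}                  # assumed; extend with other public RPC endpoints
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist: wallet extensions do eth_call too


def flag_rpc_beacons(records):
    """Return records where a non-browser process POSTs an eth_call to a public RPC endpoint.
    `records` are simplified proxy/EDR events: dicts with process, host, method and body."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST" or rec.get("host") not in PUBLIC_RPC_HOSTS:
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except ValueError:
            continue
        if body.get("method") == "eth_call" and rec.get("process", "").lower() not in BROWSERS:
            hits.append(rec)
    return hits


# Constructed events: one resolver beacon from lua.exe, one legitimate browser read, one unrelated GET.
CONSTRUCTED_EVENTS = [
    {"process": "lua.exe", "host": "polygon-rpc.com", "method": "POST", "body": json.dumps(build_eth_call())},
    {"process": "chrome.exe", "host": "polygon-rpc.com", "method": "POST", "body": json.dumps(build_eth_call())},
    {"process": "lua.exe", "host": "github.com", "method": "GET", "body": ""},
]

if __name__ == "__main__":
    print("request body:", json.dumps(build_eth_call()))
    print("resolved C2:", resolve_c2(CONSTRUCTED_RESPONSE))
    for hit in flag_rpc_beacons(CONSTRUCTED_EVENTS):
        print("beacon:", hit["process"], "->", hit["host"])
```

The detection needs process attribution, which a plain web proxy log does not have; pair the proxy record with the EDR network event, or run the rule on EDR telemetry alone. Blocking the RPC host outright breaks legitimate wallet software, so the process allowlist is the useful lever.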

4. Automatic Exit Based on Location
When the software starts, it first checks the system language and locale. If the user appears to be in one of a set of excluded countries, the malware exits immediately and performs no further actions. This kind of locale kill switch is common in commodity stealers and is not something a defender should rely on.

TTPs Analysis
| Tactic | Technique Name & ID | Details from Incident |
| Command & Control | Web Service: Dead Drop Resolver (T1102.001) | Lua scripts query a smart contract on the Polygon network through polygon-rpc.com and read the current Command & Control (C2) address from the contract's state. The address is never hardcoded in the malware; the attacker rotates it by updating the contract. |
| Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) | To survive reboots, the malware registers a Windows scheduled task. The task abuses the legitimate Setup.exe binary to launch its malicious script, socket3.lua. |
| Defense Evasion | Obfuscated Files or Information: Binary Padding (T1027.001) | As of January 26, 2026, the attacker hosts encrypted payloads on GitHub. Once decrypted, the script inflates the dropped file to over 1 GB in the temporary folder. Many scanners enforce a maximum file size and skip anything above it to save CPU, so the bloated file is never inspected. |
| Credential Access | Credentials from Password Stores (T1555) | The bloated file executes the StealC v2 infostealer, which harvests browser credentials (saved passwords and cookies) and cryptocurrency wallet data, including private keys. |
| Defense Evasion | Indicator Removal: File Deletion (T1070.004) | After exfiltration completes, a built-in timer fires and the malware deletes itself from disk to remove evidence of the intrusion. |
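As an added example to support the persistence row (example code for this article, not from the report), the functions below parse scheduled task definitions in the XML format Windows stores under %SystemRoot%\System32\Tasks and flag Exec actions that reference lua.exe, a .lua script or Setup.exe, or that run from a user-writable directory. The task XML used as sample input is constructed, and the user-writable path list is an assumed heuristic.

```python
import os
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASKS_DIR = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "Tasks"

# Indicators from the report: lua.exe, the socket3.lua script, a binary called Setup.exe.
SUSPICIOUS_NAMES = re.compile(r"(?:^|[\\/\s])(?:lua\.exe|setup\.exe|socket3\.lua)\b|\.lua\b", re.IGNORECASE)
# Assumed heuristic: tasks that run from locations a normal user can write to deserve a look.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def task_actions(xml_bytes: bytes):
    """Yield (command, arguments) for every <Exec> action in a task definition.
    Takes bytes on purpose: task files are UTF-16 with a BOM and expat handles that itself."""
    root = ET.fromstring(xml_bytes)
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def task_findings(xml_bytes: bytes):
    """Return (reason, command line) pairs for actions that match either rule."""
    findings = []
    for cmd, args in task_actions(xml_bytes):
        line = f"{cmd} {args}".strip()
        if SUSPICIOUS_NAMES.search(line):
            findings.append(("lua/setup indicator", line))
        if USER_WRITABLE.search(line):
            findings.append(("user-writable path", line))
    return findings


def scan_tasks(tasks_dir=TASKS_DIR):
    """Walk the task store and map each suspicious task file to its findings."""
    report = {}
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            found = task_findings(path.read_bytes())
        except (ET.ParseError, OSError):
            continue
        if found:
            report[str(path)] = found
    return report


# Constructed task definitions, encoded the way Windows writes them (UTF-16 with BOM).
CONSTRUCTED_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alex\AppData\Local\Temp\Setup.exe</Command>
      <Arguments>socket3.lua</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

CONSTRUCTED_BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c echo hi</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

if __name__ == "__main__":
    for name, sample in (("constructed malicious", CONSTRUCTED_TASK), ("constructed benign", CONSTRUCTED_BENIGN_TASK)):
        print(name, task_findings(sample))
    for path, found in scan_tasks().items():
        print(path, found)
```

On a live host, run it elevated so every task file is readable, and diff the result against a known-good baseline rather than reviewing every hit by hand: the user-writable rule fires on some legitimate per-user updaters too.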

Recommended Actions
- Block the repositories and IP addresses below at your web proxy, firewall or EDR. Note that a GitHub URL can only be matched by a proxy that sees the full HTTPS request path; a DNS or IP block does not work, since github.com itself cannot be blocked wholesale. Repositories and IPs are rotated often, so treat this list as a starting point rather than a complete one.
GitHub Phishing Repositories
https://github.com/IgorDevApp/apt-intelligence-dashboard
https://github.com/IgorDevApp/IgorDevApp
https://github.com/IgorDevApp/PasswordSecurity
https://github.com/IgorDevApp/Calculadora
https://github.com/Markusino488/cve-2025-8088
https://github.com/Markusino488/APKEditorPro
https://github.com/amergamer/BOF_Spawn
https://github.com/hrefcoder/Nextjs-RCE-exploit-kit
Malicious IP Addresses
213.176.73.145
213.176.72.208
144.31.219.15
151.243.113.70
84.21.189.135
78.40.209.225
93.123.39.74
- Secure Browser Credentials: Avoid storing sensitive passwords directly in the browser; infostealers target the browser's credential and cookie databases specifically. Use a dedicated, encrypted password manager. Note that clearing cookies on the victim machine does not invalidate a session token that has already been stolen: after a compromise, revoke active sessions and rotate tokens on the server side (identity provider, Git hosting, cloud consoles) so the stolen cookies stop working.
- Replace Legacy AV: Transition from signature-based Antivirus to behavior-based solutions (such as EDR) that monitor for anomalous process execution. This ensures protection even when a file's size or "junk data" allows it to bypass traditional static scanning.
- Zero-Trust for Developer Workspaces: Enforce application allowlisting and test unverified open-source tools only in isolated environments (a VM, or a container for lower-risk cases, keeping in mind that a container shares the host kernel and is a weaker boundary than a VM). Developers should never execute untrusted code on a host that holds enterprise access tokens or active session cookies.
- Get a Free "full body health check" with Sangfor Security Evaluator: Prevention is better than cure!

IoCs
We provide IOCs for blocking, but threat actors change them daily. Real security goes beyond blocking known indicators; it relies on advanced threat detection to catch malicious behaviors and prevent future attacks.
Archive Files
| File Name | MD5 |
| dashboard-intelligence-apt-v3.2-beta.5.zip | b020b7cee87c642cfe2bb3f7e91d6e6a |
| App-Dev-Igor-misintend.zip | 95f664431eddd80a6cb2be16b042e759 |
| Security_Password_v1.1.zip | 2dc96a34d97cfd3e04d39d47d7ea0479 |
| Software_v1.6.zip | 0dde8e6466375a325782a0e8185eb3f9 |
| Sandboxie-Activated-cacoproctia.zip | 24058a0ed0b4d2b663e7494010496231 |
| cve-2025-8088-v1.3-beta.5.zip | 7532f3b3e54ab0989b38be255920099a |
| cve-2025-8088-main.zip | 33538e0713661fd8b1a3fdeed8c302a1 |
| ji-sagyo-3.5-beta.5.zip | bfd88de6197fd80c6865215dae9dec12 |
| warp2api-full_3.1.zip | 1a5ba71347f6e800e8400f7c92ef59ac |
| kit_Nextjs_RC_exploit_3.2.zip | b9b44e5c82abd3cbf6655b692fa8024e |
| client_ech_v3.9-beta.2.rar | 143a55a9b91b4ccda612a41342900ea1 |
| generator-account-outlook-3.4.zip | 48bed026d073181d2af978f6425203e3 |
| client_ech_v3.9-beta.2.zip | b1a0248f558f0cca907b9cf132cd9c9d |
| polymarket-market-maker-bot_3.2.zip | a3d51eb06cc59b20552932665f14928f |
| BOF_Spawn-v3.6.zip | 3bd066b091fb95bb77b804338de74ebf |
| pubg-elite-mod-toolkit_3.5.zip | 5db6399e932a03e6fd9b7840ff8e6394 |
| Termux-Tor-IP-Rotator_2.1.zip | d379602a7d05c52c16bfdbfa579b3877 |
| No-one.zip | f9804c740bbad714c545c9f13736ce2a |
| Xxx.zip | b9ebc047601632b9d55a6f2fd76ecd74 |
Other Files
| File Name | MD5 |
| Launcher.cmd | bfa702a87c14dc0b6f4bc213443749bd |
| libgcc.txt | aaac548d0666c5e8496e52213f8d48cb |
| clib.txt | dd76846d31e2aa2f5e8c70588d51c2df |
| Launch.cmd | 7eb6dac341fad662bf2bedfce7a7fdce |
| resource.txt | 6efced7852101ebb3fdc35457a495852 |
| Launch.cmd | 4ed0a94ac7f2cdaa1d5e87e06722ef6f |
| cert.txt | cd99e68ec1aae84a9041d7cf17ffa2f2 |
| Launch.cmd | 29f3219d0882a77fd498c8339fe06f07 |
| cdef.txt | 6c731afbedf2098d4e6b77388b894bec |
| Launch.cmd | d9ce757006ea87762599130eb5a477ce |
| arch.txt | a75c65b4e56f7321d3658cb92ced94b7 |
| Launch.cmd | e31c01aad7fd46650088ff6250aa15b1 |
| socket3.lua | 7c51647f6cec9ae51df31a9d2b00f103 |
| style.css | 9359361ce5373d80bd7efdd3b64db419 |
| lua.exe | 6e83697deef4b4d6ee742ef31a3cac61 |
Blockchain Addresses (Polygon)
| Type | Value |
| Contract Address | 0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc |
| Wallet Address | 0xdE275aD38C3352A7cb6b0d3efcBF45900c9716f2 |
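A sweep over downloaded archives, as an added example (written for this article, not from the report): it hashes each archive and each member without extracting anything and matches against the MD5s above, and separately flags loader-style member names (Launch.cmd, Launcher.cmd, lua.exe, socket3.lua, any .lua file). The zip built as sample input is constructed with placeholder contents, so only the name rule fires on it. A hash match is definitive; a name match is a triage signal, since lua.exe is also a legitimate interpreter. Only two of the page's MD5s are embedded here for brevity; load the full tables in practice.

```python
import hashlib
import io
import re
import sys
import zipfile
from pathlib import Path

# Two MD5s from the IoC tables above; in practice load every row of both tables.
KNOWN_MD5 = {
    "bfa702a87c14dc0b6f4bc213443749bd",  # Launcher.cmd
    "6e83697deef4b4d6ee742ef31a3cac61",  # lua.exe
}
# Member names that match the loader files listed under "Other Files".
SUSPICIOUS_MEMBER = re.compile(r"(?:^|/)(?:Launch(?:er)?\.cmd|lua\.exe|socket3\.lua)$|\.lua$", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_stream(fileobj, chunk=1 << 20) -> str:
    """Hash a member incrementally so a padded 1 GB file is never held in memory at once."""
    h = hashlib.md5()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def inspect_archive(data: bytes, known=KNOWN_MD5):
    """Hash the archive and each member without extracting to disk; return (reason, detail) pairs."""
    findings = []
    whole = md5_hex(data)
    if whole in known:
        findings.append(("archive hash match", whole))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                digest = md5_of_stream(member)
            if digest in known:
                findings.append(("member hash match", f"{info.filename} {digest}"))
            if SUSPICIOUS_MEMBER.search(info.filename):
                findings.append(("suspicious member name", info.filename))
    return findings


def inspect_path(path, known=KNOWN_MD5):
    return inspect_archive(Path(path).read_bytes(), known)


def build_constructed_archive() -> bytes:
    """Constructed sample: a 'tool' zip with the loader-style file names from the report. The
    contents are placeholders, so only the name rule fires; a hash rule needs the real bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PasswordSecurity/README.md", "# Password Security\n")
        zf.writestr("PasswordSecurity/Launch.cmd", "@echo off\r\nstart lua.exe socket3.lua\r\n")
        zf.writestr("PasswordSecurity/bin/lua.exe", "placeholder")
        zf.writestr("PasswordSecurity/socket3.lua", "-- placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("constructed sample:", inspect_archive(build_constructed_archive()))
    for target in targets:
        print(target, inspect_path(target))
```

Point it at a Downloads folder before anyone double-clicks; because members are hashed from the zip stream, nothing is written to disk and no autorun file ever gets a chance to execute.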

Frequently Asked Questions
What is this attack?
It is a supply chain attack in which threat actors upload malicious tools disguised as legitimate software to GitHub. When a developer downloads and runs the tool, it deploys the StealC 2.0 infostealer to steal browser passwords, session cookies and cryptocurrency wallets.
How does the malware evade antivirus?
It uses a technique called "binary padding." The malware artificially inflates its own file size to over 1 GB with junk data. Many antivirus programs are configured to skip scanning very large files to preserve system performance, so the malware slips by undetected.
How does the malware find its command-and-control server?
The malware queries a public blockchain smart contract to look up the current address of the attacker's Command & Control (C2) server. The attackers can change that address at any time by updating the contract, which defeats firewall rules and blacklists built on a single address.
How can developers and organizations protect themselves?
Avoid storing passwords in browsers and use a dedicated password manager. More importantly, move from traditional antivirus to modern, behavior-based security solutions (such as EDR) that detect anomalous process execution regardless of file size.