{
	"id": "cbc2bf98-c092-488f-97c4-e7095850bf31",
	"created_at": "2026-05-06T02:03:18.216806Z",
	"updated_at": "2026-05-06T02:03:52.776344Z",
	"deleted_at": null,
	"sha1_hash": "97b86a643e25232e8156e6b748922c33e28cd8a0",
	"title": "Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207649,
	"plain_text": "Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories\r\nDelivered SmartLoader and StealC\r\nBy Maurice Fielenbach\r\nPublished: 2026-04-18 · Archived: 2026-05-06 02:01:29 UTC\r\nExecutive Summary\r\nWe uncovered a malware distribution campaign built around fake GitHub SmartLoader StealC staging, where\r\ncloned open source repositories are used to deliver a LuaJIT-based loader and a follow-on stealer.\r\nWe identified 109 malicious GitHub repositories across 103 accounts that impersonate legitimate projects and\r\nredirect users to embedded ZIP files containing a LuaJIT-based SmartLoader stage.\r\nThe campaign appears to be operated by a single threat actor or tightly controlled cluster based on infrastructure\r\noverlap, synchronized repository updates, and consistent tooling.\r\nThe staged malware is a Prometheus-obfuscated Lua script executed by LuaJIT. In the samples we analyzed, it\r\nuses the Windows FFI to call native APIs directly, hide execution, fingerprint the host, capture screenshots, and\r\nexecute follow-on content in memory.\r\nSmartLoader resolves its active C2 through a Polygon smart contract, allowing the operator to rotate infrastructure\r\nwithout rebuilding the loader or updating every staged sample.\r\nCollected host data is exfiltrated to bare-IP C2 servers via multipart POST. The server then returns encrypted\r\nfollow-on instructions and tasking.\r\nPersistence is established through two scheduled tasks with separate recovery paths. One executes a cached local\r\ncopy. The other re-downloads a fresh Lua stage from GitHub.\r\nThe same GitHub staging repository also hosted an encrypted StealC payload. 
SmartLoader’s PE parsing and in-memory execution path are consistent with its use as the delivery and reflective loading layer for that follow-on\r\nstealer.\r\nBased on PE compilation timestamps, ZIP metadata, and GitHub commit history, the campaign has been active\r\nfor at least seven weeks, with new repositories still appearing as of 2026-04-12.\r\nAfter someone impersonated one of our recent projects, PyrsistenceSniper, on GitHub, we uncovered a broader malware\r\ndistribution campaign built around cloned open source repositories. The operator copies legitimate projects, republishes\r\nthem under different accounts, strips the README of its technical content, and replaces it with prominent download\r\nbuttons. Those buttons point to ZIP files hidden inside the repository tree rather than to GitHub releases or tagged source\r\npackages.\r\nThe source code is usually left mostly intact. That is what makes the lure work. At a glance, the repository still looks\r\nlegitimate. The actor changes only the parts that influence user behavior: the README, the repository metadata, and the\r\nembedded archive. A user who trusts the project name or skims the source tree can easily be pushed toward a malicious\r\ndownload.\r\nAs of 2026-04-12, we identified 109 malicious repositories across 103 GitHub accounts. Based on PE compilation\r\ntimestamps, ZIP metadata, and GitHub commit history, the campaign has been active for at least seven weeks. New\r\nrepositories continued to appear during our review.\r\nThe infection chain is simple and effective. The victim extracts the ZIP and launches a batch file. That launcher starts a\r\nLuaJIT interpreter with an obfuscated Lua script as its argument. 
In the samples we analyzed, that SmartLoader stage hides\r\nexecution, performs a native anti-debug check, resolves its current C2 through a Polygon smart contract, downloads a\r\nfunctionally overlapping second-stage Lua script from a separate GitHub repository tied to the same campaign, fingerprints\r\nthe host, captures a screenshot, exfiltrates the collected data, and receives encrypted tasking in return. SmartLoader also\r\ncontains the structures and execution primitives needed to decrypt and load PE payloads directly in memory, which is\r\nrelevant because the same staging repository also hosted an encrypted StealC sample. It then establishes persistence through\r\ntwo scheduled tasks designed to survive partial cleanup.\r\nThe Lure – How the Fake GitHub Repositories Work\r\nThe operator appears to target repositories that are beginning to gain traction. New projects with recent activity and growing\r\nstar counts are attractive because users are actively searching for them. By cloning those repositories under different\r\naccounts, the fake copies can appear in search results beside the real project.\r\nComparison between the fake PyrsistenceSniper repository and the legitimate original, showing identical\r\nnaming but modified content.\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 1 of 17\n\nThe README modifications follow a consistent pattern. Technical content is stripped out. Installation steps, prerequisites,\r\ndevelopment notes, and contribution guidance are removed. In their place, the actor inserts prominent download buttons\r\nusing shields.io badges, colored markdown buttons, and direct links. 
Every link in the README points to the same ZIP file\r\nburied deep in the repository.\r\nMultiple download links and buttons inserted into a malicious README, using shields.io badges and\r\ncolored markdown to drive clicks toward the embedded ZIP.\r\nThe actor also modifies repository descriptions and topics. In several cases, unrelated SEO terms were appended to increase\r\nsearch visibility. Combined with a cloned codebase and a plausible-looking repository structure, those additions help the\r\nfake project appear credible long enough to drive a download.\r\nExample of shields.io download badges used across multiple malicious repositories, all pointing to\r\nembedded ZIP files.\r\nWe assess this activity is primarily tied to a single threat actor or tightly controlled cluster. The strongest signals are\r\noperational consistency and infrastructure overlap. Repositories across different accounts are updated in batches when\r\ndownload links rotate to new ZIP files. The archive layout, README structure, staging pattern, and malware family remain\r\nstable throughout the campaign. That points to centralized control and at least partial automation.\r\nUpdated README containing a new download link to a different ZIP file, showing the link rotation\r\npattern.\r\nSeveral accounts host multiple malicious repositories at once. The profiles themselves appear mixed. Some were created\r\nrecently and show little or no prior history. 
Others display older benign contributions before pivoting into malware\r\ndistribution.\r\nMultiple malicious repositories from a single user account, each showing prominent download buttons in\r\nthe README.\r\nAcross the accounts we reviewed, recent contribution activity often appeared clustered rather than organically distributed\r\nover time. That pattern may reflect the operator’s routine maintenance workflow, including repeated README and link\r\nupdates across staged repositories, rather than meaningful long-term development activity.\r\nGitHub user profile showing crafted activity since mid-March, designed to make the account appear\r\nlegitimate and active.\r\nThe ZIP Files – Bundled SmartLoader Archives\r\nAll 109 identified repositories contain a single ZIP file buried deep in the directory structure. The path often resembles an\r\nordinary project archive, such as  repo/some/deep/path/project-name-version.zip . That placement appears deliberate,\r\nintended to make the archive blend into the repository tree rather than stand out as the actual lure.\r\nZIP file placed deeply inside the repository directory structure, disguised as a legitimate release artifact.\r\nThe ZIP contents are consistent across the campaign. 
Samples contain either three or four files: a one-line batch launcher, a\r\nrenamed LuaJIT executable, an optional  lua51.dll , and an obfuscated Lua script stored under a benign-looking  .txt  or  .log  filename.\r\nContents of a typical malicious ZIP file showing the batch launcher, LuaJIT executable, and obfuscated Lua\r\npayload.\r\nWe identified six cosmetic variants across all repositories. Some use four files, with a small frontend that dynamically\r\nloads  lua51.dll . Others collapse to three files by statically linking the Lua runtime. Executable names rotate between\r\ngeneric labels such as  loader.exe ,  unit.exe ,  boot.exe  and  java.exe . Script filenames vary\r\nbetween  .txt  and  .log  extensions. However, the execution model is the same in every case.\r\nAcross all variants, the executables are LuaJIT 2.1.0-beta3 interpreter builds compiled as GUI subsystem PEs, so no console\r\nwindow appears when they run. The malicious logic sits in the bundled Lua script. File-level reuse is common. We observed\r\nbyte-for-byte identical ZIP files reused across repositories in the same batch. ZIP timestamps ranged from 2026-02-19 to 2026-04-05.\r\nTechnical Analysis\r\nExecution Chain\r\nThe initial launcher is minimal. It is typically a single-line batch file:\r\nstart \u003cexe\u003e \u003cpayload\u003e\r\nThe use of  start  detaches the new process, while the GUI subsystem flag suppresses the console window. The Lua stage\r\nthen calls  GetConsoleWindow  and  ShowWindow(SW_HIDE)  through LuaJIT FFI as a second layer of concealment. 
From the\r\nvictim’s perspective, nothing visible happens on screen.\r\nContent of the batch launcher showing the single-line start command.\r\nThe Executables\r\nAll observed executables are LuaJIT 2.1.0-beta3 PE64 GUI builds. None were signed and none contained version metadata.\r\nIn the four-file variants, a small frontend loads  lua51.dll  dynamically. In the three-file variants, the Lua runtime is linked\r\nstatically. We observed multiple compilation generations with regular refreshes, which aligns with the repeated ZIP and link\r\nrotation visible across the campaign.\r\nThe Obfuscated Lua Scripts\r\nAll staged Lua scripts are single-line files between roughly 296 KB and 309 KB, obfuscated with Prometheus. Constants\r\nare hidden behind arithmetic identities, strings are permutation-encoded, variable names are randomized, and execution is\r\nrouted through a custom VM dispatcher. C2 addresses and download URLs are stored inside encrypted blobs that require\r\nruntime decryption.\r\nExcerpt of a Prometheus-obfuscated SmartLoader Lua script, showing the single-line format, randomized\r\nidentifiers, encoded strings, and VM-style control flow.\r\nThe obfuscation is not decorative. It is central to how SmartLoader delays analysis and hides operational details until\r\nexecution.\r\nSmartLoader Behavior\r\nSmartLoader uses LuaJIT’s foreign function interface to call the Windows API directly from Lua. 
Early in execution, it\r\nloads  ffi  and declares a broad set of native structures and function prototypes, giving the script access to memory\r\nmanagement, process control, windowing, and graphics APIs without requiring additional native components on disk.\r\nLuaJIT FFI declarations used by SmartLoader to access Windows APIs directly, including memory\r\nmanagement, process control, window handling, and graphics functions.\r\nThis execution flow is consistent with known SmartLoader behavior. It hides its console window, performs an anti-debug\r\ncheck using native shellcode copied into executable memory, resolves its C2, downloads a second Lua stage from GitHub,\r\ncaptures a screenshot through the GDI pipeline, fingerprints the system, and exfiltrates the collected data to C2.\r\nThe FFI declarations also include PE header and export parsing structures together with thread creation primitives, which is\r\nconsistent with SmartLoader’s known support for in-memory PE loading. In that context, the observed behavior matches\r\nSmartLoader’s established role as a loader that supports host profiling, data collection, persistence, and follow-on execution.\r\nBlockchain Dead Drop Resolver\r\nSmartLoader does not hardcode its live C2 address directly in the Lua stage. 
Instead, it performs a JSON-RPC  eth_call  against  polygon.drpc.org  and queries the Polygon smart contract\r\nat  0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc  using function selector  0x3bc5de30 .\r\nSmartLoader blockchain request, showing the JSON-RPC eth_call request to polygon.drpc.org and contract\r\nquery.\r\nThe contract returns an ABI-encoded string containing the active C2 URL. During analysis, we observed two returned\r\naddresses:\r\nhttp://144.31.57.65\r\nhttp://144.31.57.67\r\nBoth sit in the same  /24 .\r\nDecoded contract request returning the active SmartLoader C2 address.\r\nThis functions as a dead drop resolver. The operator can rotate infrastructure by updating a single on-chain value rather than\r\nrebuilding the malware, modifying every staged sample, or changing DNS. It is a practical way to decouple malware\r\ndistribution from C2 management and reduce the value of single-node takedowns.\r\nC2 Communication\r\nOnce SmartLoader resolves the active server, it sends a  POST  request to  /api/\u003cbase64_victim_id\u003e  on the bare-IP C2. The\r\nrequest body is  multipart/form-data  and includes host metadata together with collected data from the infected system. 
In\r\nthe samples we analyzed, the exfiltrated content included screenshots and host fingerprinting details.\r\nCaptured SmartLoader HTTP POST request to the bare-IP C2, showing the multipart upload structure used\r\nto send host metadata and collected data.\r\nThe server responds with JSON containing two encrypted fields:\r\n{\r\n \"loader\": \"\u003cbase64-encoded encrypted instructions\u003e\",\r\n \"tasks\": \"\u003cbase64-encoded encrypted task list\u003e\"\r\n}\r\nFollow-on task completion is later reported back through  POST /task/\u003cbase64_victim_id\u003e , which returns HTTP 204.\r\nPersistence\r\nSmartLoader establishes persistence through two daily scheduled tasks with separate recovery paths. The task names and\r\nlocal staging directory names vary across samples, but the persistence design remains consistent. In the samples we\r\nreviewed, names such as  AudioManager_ODM3  and  OfficeClickToRunTask_7d7757  were used to masquerade as legitimate\r\nsoftware activity.\r\nIn one path, SmartLoader copies the LuaJIT binary, the downloaded second-stage Lua file, and  lua51.dll  into a directory\r\nunder  %LOCALAPPDATA%  and executes the locally cached Lua stage on subsequent runs. That path continues to work even if\r\nthe GitHub staging repository is removed after the initial infection.\r\nIn the second path, SmartLoader copies the interpreter and original payload components into a separate directory\r\nunder  %LOCALAPPDATA% , but does not rely only on the cached copy. On each execution, it reaches back to GitHub,\r\ndownloads a fresh encrypted staging file, decrypts it in memory, and continues execution with the recovered Lua stage. 
That\r\npath restores access if the local second stage is deleted or corrupted.\r\nScheduled tasks visible in Task Scheduler, masquerading as audio management and Office Click-to-Run.\r\nSecond-Stage Staging on GitHub\r\nThe second-stage repository observed in this infection chain was  deepanshugoel99/long , a sparse GitHub repository with a\r\nsingle commit and minimal visible activity. It hosted two encrypted staging files under  long/long/  rather than plaintext\r\npayloads.\r\nThe file SmartLoader actively retrieved\r\nwas  https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt .\r\nThat file is not a readable Lua script on its own. To understand what it contained, we traced the staged-content decryption\r\nroutine in SmartLoader and recovered the key material used for the GitHub-hosted blobs. Applying that same routine\r\nto  message1.txt  recovered  a.lua , a functionally overlapping Lua stage.\r\nEncrypted second-stage staging file message1.txt hosted in the attacker-controlled GitHub repository.\r\nThat recovered Lua stage behaved almost identically to the original SmartLoader Lua payload. It resolved the same C2\r\nthrough the same Polygon contract, communicated with the same infrastructure, and created the same scheduled tasks. The\r\nsmall differences were operational and packaging-related, not architectural. 
In practical terms,  a.lua  is best understood as\r\na redundant SmartLoader stage used for persistence and re-delivery.\r\nStaged StealC Payload\r\nA second encrypted file,  message2.txt , was present in the same staging repository and was fetched during the observed\r\ninfection chain. We analyzed it using the same staged-content decryption logic and key base recovered from SmartLoader\r\nand used to decode  message1.txt . That process recovered a packed x64 PE consistent with StealC. The decrypted binary\r\nhas SHA256  87de3e5a8ef669589c421220cd392ae8027a8f8d3cd97d35ac339f87dcff12c8  and a PE compilation timestamp\r\nof 2026-04-10 20:06 UTC, roughly twelve minutes before the staging repository was created.\r\nOperationally, that matters because it matches the execution model SmartLoader already exposes. The Lua stage defines PE\r\nparsing structures, allocates executable memory, resolves imports, and starts execution using thread creation primitives. In\r\nother words, the same loader used to retrieve and execute encrypted Lua content from GitHub is also capable of decrypting\r\nand reflectively loading a PE such as StealC without writing it to disk.\r\nDetection\r\nGitHub raw content downloads — Monitor for outbound requests\r\nto  raw.githubusercontent.com  and  github.com  that fall outside established developer baselines. This detection\r\ncarries inherent noise in engineering-heavy environments. It is most viable in organizations that already enforce strict\r\negress controls and maintain an approved software inventory. 
Without that baseline, expect a high false-positive rate\r\nthat limits operational value.\r\nBatch-launched unsigned executables with script arguments — Look for  cmd.exe  process creation events where\r\nthe command line includes  start  followed by an unsigned executable and an argument ending in  .txt  or  .log .\r\nExecution from user-writable locations such as  %TEMP% ,  Downloads , or paths consistent with recently extracted\r\narchives increases confidence. The combination of an unsigned binary, a non-standard script extension, and a\r\ntransient directory is unusual enough to warrant investigation even in noisy environments.\r\nLua runtime loaded from non-standard paths — Track DLL load events for  lua51.dll  originating from\r\ndirectories outside expected software installation paths such as  Program Files . Loading\r\nfrom  %TEMP% ,  %LOCALAPPDATA% , or arbitrary user profile subdirectories has no legitimate justification in most\r\nenterprise environments and directly reflects the staging layout used throughout this campaign.\r\nBlockchain RPC resolution from non-browser processes — Identify DNS queries or outbound connections\r\nto  *.drpc.org  and known Polygon or Ethereum JSON-RPC endpoints initiated by processes other than web\r\nbrowsers. Outside of cryptocurrency wallets and blockchain development tooling, this activity has a very narrow\r\nlegitimate footprint and serves as a reliable early indicator of dead drop resolver behavior.\r\nSmart contract C2 resolution query — Inspect HTTP POST bodies for  eth_call  requests targeting contract\r\naddress  0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc  or referencing function selector  0x3bc5de30 . This is a\r\nhigh-fidelity indicator directly tied to the observed infrastructure and is unlikely to appear in benign traffic.\r\nMultipart POST to bare-IP addresses — Flag outbound  multipart/form-data  HTTP POST requests directed at\r\nbare IP addresses where the URI path starts with  /api/ . 
The absence of a hostname, combined with multipart\r\nencoding and a generic API path, is a pattern rarely seen in legitimate application traffic and aligns with\r\nSmartLoader’s exfiltration behavior.\r\nTask completion callbacks to bare-IP destinations — Monitor for HTTP POST requests to URI paths\r\nmatching  /task/  on bare-IP servers. In this campaign, SmartLoader uses this endpoint to confirm completed\r\ntasking. The combination of a bare IP, a short predictable path, and a POST with no meaningful response body is\r\ndistinctive.\r\nScheduled task creation referencing %LOCALAPPDATA% — Alert on  schtasks.exe /create  invocations\r\nwhere the scheduled action points to an executable under  %LOCALAPPDATA% , particularly when the associated\r\ncommand-line arguments include  .txt ,  .log , or  raw.githubusercontent.com . The creation of two or more such\r\ntasks within a short window is a strong compound signal. After baselining legitimate scheduled task behavior, this\r\ndetection should produce minimal noise in most environments.\r\nZIP archives pairing Lua runtime components with batch launchers — Detect the co-occurrence\r\nof  lua51.dll  or a LuaJIT interpreter binary alongside  .bat  or  .cmd  files within the same archive or newly\r\ncreated directory tree. This combination is structurally consistent across every observed variant in the campaign and\r\nis uncommon enough in legitimate software distribution to serve as a reliable static or on-access indicator.\r\nPrevention\r\nThis campaign depends on a user downloading a ZIP from a fake repository and running the included launcher, which makes\r\nsource verification the most effective control. Users should validate the publisher and prefer official releases over archives\r\nburied in the repository tree. 
Traffic inspection at the proxy or TLS layer helps surface staged payload retrieval and bare-IP\r\nexfiltration. Application control blocks unsigned interpreters and script launchers from running out of user-writable paths.\r\nEgress rules that block Polygon and other blockchain RPC endpoints disrupt the dead drop resolver, and restricting raw\r\nGitHub downloads limits second-stage staging.\r\nWrap Up\r\nThis campaign is effective because it keeps the lure simple and the execution chain quiet. The operator cloned 109\r\nrepositories across 103 accounts, replaced legitimate documentation with download funnels, and delivered a LuaJIT-based\r\nSmartLoader stage that hides execution, resolves C2 through a blockchain dead drop, collects and exfiltrates host data,\r\nmaintains persistence through two independent scheduled tasks, and supports in-memory follow-on payload execution.\r\nThe technical choices are pragmatic. GitHub provides both initial delivery and second-stage staging. A Polygon smart\r\ncontract provides an updateable C2 resolver. Bare-IP servers handle collection and tasking. LuaJIT FFI provides direct\r\naccess to native APIs without requiring additional dropped components. And the same staging workflow can support both\r\nredundant Lua stages and encrypted PE follow-on payloads such as StealC. Together, those choices make the campaign easy\r\nto replicate, easy to refresh, and harder to disrupt through single-point takedowns.\r\nWe will keep monitoring and submitting removal requests. But the broader lesson is straightforward. Repository removal is\r\nreactive. Impersonation is cheap, trusted project names are easy to reuse, and fake repositories can be recreated faster than\r\nthey are taken down. 
Maintainers should monitor for lookalike projects, and users should verify the source of any GitHub-hosted tool before running it.\r\nIndicators of Compromise\r\nFile Hashes\r\nIoC Type Category Filename\r\n2273702dfbcfd96a6ed7bdb42ba130291b653869256ec1325bc7fe30e8d9b70a SHA256 ZIP archive Sniper_Pyrsistence_v2.6.zi\r\n2d72abb33b8428a3a73fb64a03e6ac84595c4b1636f190f2936fadec3c8792f6 SHA256 ZIP archive founders-kit-3.0-beta.5.zi\r\nb04db6cae604d2ab1542e3c0cf1a4a3bb8d76562556f7275efe25bb90fc1da19 SHA256 ZIP archive score_global_health_assist\r\nd92ac938494c2c74c73f3ca28c5c7148d0a03024b46630192a9348259b7b3665 SHA256 ZIP archive Player_One_3.7.zip\r\n3299b85734e03cbb767d10f89384f666c35d6863198a7c6c0004ef19fcc76bc3 SHA256 ZIP archive nightlights-district-india\r\nc324560d4310849fd6b86e126514b20512905eee7ee94a2152f4314bb4055649 SHA256 ZIP archive dumper-cpp-1.7.zip\r\n2c3c4f1e3401c7baa804c21164b17a2ab50b3462ab09fcdccec35c8faa8e17fb SHA256 ZIP archive client-qclaw-wechat-3.5-be\r\n58b98acb7dc26d8130c20b38ad040e5e7042eac38f12205248595697143c4297 SHA256 ZIP archive skills_product_ai_v3.9-bet\r\n10cbcb3fb25205a53ea9fe4fad46f45a349f7da8de22dd53a1ce16a920059720 SHA256 ZIP archive skill_uncodixify_v3.8.zip\r\nbc95563880f17f4c3fc0fd8d3f7abc37b14ffb3daa627f92d5bd0b4f457d54e2 SHA256 ZIP archive commerce-agent-enstatite.z\r\n13690a008d375908399e7f0bf8d1b4733498f1145166c7788fb9966c3b551b2f SHA256 ZIP archive Server-Pirate-LL-ferfet.zi\r\n12a09f9425cd4058956214b237ec82577c7b9ae15f323c28d3b4ad846d0d2f6b SHA256 ZIP archive ts-symphony-chloromethane\r\nb599a00d1226f6e0d433bf9be89958d6d4600a365c8e16bd86b4603e2552bf37 SHA256 ZIP archive Software_v2.2.zip\r\n998e14a100d1f541f9fd59f4e58dd86e76fe7a105b02646d3487f18583d46c42 SHA256 ZIP archive calendar-dashboard-task-2\r\n
ebe63bd7715e7b2ff0b25c9bb6540a904f7195fb9fb2d405bd0cb5c0c4d34476 SHA256 ZIP archive Software-3.2.zip\r\n3217ae928395e00d873cccdf2adfa7828fe319fc84501453e702af91a0af2596 SHA256 ZIP archive Token-Stream-2.2.zip\r\ne12e7d4d7c5ccf825c9c0ba3af32a9d575d1624ad6e3998e7a71c3e0939c0d61 SHA256 ZIP archive Download-Ninja-Full-Ripper\r\n012b49c7f60bbe0501e61fc62c9b7dd69be9bbf15cb36a840a293b3cb066b865 SHA256 ZIP archive agent_workspace_v1.5.zip\r\n275275b5099a63724b6f525c1e9de082829e710078e8605c0286998b5a02e75d SHA256 ZIP archive autotrader-openclaw-v3.1-b\r\n7e107cc2db66be4c9a90c2ef81f21ae2893962e1040531dff0305d9283f27387 SHA256 ZIP archive Stealer_Hades_1.4-beta.3.z\r\n768c28bff5e2ccd991a4a5cbfe3331015e3262cbc007829631483b46aa582cbc SHA256 ZIP archive Impacket_Reference_1.5.zip\r\n6b518855404b7281246aab93a46288b25f0cb0f09cdeb820e677ef615bf3fda4 SHA256 ZIP archive Open-RL-Claw-3.9.zip\r\n572acf0d7a3801b9bc41f626bac781d75ea1f99770b176079ae5f9a347c09b78 SHA256 ZIP archive Amazon_Analysis_Product_Ex\r\n4b3231da6ba13aa1e1eb8dd371e287bc18505273bca5bda80065c60b024549b8 SHA256 ZIP archive MCP_EVOKOR_3.4.zip\r\n1aacc8cb9694293dc152891fc26de64a2061b31a066d297373cdc87da54b6fd8 SHA256 ZIP archive Audio_Auditor_v1.8.zip\r\nd142be1fc9a7eec7ec26aeea75e5f7a175c4ab9b2ee36b958280873bc3861b2e SHA256 ZIP archive smart_miner_money_2.0.zip\r\na50c4c26597cb4dc3ce340e1de0ec929b4a7ab0954a6ba214a32f158f01d6a8a SHA256 ZIP archive Gov_Tracker_Blocklist_madn\r\n9de5dc4192a9dea43d9ff6289bb276bb3f2c244c15821b6d31fab90258b23149 SHA256 ZIP archive Glider-UI-v2.7.zip\r\n2149a0c948d87f6a80ebb4abddf742c2383f59c7558a313caa0c0fd3bd3cdeef SHA256 ZIP archive Enhance-Prompt-1.6.zip\r\na6fce76371d8b950b22bbea5a94d5688c19368979d06b2ef3c41f18ce6ada4c3 SHA256 ZIP archive waf-mango-1.2.zip\r\na90898926236de8b574b50ef8c6c0411b193383d6db2214d73ead27c65867fd5 SHA256 ZIP archive Ultra-Clopix-Delta-v2.7.zi\r\n44d5de84ee0c31517d114640ba9b9b307ea9e1ec4e591de42cbb4d07ceb5e6c3 SHA256 ZIP archive App-Vesper-AI-2.9.zip\r\n
f5bdf3d6c1376476b0d9eb0e74aa5aa8ccc7378068531c8346d76fbef04c6a6e SHA256 ZIP archive hub_premium_access_marketm\r\n5b09803d2acbec734d9c88496f9590bb7cbaf5392607ef0f20f79fe177f7fd83 SHA256 ZIP archive Dumper_Zygisk_Il_Cpp_v3.4\r\nd8469b109bb22ad367c19971e1065074527af144d4c1e7d7a4cfb0f2d6e12767 SHA256 ZIP archive dashboard-pump-fun-v2.6.zi\r\n9f6368bccedd005075fe991719719b0df5af22df697cab76aa6b4392d38394b1 SHA256 ZIP archive bread_simulator_run_toolki\r\n0a4bce0f0461335585550598ff33c40a389465f7d0094212bee40b7f525de123 SHA256 ZIP archive hoshan-vehicles-2.3.zip\r\nf6d10e879324c36914002ebd989e1a6fdc50e29257078a95e975f18b42f69836 SHA256 ZIP archive ecommerce_theme_gatsby_v3\r\nfad3d429172932b72e50f52af169a80439464e3538d97810509090e2e6cdf32a SHA256 SmartLoader LuaJIT interpreter loader.exe\r\nbff0904456e3151221d29ed1d7c88fc31587efbdfb28817cdcb7ec7f20cade21 SHA256 SmartLoader LuaJIT interpreter selector.exe\r\nbbd438d3d7a59152f1dd5e45bb8d22ee1c07f95cfe42cebbe756aaf4feadc875 SHA256 SmartLoader LuaJIT interpreter unit.exe\r\nd1557bc3f5d8542f9b7f8e80b02283397d2e437386a6662251c4fc7342167cda SHA256 SmartLoader LuaJIT interpreter unit.exe\r\n167b166e26dd44f580a00f2c879089c5362eff5120ac88e0701b11b1eb320ca9 SHA256 SmartLoader LuaJIT interpreter load.exe\r\n8b42ca9d05badf0e7327d816a56e5516431ae34627da68e12ae9347f365b2668 SHA256 SmartLoader LuaJIT interpreter compiler.exe\r\nd56213d08fb10c880f17e1a262bf1176cf234d1fc591188171e7be9cd856eb12 SHA256 SmartLoader LuaJIT interpreter util.exe\r\n3595a6b226ce4daa0a28edea152b3a887c01f6323db1d082f6568c995cdefb55 SHA256 SmartLoader LuaJIT interpreter luajit.exe\r\ne69873a3ef03b289aba8a0ec7130247dc5f2a3ce8c3b647b44518a899f39f789 SHA256 SmartLoader LuaJIT interpreter luajit.exe\r\n
f3e34c9e36f3be065d80d456281d31dd1cc85eb4980db7fa8c1b0eb6f29c25d8 SHA256 SmartLoader LuaJIT interpreter luajit.exe\r\n09e0f7616dfd2f7eb2876f6ef7331d6dbc78775acd594a94b0397a56717d1fcc SHA256 SmartLoader Lua runtime DLL lua51.dll\r\n440ceb0dc5911faca54ed9a4dd186dad3d006ae4f52d0bb7d1e4b4edd8c3693a SHA256 SmartLoader Lua runtime DLL lua51.dll\r\ne450152d8dd9f7d2d92dbd53461a38ee8f154b69b2558ed43b5d3f603a43240a SHA256 SmartLoader obfuscated Lua payload proto.txt\r\n76afe60e675e68906a2de61d45c46aa6502fe7f9c298260c226a4382744f4212 SHA256 SmartLoader obfuscated Lua payload func.txt\r\n25aff351f5b4195f33e2fb862f71e3668e699f2311e7844e277b8256a6cb47c0 SHA256 SmartLoader obfuscated Lua payload package.txt\r\n54bbd79ed1ee26d3e7aa079963ba26c36aa683c01cc8b05b6d255da8634df006 SHA256 SmartLoader obfuscated Lua payload package.txt\r\n830ec7352972fd1eb24fcaf72349ef9a27dd9f26f24552d6b68b87ffeada1212 SHA256 SmartLoader obfuscated Lua payload package.txt\r\nf9436ccb986760ca379d6cd2f00726e032a1d9c250a9bd261d40d98b914e7ef9 SHA256 SmartLoader obfuscated Lua payload dynasm.txt\r\n3989cdf958d258244f3a72bac594214112ffe1008d4d81233a5911482dd302ca SHA256 SmartLoader obfuscated Lua payload buff.log\r\nc7b71a992c6ca1467164b643136d986c0eec28548f30533456a3ea0f442c85a8 SHA256 SmartLoader obfuscated Lua payload buff.log\r\n59c2115caf3104184de6cbc64c4029886b7302e1fa58acc910a2c567222e8616 SHA256 SmartLoader obfuscated Lua payload static.txt\r\n8cede35b80b1deaf732c2b178d908f91b3e7a0c114d06dfae9075b8a9bf78b8f SHA256 SmartLoader obfuscated Lua payload uix.txt\r\nd067cacea4ec623dc715c27ff7568d14988af0be1f3db32d332f27744114f9ba SHA256 SmartLoader obfuscated Lua payload x64.txt\r\n
a93ac4fb3f9dadc22f7b7f1877bc99b84a77fe3bbe560bdd20bbd7c4b6f9c1d6 SHA256 SmartLoader obfuscated Lua payload tree.txt\r\ne1e6e28bc665b242fd4b496caf2542042d5720e87ea74551735664c202c486c7 SHA256 SmartLoader launcher script Launcher.bat\r\n3658fc38c10867e30e3c5c98a7a392e452a4ba497c8a674ff26554bc09f032b0 SHA256 SmartLoader launcher script Application.cmd\r\nb0f0b6e38f77c518ebfaf691d729636d82cc59dc2a329d7454e11f74a2cb2d3f SHA256 SmartLoader launcher script Application.cmd\r\ncd4d2b6dc9c764c3f2b2b003bce035053a8ce81420c7ea886c76611219cae4ae SHA256 SmartLoader launcher script Application.cmd\r\n7e8bd9ba64fcbd1cb753baa2f7bc8d5d7f3e91552bcdc9ec1ec04edd4916ff33 SHA256 SmartLoader launcher script Application.cmd\r\naf6f59bd3caee5daa2d6765dd8c1bc167060a9681617ee1e2aff32f1eda3477c SHA256 SmartLoader launcher script Application.cmd\r\na91b3308a7e9aa9fa660c72d27f226d8f50bfac2629f79a828fbecff323c0fe0 SHA256 SmartLoader launcher script Application.bat / App.bat\r\nc3b56d68c80c4a6a9879c45a7761a538e3546644623af1ee469d3b70130fa0cd SHA256 SmartLoader launcher script Application.bat\r\nce1e33483d353200a266b3bc383ccf500e5a760c6dcd8218747260f5bbe39509 SHA256 SmartLoader launcher script Launcher.cmd\r\n592ec6f529721acbe07100c5386c58ca20fddfee7ac90280943fc2a61661e2be SHA256 SmartLoader launcher script Launch.bat\r\n212C76DAF355EDE116EB04D4F9D08A112D07940A14DC248BC568FF1BA0A64E18 SHA256 Encrypted second-stage on GitHub ( message1.txt ) 2026-04-12\r\n87de3e5a8ef669589c421220cd392ae8027a8f8d3cd97d35ac339f87dcff12c8 SHA256 StealC packed binary decrypted from  message2.txt  2026-04-12\r\nNetwork Indicators\r\nIoC Type 
Category\r\nL\r\nSe\r\n144.31.57.67 IPv4\r\nSmartLoader\r\nC2,\r\nSERVHOST-AS, United\r\nKingdom\r\n20\r\n04\r\n144.31.57.65 IPv4\r\nSmartLoader\r\nC2,\r\nSERVHOST-AS, United\r\nKingdom\r\n20\r\n04\r\n213.176.73.149 IPv4 StealC C2\r\n20\r\n04\r\nhttps://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt URL\r\nSecond-stage\r\nLua payload\r\nhosted on\r\nGitHub\r\n20\r\n04\r\nhttps://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message2.txt URL\r\nStealC payload\r\nhosted on\r\nGitHub\r\n20\r\n04\r\n0x1823A9a0Ec8e0C25dD957D0841e3D41a4474bAdc\r\nPolygon\r\ncontract\r\nBlockchain\r\ndead drop\r\nresolver\r\nreturning C2 IP\r\n20\r\n04\r\n0x3bc5de30\r\nFunction\r\nselector\r\nSmart contract\r\nmethod called\r\nto retrieve C2\r\naddress\r\n20\r\n04\r\npolygon.drpc.org Domain\r\nPolygon RPC\r\nendpoint used\r\nby SmartLoader\r\n20\r\n04\r\nPOST /api/\u003cbase64_victim_id\u003e\r\nURL\r\npattern\r\nExfiltration\r\nendpoint\r\n(multipart/form-data)\r\n20\r\n04\r\nPOST /task/\u003cbase64_victim_id\u003e\r\nURL\r\npattern\r\nTask\r\ncompletion\r\ncallback\r\nendpoint\r\n20\r\n04\r\nRepositories\r\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/stcitlab1/PyrsistenceSniper/ URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Shonpersus/founders-kit URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/therajeshpatil/home-assistant-global-health-score\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 10 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/Cherishpolyploid691/One-Player URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/eltayep2/india-district-nightlights-viirs 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/jayed50/cpp-dumper URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Arlinablind800/qclaw-wechat-client URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/amosshadowy76/ai-product-skills URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/anubhavsingh-0218/uncodixify-skill URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/AlexSilgidzhiyan/agent-commerce URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/somya-droid/Pirate-LLM-Server URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/ashiskumarnanda/symphony-ts URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/rakibul3790/mdexplore URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Cobras1934/task-calendar-dashboard URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/mohadesehfllh/whispr URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/FILDA007/TokenStream URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/halim2023/Ninja-Ripper-2.13-Full-Download URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/pandu1992/agent-workspace URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/freefire2chyko-a11y/openclaw-autotrader URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/silent-whisper/Hades-Stealer URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 11 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/Lyrothanak20/Impacket_Reference 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/sabalearning01/OpenClaw-RL URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/minullaksen/Amazon_Sales_Product_-\r\n_Revenue_Analysis_Excel\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/shripadk1999/EVOKORE-MCP URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/viktor820/AudioAuditor URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/arnautoff1/smart-money-miner URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/CobraZero969/EU-Gov-Tracker-Blocklist-by-madnesscc\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/hayate001/GliderUI URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/wtfhanin/Enhance-Prompt URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/jakariyaox-dot/mango-waf URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/AdebSamra/Delta-Clopix-Ultra URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/shmilymaria/VesperAIApp URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/AdebSamra/marketmuse-premium-access-hub URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/hayate001/Zygisk-Il2CppDumper URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/arnautoff1/pump-fun-dashboard URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/sabalearning01/bread-run-simulator-toolkit URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/eltayep2/hoshan-vehicles 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 12 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/mohadesehfllh/gatsby-ecommerce-theme URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Casheu1/perplexity-2api-python URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/usernamedoxelghk/WindsurfSwitch URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/GamerX3560/Aria-V-7.1 URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/oliverkanda254/medusa-mobile-react-native URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/haren2312/medusa-mobile-react-native URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Jonaskouame/Phone-Number-Tracker URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/h4vzz/awesome-ai-agent-skills URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Sriv4/insta-hack-termux URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/renny2020/Open-UI URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/YahiaGrdh/vibe-agents URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/abuferas1262/yandex-speedtest-cli URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/CuddlyPaws22/codeclaw URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/jessevanwyk1/claude-scholar URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/ejfhgo/hacker-Toolkit URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Ksalazar29/deepseek-claw 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Pr-E/openclaw-master-skills URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 13 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/mreshuu/STForensicMacOS URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/phongdshh-debug/Ghost-MSG URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/TalangoJames/fractals URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/GH8ST007/llms_with_google_cloud URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/mohamedfaro7/Chuks-YT-Live_AI URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/mrizky214/task-runner-1771921051-1 URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/sidiishan/soul.py URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Xhtira20/scraped URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Always15dppk/register URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/omkargundle/claude-usage-bar URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/fajarsm14/epic-games URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/JoOdSy/mini-apps URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/MPB0828/Greenhouse-Gas-Emissions-Forecasting-with-ARIMA-LSTM\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/twinklew9/notes2latex URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Sawyer60/Dataset_HealthHub 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/vlsienthusiast00x/Spodrue URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/IvannGonzzalez/hve-core URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 14 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/Aditya923-c/xpoz-agent-skills URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Shavan889/minisforum-ms-s1-max-bios URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/DarkSliceYT/ai-infra-index URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Seragatia/DocGenie URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/whydixit/cursor-starter URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Tawhidhere/OneRec-Think URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/rushikeshjaware/DiffusionDriveV2 URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Abisheak250402/cloakbrowser-human URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Loune3213/Wazuh-Openclaw-Autopilot URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Ragulrajtcestd/LSTM-Optuna URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Tod-weenieroast366/coding-plan-mask URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/KemalFasa/discord-adapter-meme 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Bhin4787/AI-Powered-Ticket-Routing-SLA-Breach-Prediction-in-JIRA\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Jacksonsmg/SoftwareTesting-Cunit URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/linhkat3057/Valthrun URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/DIMANANDEZ/refrag URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/MichaelQDLe/CodeHive URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 15 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/VantageSolutions/ShadowTool URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Pataterustiche/tonconnect URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/cristiancctlv/recaptcha-botguard URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/marciunyielding712/openage URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Ali-Shady/claude-agent-desktop URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/2aryanZ/paper-submission-check URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Hosk9612/venutian-antfarm URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/MohamedSamiHdj/realtime-data-pipeline URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/alvfpinedo/go-prometheus-exporter URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/MrKillerq/Mini-o3 
URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/vickykumar11062/Replication-package-for-gender-and-regional-differences-in-scientific-mobility-and-immobility\r\nURL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/nonunion-loasa895/codapter URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/WILLIAM86-CAPTAIN/gooey-search-tabs URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/hama1981/ROBLOX-MACRO-V3.0.0 URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/syedabdullahuddin/n8n-workflow-sdk-mcp URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/wanderconnect01/ika-network-skill URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/okoid721/chloroDAG URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 16 of 17\n\nIoC Type Category\r\nLast\r\nSeen\r\nhttps://github.com/Valentin6595/WhatDreamsCost-ComfyUI URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/virginiadiom2000-ai/osv-ui URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/gage6903/son-of-claude URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nhttps://github.com/Milan-sisodia-27/idl-pu3 URL\r\nMalicious\r\nGitHub\r\nrepository\r\n2026-\r\n04-12\r\nSource: https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-ste\r\nalc/\r\nhttps://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/"
	],
	"report_names": [
		"cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc"
	],
	"threat_actors": [],
	"ts_created_at": 1778032998,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97b86a643e25232e8156e6b748922c33e28cd8a0.pdf",
		"text": "https://archive.orkl.eu/97b86a643e25232e8156e6b748922c33e28cd8a0.txt",
		"img": "https://archive.orkl.eu/97b86a643e25232e8156e6b748922c33e28cd8a0.jpg"
	}
}
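The Network Indicators table in the report text above lists three bare-IP C2 addresses, two raw.githubusercontent.com staging URLs, the Polygon RPC host used for the dead-drop lookup, and two URL patterns (POST /api/<base64_victim_id> for multipart exfiltration and POST /task/<base64_victim_id> for the task completion callback). The script below is an added example, not code from the Hexastrike report or from SmartLoader, that turns those indicators into a web-proxy log hunt. It goes one step beyond the listed IPs: any POST to a bare-IP host whose path matches the /api or /task pattern with a strictly valid base64 token is flagged, so a C2 rotated through the Polygon contract is still caught even when its IP is not yet on the list. The log format (one request per line as "METHOD URL CONTENT-TYPE") and the sample log lines are constructed for this example and are assumptions, not a real capture; the victim id being padded standard base64 is also an assumption drawn from the report's pattern.

```python
"""Hunt web-proxy logs for the SmartLoader / StealC network indicators.

Added example; not code from the Hexastrike report or from the malware.
Indicator values come from the report's Network Indicators table. The log
format and the sample lines are constructed for this example (assumption).
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Network Indicators table.
C2_IPS = {"144.31.57.67", "144.31.57.65", "213.176.73.149"}
STAGING_URLS = {
    "https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt",
    "https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message2.txt",
}
POLYGON_RPC_HOST = "polygon.drpc.org"

# Report URL patterns: POST /api/<base64_victim_id> (exfil, multipart/form-data)
# and POST /task/<base64_victim_id> (task completion callback).
BEACON_PATH = re.compile(r"^/(api|task)/([A-Za-z0-9+/]+={0,2})$")


def _is_strict_base64(token: str) -> bool:
    """True if token is padded standard base64 (assumption about the victim id)."""
    if len(token) % 4 != 0:
        return False
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return True


def _is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify(method: str, url: str, content_type: str = "") -> list[str]:
    """Return the indicator names one request matches; empty list if clean."""
    hits = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_IPS:
        hits.append("known_c2_ip")
    if url in STAGING_URLS:
        hits.append("github_staging_url")
    if host == POLYGON_RPC_HOST:
        # Legitimate web3 software talks to this RPC too: context, not a verdict.
        hits.append("polygon_rpc_dead_drop_lookup")
    m = BEACON_PATH.match(parts.path)
    if method == "POST" and m and _is_strict_base64(m.group(2)) and _is_bare_ip(host):
        # Bare-IP host plus the path pattern catches a rotated C2 not yet on the IP list.
        if m.group(1) == "api":
            hits.append("exfil_post_multipart" if "multipart/form-data" in content_type
                        else "exfil_post")
        else:
            hits.append("task_callback")
    return hits


# Constructed sample log: "METHOD URL CONTENT-TYPE" per line ("-" if none).
SAMPLE_LOG = """\
GET https://raw.githubusercontent.com/deepanshugoel99/long/refs/heads/main/long/long/message1.txt -
POST http://144.31.57.67/api/dGVzdC1ob3N0LTAx multipart/form-data
POST http://144.31.57.67/task/dGVzdC1ob3N0LTAx application/x-www-form-urlencoded
POST https://polygon.drpc.org/ application/json
POST http://203.0.113.9/api/dGVzdC1ob3N0LTAy multipart/form-data
GET https://github.com/example/repo -
POST https://api.example.com/api/notbase64!! application/json
"""


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged URL to its matched indicators; clean requests are omitted."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        content_type = fields[2] if len(fields) > 2 else ""
        hits = classify(fields[0], fields[1], content_type)
        if hits:
            findings[fields[1]] = hits
    return findings


if __name__ == "__main__":
    for flagged_url, names in scan(SAMPLE_LOG).items():
        print(f"{', '.join(names):40s} {flagged_url}")
```

Two design choices matter in practice. The path pattern alone (/api/<token>, /task/<token>) is generic enough to hit ordinary web APIs, so the example only raises it when the host is a bare IP, which is how the report describes the C2 traffic; drop that condition only if you are prepared to triage the noise. The polygon.drpc.org match is deliberately a context hit rather than an alert, because wallets and dApps use the same public RPC; it becomes interesting when the same host shortly afterwards POSTs to a bare IP. The C2 list is dated 2026-04-12 in the report, so treat C2_IPS as a starting point and extend it from the contract resolver as infrastructure rotates.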