{
	"id": "a8fc1d8f-d14d-4f72-a158-d41eeb9ff0e4",
	"created_at": "2026-04-06T00:10:01.25636Z",
	"updated_at": "2026-04-10T03:37:08.950101Z",
	"deleted_at": null,
	"sha1_hash": "b9447dab1f27ba145e95dea4e6ff0e1474cea703",
	"title": "Rust-Based Info Stealers Abuse GitHub Codespaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1089247,
	"plain_text": "Rust-Based Info Stealers Abuse GitHub Codespaces\r\nBy Nitesh Surana, Jaromir Horejsi\r\nPublished: 2023-05-19 · Archived: 2026-04-05 21:08:04 UTC\r\nThis is the first part of our security analysis of an information stealer targeting GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities.\r\nBy: Nitesh Surana, Jaromir Horejsi May 19, 2023 Read time: 5 min (1426 words)\r\nCloud-based developer environments allow developers to virtually code from anywhere and start right from their smartphones, tablets, or any device with a browser and an internet connection. GitHub Codespaces (CS) is one such feature-rich, cloud-based service from Microsoft that enables developers to build software from anywhere. After its availability was made public in November 2022, any GitHub user could create at least two active CS instances and use them for free with limits on storage, processing power, and duration. CS instances are isolated virtual machines (VMs) hosted on Azure that can be accessed using the web browser, the GitHub CLI, or integrated development environments (IDEs) such as VSCode and JetBrains, among others. Since any GitHub user could create CS environments, it did not take long for attackers to find ways to abuse this service.\r\nIn January 2023, we shared a proof of concept showing how an attacker could abuse a feature allowing the exposure of ports on GitHub CS to deliver malware with open directories. It should be noted that open directories aren’t new, and threat actors have been documented using them for serving malicious content such as ransomware, exploit kits, malware samples, and the like.\r\nIn relation to this, we recently came across Rust-based info stealers targeting Windows. Much like the technical details shared in our previous Twitter thread, these info stealers disguised themselves as applications or platforms. Our investigation showed how these info stealers operate by leveraging exposed ports on a CS instance to exfiltrate credentials from an infected machine. In this blog, we detail one of these info stealers masquerading as a popular computer game. This will serve as the first part of the series, to be followed by another entry analyzing how this info stealer is able to persist on the victim machine after it infects an existing installation of Discord.\r\nOverview of functions\r\nhttps://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html\r\nPage 1 of 11\r\nFigure 1. A brief overview of the first section of this info stealer\r\nAnalyzing the info stealer sample with a decompiler, we noticed a number of interesting function names, including functions for anti-debugging and for stealing data from web browsers, Discord, Steam, and cryptocurrency wallets, among others.\r\nFigure 2. Suspicious functions (top) and the decompiled main function of the sample (bottom)\r\nFunctions for anti-debugging and anti-analysis\r\nInitially, the function called malware::anti_debug::detect::hfc268b042e05af6a() checks if the sample is running in a controlled environment. The function fetches the username and, later, the current host name and compares them with a list of blocklisted usernames and host names that might have been used in sandboxes and debugging environments. If any match is found, the stealer process is terminated. For comparison, we found a repository of a Python-based anti-debugger implementing similar anti-debugging and anti-analysis procedures.\r\nFigure 3. Anti-debug checks implemented by the stealer\r\nStolen information breakdown\r\nIn this section, we enumerate the stolen data and the processes we found in the infection routine of the info stealer malware.\r\nStealing browser data\r\nOnce the anti-debug checks are done and no sandbox or debugging environment is detected, the stealer collects the credentials stored on the victim machine, such as passwords, cookies, and credit card information, from the following popular web browsers:\r\n360Browser\r\nAmigo\r\nBrave\r\nChromodo\r\nChromunium (sic)\r\nCocCoc\r\nComodo\r\nEpic Privacy Browser\r\nGoogle Chrome\r\nK-Melon\r\nKometa\r\nMail.Ru\r\nMaxthon3\r\nNichrome\r\nOrbitum\r\nSlimjet\r\nSputnik\r\nTorch\r\nUran\r\nVivaldi\r\nYandex\r\nWe observed that “Chromunium” is a typo of “Chromium,” and it does not work. Neither did we find any public mentions of “Chromunium” being a browser. Notably, the majority of modern browser codebases are based on Chromium, a free and open-source project, including Microsoft Edge, even though it is not found in the stealer’s list for checking.\r\nWhile analyzing the function malware::browsers::steal_data::h8cac638d5caa2249(), however, we also noticed mentions of a function called get_chromunium_targets. In an attempt to look for related stealer code on GitHub, we came across a repository containing source code in the Rust language, which we determined to be an info stealer sending stolen information to the attacker’s webhook. Based on the similarities of the function code, the sequence of browsers, and the applications being targeted, the info stealer analyzed in this blog post was likely based on or inspired by the stealer we discovered in the GitHub repository.\r\nFigure 4. Calling a function named “get_chromunium_targets” in one of the methods from the info stealer\r\nFigure 5. Possible source code related to the info stealer based on function name and capabilities\r\nMeanwhile, the collected credentials for each targeted browser are saved under the following files:\r\n%localappdata%\\Microsoft\\Security\\Browsers\\\\Default\\Passwords.tx\r\n%localappdata%\\Microsoft\\Security\\Browsers\\\\Default\\Netscape Cookies.txt\r\n%localappdata%\\Microsoft\\Security\\Browsers\\\\Default\\Credit Cards.txt\r\nStealing cryptocurrency wallet data\r\nAfter collecting the browser credentials, the stealer proceeds to steal information from various cryptocurrency wallets. It targets known wallets from the paths under the \u003c%localappdata%\u003e and \u003c%appdata%\u003e folders, as identified here:\r\n\\Armory\r\n\\atomic\\Local Storage\\leveldb\r\n\\bytecoin\r\n\\Coinomi\\Coinomi\\wallets\r\n\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\r\n\\Electrum\\wallets\r\n\\Ethereum\\keystore\r\n\\Exodus\\exodus.wallet\r\n\\Guarda\\Local Storage\\leveldb\r\n\\Zcash\r\nStealing Discord data\r\nThe stealer also targets the messaging application Discord and looks for Discord tokens. Once acquired, these tokens allow malicious actors to impersonate the victims on the platform. Once a token is found, it is written to the file Discord Tokens.txt located in \u003c%localappdata%\\Microsoft\\Security\u003e. The tokens are scanned from the following paths:\r\n%appdata%\\discord\\\r\n%appdata%\\discord\\Local Storage\\leveldb\\\r\n%appdata%\\discordcanary\r\n%appdata%\\discordptb\r\n%appdata%\\discorddevelopement\r\n%localappdata%\\Discord\r\nStealing Steam data\r\nThe Steam configuration files from \u003c%programfiles(x86)%\\Steam\\config\\\u003e are copied to the folder \u003c%localappdata%\\Microsoft\\Security\\Steam\\\u003e for later exfiltration. Stolen credentials and configuration files are stored in the following paths and files:\r\n%localappdata%\\Microsoft\\Security\\Browsers\\\r\n%localappdata%\\Microsoft\\Security\\Wallets\\\r\n%localappdata%\\Microsoft\\Security\\Steam\\\r\n%localappdata%\\Microsoft\\Security\\Discord Tokens.txt\r\nExfiltration\r\nThe previously collected files are compressed into a file named diagnostics.zip and stored in the path \u003c%localappdata%\\Microsoft\\diagnostics.zip\u003e. The stealer uses gofile.io, a file-sharing platform that allows users to upload and share files anonymously. Initially, the stealer fetches the best available gofile.io server by querying api.gofile.io. Depending on the response, the best server to send files to or receive files from is used in the subsequent request in the format storeX.gofile.io, where “X” is a number (such as “store2” in Figure 6). The stealer then uploads the compressed file via a POST request to the endpoint /uploadFile. The body of the POST request contains the collected credentials from the victim.\r\nFigure 6. Requesting the best server for upload\r\nFigure 7. Uploading stolen credentials to the gofile server\r\nIn the response, we get the gofile.io URL where the uploaded file is stored. This URL can be accessed by anyone without any authentication. We also get a token in the guestToken parameter, which the uploader can subsequently use to delete the parentFolder and fileId. After the gofile.io upload is complete, a query to ifconfig.me fetches the public IP address of the victim machine.\r\nFigure 8. HTTP GET request to get the public IP address of the infected machine\r\nThe last step is submitting the stolen information to the GitHub webhook controlled by the attacker. This is the summary of the stolen information exfiltrated by the stealer:\r\n1. List of browsers found\r\n2. Computer name\r\n3. Number of cookies extracted\r\n4. Total number of credit cards extracted\r\n5. Discord status (whether Discord is installed or not)\r\n6. Number of passwords extracted\r\n7. Uploaded gofile.io URL of diagnostics.zip\r\n8. Steam status (whether any Steam data was stolen or not)\r\n9. Username of the user running the info stealer\r\n10. List of cryptocurrency wallets extracted\r\n11. Windows operating system version\r\nThe stealer then embeds all the pieces of information about the victim into a JSON file and sends this via a POST request to a GitHub CS URL. We saw a POST request attempting to exfiltrate the stolen information to the GitHub CS endpoint that listens on port 8080. Had the CS been active, port 8080 would have been publicly exposed and, requiring no authentication, the exfiltrated information would have been successfully sent to and received by the attacker.\r\nAccording to our sample and testing, the exfiltration of the data to the webhook had failed with the status error “302 Moved Temporarily.” If we try to access the gofile.io URL, we will see that the file diagnostics.zip has been uploaded to the server and can be downloaded by anyone with the URL because no authorization is required.\r\nFigure 9. Failed exfiltration of stolen data to the GitHub Codespaces webhook\r\nFigure 10. Uploaded file to gofile.io\r\nIn the second part of this analysis, we detail our investigation of how this information-stealing malware achieves persistence on the infected machine by modifying the victim’s installation of Discord. We also enumerate our security recommendations and insights on how users and security teams can defend their networks and endpoints against this growing threat.\r\nIndicators of Compromise (IOCs)\r\nDownload the full list of indicators here.\r\nSource: https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html"
	],
	"report_names": [
		"rust-based-info-stealers-abuse-github-codespaces.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9447dab1f27ba145e95dea4e6ff0e1474cea703.pdf",
		"text": "https://archive.orkl.eu/b9447dab1f27ba145e95dea4e6ff0e1474cea703.txt",
		"img": "https://archive.orkl.eu/b9447dab1f27ba145e95dea4e6ff0e1474cea703.jpg"
	}
}