{
	"id": "4d22cd3b-1e3e-4380-a69f-fbf24f6c6750",
	"created_at": "2026-04-10T03:21:53.868914Z",
	"updated_at": "2026-04-10T13:11:26.242109Z",
	"deleted_at": null,
	"sha1_hash": "be4228259ed811d26545e5bded61f2438d0800cb",
	"title": "Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5927628,
	"plain_text": "Distribution of SmartLoader Malware via Github Repository\r\nDisguised as a Legitimate Project\r\nBy ATCP\r\nPublished: 2025-08-07 · Archived: 2026-04-10 02:08:12 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has recently discovered large-scale distribution of the SmartLoader malware through GitHub repositories. The repositories are carefully crafted to look like legitimate projects and attract users by targeting topics such as game cheats, software cracks, and automation tools. Each repository contains a README file and a compressed archive, and the archive contains the SmartLoader malware.\r\nSmartLoader Distribution URLs\r\nhxxps://github[.]com/[Threat Actor Account]/Maple-Story-Menu/releases/download/v3.2.0/Maple.Story.Menu.v3.2.0.zip\r\nhxxps://github[.]com/[Threat Actor Account]/Minecraft-Vape-Client/releases/download/v1.3.1/Minecraft.Vape.Client.v1.3.1.zip\r\nhxxps://github[.]com/[Threat Actor Account]/ms-rewards-automation/releases/download/v1.8.1/ms-rewards-automation.v1.8.1.zip\r\nhxxp://github[.]com/[Threat Actor Account]/ddos-protection/releases/download/uncork/ddos-protection-uncork.zip\r\nhxxp://github[.]com/[Threat Actor Account]/strongvpn/releases/download/pseudobrotherly/strongvpn_pseudobrotherly.zip\r\nhxxp://github[.]com/[Threat Actor Account]/VSDC-Video-Editor-Pro-Crack/releases/download/2.3.3/vsdc-video-editor-pro-crack-2.3.3.zip\r\nhxxp://github[.]com/[Threat Actor Account]/Instagram-Followers-Booster-v2.4.5/releases/download/v1.3.6/instagram-followers-booster-v2.4.5-v1.3.6.zip\r\nhxxps://github[.]com/[Threat Actor Account]/Call-of-Duty-Modern-Warfare-3-MW3-Hack-Cheat-Aimbot-Esp-Unban-Hwid-Unlocks-GunLVL/releases/download/desertless/Desertless.zip\r\nhxxps://github[.]com/[Threat Actor Account]/MCP-Manager-GUI/releases/download/v1.6.1/MCP.Manager.GUI.v1.6.1.zip\r\nhxxp://github[.]com/[Threat Actor 
Account]/Project-Zomboid-Hack/releases/download/scholae/project-zomboid-hack-scholae.zip\r\nhxxps://github[.]com/[Threat Actor Account]/portfolio/raw/refs/heads/main/Software.zip\r\nWhen users search for keywords such as game hacks, software cracks, and automation tools, the GitHub repository containing SmartLoader appears at the top of the search results, so it is easy to reach.\r\nhttps://asec.ahnlab.com/en/89551/\r\nPage 1 of 7\r\nFigure 1. The SmartLoader distribution site being displayed at the top of Google search results\r\nThe GitHub repository disguised as a legitimate project contains a README file and other project-related files. The README is well written, with a project overview, a table of contents, key features, and installation and usage instructions, which makes it hard for ordinary users to recognize the repository as a malware distribution site. Users follow the installation instructions and download the compressed archive, which contains the malware.\r\nFigure 2. A GitHub repository disguised as a legitimate project (1)\r\nFigure 3. A GitHub repository disguised as a legitimate project (2)\r\nFigure 4. Files inside the compressed file\r\nThe downloaded archive contains four files with the following roles.\r\nFile: Function\r\njava.exe: The legitimate LuaJIT executable luajit.exe, renamed (legitimate)\r\nLauncher.cmd: Batch file that runs java.exe with module.class as its argument (malicious)\r\nlua51.dll: LuaJIT runtime library (legitimate)\r\nmodule.class: Obfuscated Lua script (malicious)\r\nWhen the user runs Launcher.cmd to “install” the program, the obfuscated malicious Lua script is loaded by luajit.exe (the renamed java.exe) and SmartLoader is ultimately activated. 
To maintain persistence, SmartLoader copies luajit.exe (as ODE3.exe), module.class, and lua51.dll to the “%AppData%\\ODE3” folder and registers a scheduled task named “SecurityHealthService_ODE3”.\r\nFigure 5. Sending a screenshot (BMP file)\r\nFigure 6. Transmission of system information (encoded form)\r\nA screenshot of the infected PC and its system information are then sent to the C2 server, and further malicious behavior depends on the value the server returns. Data exchanged with the C2 server is obfuscated using Base64 encoding and key-dependent byte operations; the key is stored in obfuscated form inside the Lua script and can be recovered from process memory at runtime.\r\nC2\r\nhxxp://89.169.13[.]215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nFigure 7. C2 response value\r\nThe response is JSON with two items, loader and tasks. loader is a configuration object that controls the malware's behavior, and tasks is a list of additional payloads to download and execute. 
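The loader and tasks items just described, handled by an added example that is not ASEC's code: it takes the decoded response as the report presents it in Table 1 (transcribed here as a Python dict, with the backslash in file_name spelled via chr(92)), derives the download URL and on-disk drop location of each task, lists which top-level loader switches are on, and decodes the Base64 path segment that every C2 URL in the report shares. The expansion of the file_path keywords AppData and Temp to %APPDATA% and %TEMP% is an assumption; the report names the keywords but not the expansion. The decoded path segment is a comma-separated list of hex byte values; the report does not say what they mean, and the example makes no claim about them.

```python
import base64
import posixpath

BACKSLASH = chr(92)  # Windows separator, spelled out so the block carries no escape sequences

# Decoded C2 response transcribed from Table 1 of the report (loader object and
# tasks list). The meaning of pump, delivery and dll_loader is not stated in the
# report, so those fields are carried through without interpretation.
DECODED_RESPONSE = {
    'loader': {'bypass_defender': 0, 'autorun': 0,
               'relaunch': {'time': 3600, 'status': False},
               'tablet': {'text': 'An error occurred', 'status': False},
               'hide': 0, 'persistence': 1},
    'tasks': [
        {'id': 814,
         'link': 'hxxps://github[.]com/kishoq123/Netrunner-Os-Abiy/releases/download/nasosubnasal/log.txt',
         'file_path': 'AppData', 'file_name': 'Adobe' + BACKSLASH + 'adobe.lua',
         'start': 1, 'autorun': 0, 'relaunch': 0, 'hide': 0,
         'pump': {'size': 100, 'status': False},
         'dll_loader': {'func': None, 'type': 'LoadLibrary'}, 'delivery': 'new'},
        {'id': 819,
         'link': 'hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/64.log',
         'file_path': 'Temp', 'file_name': '_x64.bin',
         'start': 1, 'autorun': 0, 'relaunch': 0, 'hide': 0,
         'pump': {'size': -1, 'status': False},
         'dll_loader': {'func': None, 'type': 'LoadLibrary'}, 'delivery': 'new'},
        {'id': 820,
         'link': 'hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/86.log',
         'file_path': 'Temp', 'file_name': '_x86.bin',
         'start': 1, 'autorun': 0, 'relaunch': 0, 'hide': 0,
         'pump': {'size': -1, 'status': False},
         'dll_loader': {'func': None, 'type': 'LoadLibrary'}, 'delivery': 'new'},
    ],
}

# Assumption: file_path keywords expand to these environment folders. The
# report names the keywords (AppData, Temp) but not the expansion.
BASE_DIRS = {'AppData': '%APPDATA%', 'Temp': '%TEMP%'}

# Last path segment of every C2 URL in the report's IOC list.
C2_TOKEN = 'YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs'

def refang(url):
    # Turn the report's defanged notation (hxxp, [.]) back into a usable URL.
    return url.replace('hxxp', 'http').replace('[.]', '.')

def drop_path(task):
    # Expected on-disk location of the payload, normalised to '/' separators.
    base = BASE_DIRS.get(task['file_path'], task['file_path'])
    return posixpath.join(base, task['file_name'].replace(BACKSLASH, '/'))

def extract_indicators(response):
    # One record per task: download URL, drop location, loader type and the
    # execution switches the loader honours (start, autorun, relaunch, hide).
    rows = []
    for task in response.get('tasks', []):
        rows.append({
            'task_id': task['id'],
            'url': refang(task['link']),
            'path': drop_path(task),
            'loader_type': (task.get('dll_loader') or {}).get('type'),
            'flags': {k: task.get(k, 0) for k in ('start', 'autorun', 'relaunch', 'hide')},
        })
    return rows

def enabled_loader_switches(loader):
    # Names of the top-level loader switches set to 1 (nested objects are skipped).
    return sorted(k for k, v in loader.items() if v == 1)

def decode_token(token):
    # The segment is plain Base64 of comma-separated hex byte values. What the
    # bytes mean is not stated in the report; this only makes them visible.
    text = base64.b64decode(token).decode('ascii')
    return [int(b, 16) for b in text.split(',') if b]

if __name__ == '__main__':
    print('loader switches on:', enabled_loader_switches(DECODED_RESPONSE['loader']))
    for row in extract_indicators(DECODED_RESPONSE):
        print(row['task_id'], row['url'], row['path'], row['flags'])
    print('C2 token bytes:', [hex(b) for b in decode_token(C2_TOKEN)])
```

The derived drop paths (%APPDATA%/Adobe/adobe.lua, %TEMP%/_x64.bin, %TEMP%/_x86.bin) are the file-system artifacts to look for on a host that received this task list; the refanged links are the download indicators to block.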
The following is the result of decoding this data with the recovered key.\r\nItem: Decoded data\r\nloader: {\"bypass_defender\": 0, \"autorun\": 0, \"relaunch\": {\"time\": 3600, \"status\": false}, \"tablet\": {\"text\": \"An error occurred\", \"status\": false}, \"hide\": 0, \"persistence\": 1}\r\ntasks: [{\"id\": 814, \"link\": \"hxxps://github[.]com/kishoq123/Netrunner-Os-Abiy/releases/download/nasosubnasal/log.txt\", \"file_path\": \"AppData\", \"file_name\": \"Adobe\\\\adobe.lua\", \"start\": 1, \"autorun\": 0, \"relaunch\": 0, \"hide\": 0, \"pump\": {\"size\": 100, \"status\": false}, \"dll_loader\": {\"func\": null, \"type\": \"LoadLibrary\"}, \"delivery\": \"new\"}, {\"id\": 819, \"link\": \"hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/64.log\", \"file_path\": \"Temp\", \"file_name\": \"_x64.bin\", \"start\": 1, \"autorun\": 0, \"relaunch\": 0, \"hide\": 0, \"pump\": {\"size\": -1, \"status\": false}, \"dll_loader\": {\"func\": null, \"type\": \"LoadLibrary\"}, \"delivery\": \"new\"}, {\"id\": 820, \"link\": \"hxxps://github[.]com/ngochoan1991/host/raw/ed0b087203fbe99717f2be9e93abc0cf9a4200c9/86.log\", \"file_path\": \"Temp\", \"file_name\": \"_x86.bin\", \"start\": 1, \"autorun\": 0, \"relaunch\": 0, \"hide\": 0, \"pump\": {\"size\": -1, \"status\": false}, \"dll_loader\": {\"func\": null, \"type\": \"LoadLibrary\"}, \"delivery\": \"new\"}]\r\nTable 1. Decoded loader and tasks data\r\nAt the time of analysis, the tasks list held three payloads. After each payload is executed, its task ID and the infected PC's country code are reported to the C2 server. The downloaded files are encoded in the same way as the C2 traffic and are decoded and executed in memory. The function of each file is as follows:\r\nC2\r\nhxxp://89.169.13[.]215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\n1. adobe.lua\r\nFigure 8. Decoded adobe.lua\r\nThis file is an obfuscated malicious Lua script that performs the same function as module.class. 
To maintain persistence, it is registered in the Task Scheduler under the name “WindowsErrorRecovery_ODE4”. It sends a screenshot of the infected PC and its system information to the C2 server, then performs additional malicious behavior based on the server's response. At the time of analysis its tasks list was empty, so no further behavior could be identified.\r\nC2\r\nhxxp://95.164.53[.]26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nFigure 9. C2 response value\r\n2. _x64.bin\r\nFigure 10. Decoded _x64.bin\r\nThis file is shellcode for 64-bit environments and was identified as the Rhadamanthys infostealer. Rhadamanthys injects itself into legitimate Windows processes and ultimately exfiltrates sensitive information related to email, FTP, and online banking services to the threat actor's server.\r\nInjection Target Processes\r\n%Systemroot%\\system32\\openwith.exe\r\n%Systemroot%\\system32\\dialer.exe\r\n%Systemroot%\\system32\\dllhost.exe\r\n%Systemroot%\\system32\\rundll32.exe\r\n3. _x86.bin\r\nFigure 11. Decoded _x86.bin\r\nThis file is shellcode for 32-bit environments with the same function as _x64.bin; it is also Rhadamanthys.\r\nSmartLoader is mainly used to download infostealers, and it has frequently been observed executing other malware such as Rhadamanthys, RedLine, and Lumma Stealer. Because downloads found through illegal or unofficial keywords such as game hacks, cracks, and automation tools are very likely to lead to malware, software must be downloaded from official sources. 
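Beyond downloading only from official sources, defenders can hunt for the artifacts this analysis describes. The following is an added example in Python, not ASEC's tooling, that runs three rules over constructed Sysmon-style and Security-log-style events (not real telemetry): a process named java.exe launched by cmd.exe from outside Program Files with a .class file as its argument (the Launcher.cmd chain), the creation of a scheduled task following the SecurityHealthService_ODE3 / WindowsErrorRecovery_ODE4 naming, and lua51.dll or an ODE<n>.exe being written under AppData (the copy to the ODE3 folder). Assumptions: event field names follow Sysmon Event ID 1 (process create) and 11 (file create) and Security Event ID 4698 (scheduled task created); legitimate JREs live under Program Files; and the _ODE<n> suffix generalises beyond the two numbers seen in the report. Paths in the samples are written with forward slashes; the norm() helper folds the backslashes real events contain.

```python
import re

BACKSLASH = chr(92)  # Windows separator, spelled out so the block carries no escape sequences

def norm(path):
    # Lower-case and fold separators to '/' so each rule is written once.
    return (path or '').replace(BACKSLASH, '/').lower()

# Assumption: a genuine JVM is installed under Program Files; java.exe anywhere
# else (Downloads, Temp, AppData) is treated as user-writable territory.
TRUSTED_JAVA_DIRS = ('c:/program files/', 'c:/program files (x86)/')

# Assumption: the _ODE<n> suffix generalises; the report shows ODE3 and ODE4.
ODE_TASK = re.compile(r'^(securityhealthservice|windowserrorrecovery)_ode[0-9]+$')
ODE_EXE = re.compile(r'^ode[0-9]+[.]exe$')

def rule_luajit_as_java(ev):
    # Launcher.cmd runs java.exe with module.class as its argument. A real JVM is
    # given a class name or -jar, never a .class path, and lives under Program Files.
    if ev.get('EventID') != 1:
        return None
    image = norm(ev.get('Image'))
    if not image.endswith('/java.exe') or image.startswith(TRUSTED_JAVA_DIRS):
        return None
    parent = norm(ev.get('ParentImage'))
    args = norm(ev.get('CommandLine')).split()
    if parent.endswith('/cmd.exe') and any(a.endswith('.class') for a in args):
        return 'java.exe outside Program Files executing a .class argument (LuaJIT loader pattern)'
    return None

def rule_ode_task(ev):
    # Security 4698: scheduled task created with the SmartLoader naming scheme.
    if ev.get('EventID') != 4698:
        return None
    name = norm(ev.get('TaskName')).lstrip('/')
    if ODE_TASK.match(name):
        return 'SmartLoader persistence task ' + name
    return None

def rule_lua_runtime_in_appdata(ev):
    # Sysmon 11: lua51.dll or the renamed LuaJIT (ODE<n>.exe) staged under AppData.
    if ev.get('EventID') != 11:
        return None
    target = norm(ev.get('TargetFilename'))
    folder, _, name = target.rpartition('/')
    if '/appdata/' in target and (name == 'lua51.dll' or ODE_EXE.match(name)):
        return 'LuaJIT runtime staged in ' + folder
    return None

RULES = (rule_luajit_as_java, rule_ode_task, rule_lua_runtime_in_appdata)

def detect(events):
    # Returns (EventID, rule name, message) for every rule that fires on an event.
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev.get('EventID'), rule.__name__, msg))
    return hits

# Constructed sample events modelled on the chain in the report; not real telemetry.
# Separators are written as '/' here; norm() handles the backslashes real events use.
SAMPLE_EVENTS = [
    {'EventID': 1, 'Image': 'C:/Users/victim/Downloads/Maple.Story.Menu.v3.2.0/java.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe', 'CommandLine': 'java.exe module.class'},
    {'EventID': 11, 'TargetFilename': 'C:/Users/victim/AppData/Roaming/ODE3/lua51.dll'},
    {'EventID': 11, 'TargetFilename': 'C:/Users/victim/AppData/Roaming/ODE3/ODE3.exe'},
    {'EventID': 4698, 'TaskName': '/SecurityHealthService_ODE3'},
    {'EventID': 4698, 'TaskName': '/WindowsErrorRecovery_ODE4'},
    # Benign controls: a real JDK launch and an unrelated Windows task.
    {'EventID': 1, 'Image': 'C:/Program Files/Java/jdk-21/bin/java.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe', 'CommandLine': 'java.exe -jar app.jar'},
    {'EventID': 4698, 'TaskName': '/Microsoft/Windows/UpdateOrchestrator/Reboot'},
]

if __name__ == '__main__':
    for event_id, rule_name, msg in detect(SAMPLE_EVENTS):
        print(event_id, rule_name, msg)
```

The first rule is the one worth tuning in a real environment: portable JDKs unpacked into user folders will trip the location check, which is why it also requires a literal .class argument and a cmd.exe parent before firing. The task-name and AppData rules are narrow by design and can be widened once the sample set grows.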
Even if a README file is meticulously written, the repository may still be malicious, so the origin of the repository, the credibility of the author, and the commit and activity history must be checked.\r\nMD5\r\n2ed91e48a8a0b731ca3a3f6a7708256d\r\n4d744f3e77a4cb86a676da9c0a28b186\r\n952065a30e60fb71a5a27e0b78233cf1\r\nbd48378e8370372f1c59e404bcb5c840\r\ne5c783b9c1a70bd10efb66a79ff55ea1\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//150[.]241[.]108[.]62/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nhttp[:]//77[.]105[.]164[.]178/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nhttp[:]//89[.]169[.]12[.]179/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nhttp[:]//89[.]169[.]13[.]215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nhttp[:]//89[.]169[.]13[.]215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/89551/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/89551/"
	],
	"report_names": [
		"89551"
	],
	"threat_actors": [],
	"ts_created_at": 1775791313,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be4228259ed811d26545e5bded61f2438d0800cb.pdf",
		"text": "https://archive.orkl.eu/be4228259ed811d26545e5bded61f2438d0800cb.txt",
		"img": "https://archive.orkl.eu/be4228259ed811d26545e5bded61f2438d0800cb.jpg"
	}
}