Distribution of SmartLoader Malware via GitHub Repository Disguised as a Legitimate Project
Aug. 13, 2025, 3:48 p.m.
Description
A massive distribution of SmartLoader malware has been discovered through GitHub repositories masquerading as legitimate projects. These repositories focus on topics like game cheats, software cracks, and automation tools to attract users. The malware is distributed via compressed files containing a legitimate Lua loader executable, a malicious batch file, and an obfuscated Lua script. Once executed, SmartLoader establishes persistence, sends system information to a C2 server, and downloads additional payloads. The malware has been observed downloading InfoStealer malware such as Rhadamanthys, Redline, and Lumma Stealer. Users are advised to download software only from official sources and to carefully verify the credibility of GitHub repositories before use.
Tags
Date
- Created: Aug. 13, 2025, 3:43 p.m.
- Published: Aug. 13, 2025, 3:43 p.m.
- Modified: Aug. 13, 2025, 3:48 p.m.
Indicators
- c5a7070fd30913e1a8d214df38180cf11d64088a8f5c1eab8fde1e4e2b69626c
- ac3ea4c298a810a99f4f1124994c8fb58d3c439877cc587b1638631cfbbe9c24
- 277a0aa3fb3762438f5bd1f9f35a58979430622bc6234e95a4383667a8402952
- 95.164.53.26
- 89.169.12.179
- 77.105.164.178
- 150.241.108.62
- 89.169.13.215
- http://95.164.53.26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs
- http://89.169.13.215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs
- http://89.169.13.215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs
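As an added example that is not part of the original report, the script below loads the indicators listed above and flags log lines that reference them, so a defender can sweep proxy, EDR and firewall logs for the C2 addresses, C2 URLs and file hashes published here. The log lines, hostnames and file paths in `SAMPLE_LOGS` are constructed for illustration; only the indicator values come from the listing.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the listing above.
SHA256_IOCS = {
    "c5a7070fd30913e1a8d214df38180cf11d64088a8f5c1eab8fde1e4e2b69626c",
    "ac3ea4c298a810a99f4f1124994c8fb58d3c439877cc587b1638631cfbbe9c24",
    "277a0aa3fb3762438f5bd1f9f35a58979430622bc6234e95a4383667a8402952",
}
IP_IOCS = {
    "95.164.53.26",
    "89.169.12.179",
    "77.105.164.178",
    "150.241.108.62",
    "89.169.13.215",
}
URL_IOCS = {
    "http://95.164.53.26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs",
    "http://89.169.13.215/tasks/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs",
    "http://89.169.13.215/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs",
}

# Constructed sample log lines (Squid-style proxy, EDR file event, firewall).
# Hosts, paths and timestamps are made up; the IoC values are from the listing.
SAMPLE_LOGS = [
    "1723550000.123 0 10.0.0.15 TCP_MISS/200 512 GET "
    "http://95.164.53.26/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs "
    "- HIER_DIRECT/95.164.53.26 application/octet-stream",
    "1723550001.456 0 10.0.0.22 TCP_MISS/200 1024 GET http://example.com/index.html "
    "- HIER_DIRECT/93.184.216.34 text/html",
    "event=file_create host=WS-07 path=C:\\Users\\user\\Downloads\\archive\\run.bat "
    "sha256=ac3ea4c298a810a99f4f1124994c8fb58d3c439877cc587b1638631cfbbe9c24",
    "action=allow src=10.0.0.31 dst=89.169.13.215 dport=80 proto=tcp",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass(frozen=True, order=True)
class Hit:
    line_no: int   # zero-based index into the scanned input
    ioc_type: str  # "sha256", "ip" or "url"
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every distinct (type, value) indicator referenced in one log line."""
    found = set()
    for digest in SHA256_RE.findall(line):
        if digest.lower() in SHA256_IOCS:
            found.add(("sha256", digest.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IP_IOCS:
            found.add(("ip", ip))
    for url in URL_RE.findall(line):
        # The URL path is a case-sensitive token, so only strip a trailing slash.
        if url.rstrip("/") in URL_IOCS:
            found.add(("url", url.rstrip("/")))
    return [Hit(line_no, t, v) for t, v in sorted(found)]


def scan_logs(lines) -> list:
    """Scan an iterable of log lines and collect all indicator hits."""
    hits = []
    for idx, line in enumerate(lines):
        hits.extend(scan_line(idx, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator type, e.g. {"ip": 2, "sha256": 1, "url": 1}."""
    return dict(Counter(h.ioc_type for h in hits))


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

A proxy line that contains the full C2 URL is reported twice, once as a URL hit and once as an IP hit, which is deliberate: the IP match still fires when only the connection metadata is logged and the URL path is absent, as in the firewall line.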