Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.
“The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.
The “broad and sustained” campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, but harbored within their Visual Studio project configuration files malicious payloads such as SMTP email bomber and Sakura-RAT.
Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with “developer-oriented information stealers that blur the line between red team tooling and active malware distribution.”
“Upon execution, the malicious payloads initiated complex multistage infection chains utilizing obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”
The attacks are also characterized by the use of anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain a long-term foothold on the affected hosts. Also employed are PowerShell scripts to weaken host defenses and inhibit system recovery.
Water Curse has been described as a financially motivated threat actor that’s driven by credential theft, session hijacking, and resale of illicit access. As many as 76 GitHub accounts have been linked to the campaign. There is evidence to suggest related activity may have been ongoing all the way back to March 2023.
The emergence of Water Curse is the latest example of how threat actors are abusing the trust associated with legitimate platforms like GitHub as a delivery channel for malware and stage software supply chain attacks.
“Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers,” Trend Micro said. “This reflects a multi-vertical targeting strategy that blends cybercrime with opportunistic monetization.”
“Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.”
The disclosure comes as multiple campaigns have been observed leveraging the prevalent ClickFix strategy to deploy various malware families such as AsyncRAT, DeerStealer (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl, and SectopRAT (also via Hijack Loader).
AsyncRAT is one of the many readily available remote access trojans (RATs) that has been put to use by unidentified threat actors to indiscriminately target thousands of organizations spanning multiple sectors since early 2024. Some aspects of the campaign were documented by Forcepoint in August 2024 and January 2025.
“This tradecraft allows the malware to bypass traditional perimeter defenses, particularly by using Cloudflare’s temporary tunnels to serve payloads from seemingly legitimate infrastructure,” Halcyon said. “These tunnels provide attackers with ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making it difficult to pre-block or blacklist.”
“Because the infrastructure is spun up dynamically via legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic enables threat actors to deliver payloads without relying on compromised servers or bulletproof hosting, increasing both the scale and stealth of the campaign.”
The findings also follow the discovery of an ongoing malicious campaign that has targeted various European organizations located in Spain, Portugal, Italy, France, Belgium, and the Netherlands with invoice-themed phishing lures to deliver a named Sorillus RAT (aka Ratty RAT).
Previous campaigns distributing the malware have singled out accounting and tax professionals using income tax return decoys, some of which have leveraged HTML smuggling techniques to conceal the malicious payloads.
The attack chain detailed by Orange Cyberdefense employs similar phishing emails that aim to trick recipients into opening PDF attachments containing a OneDrive link that points to a PDF file directly hosted on the cloud storage service while prompting the user to click an “Open the document” button.
Doing so redirects the victim to a malicious web server that acts as a traffic distribution system (TDS) to evaluate the incoming request and determine whether they need to proceed further to the next stage of the infection. If the victim’s machine meets the necessary criteria, they are displayed a benign PDF while a JAR file is stealthily downloaded to drop and execute Sorillus RAT.
A Java-based RAT that first surfaced in 2019, Sorillus is a cross-platform malware that can harvest sensitive information, download/upload files, take screenshots, record audio, log keystrokes, run arbitrary commands, and even uninstall itself. It also doesn’t help that numerous racked versions of the trojan are available online.
The attacks are assessed to be part of a broader campaign that has been observed delivering SambaSpy to users in Italy. SambaSpy, per Orange Cyberdefense, belongs to the Sorillus malware family.
“The operation showcases a strategic blend of legitimate services – such as OneDrive, MediaFire, and tunneling platforms like Ngrok and LocaltoNet – to evade detection,” the cybersecurity company said. “The repeated use of Brazilian Portuguese in payloads supports a likely attribution to Brazilian-speaking threat actors.”
