GitHub User Attachments Abused to Spread Novel Infostealer

SC Media, Apr 17, 2026

Why It Matters

The abuse of GitHub's trusted content delivery network shows how attackers can use legitimate developer infrastructure to slip past controls keyed to domain reputation, raising software supply-chain risk for enterprises worldwide.

Key Takeaways

  • Attackers host malicious ZIP archives on GitHub's user-attachment CDN
  • The loader uses DLL sideloading and direct syscalls to evade endpoint defenses
  • Three anti-analysis checks look for a sandbox sentinel file, analysis processes, and hypervisor display strings
  • CGrabber steals browser, crypto-wallet, VPN, and game-launcher data
  • Mitigation includes monitoring for DLL sideloading and outbound POST traffic to C2

Pulse Analysis

GitHub's content delivery network, long trusted for its reliability, is now a vector for malware distribution. By attaching malicious ZIP files through user-attachment URLs, the threat actors inherit the platform's reputation: the download comes from a well-known domain, so it does not trip the warnings or domain-reputation blocks that a link to an attacker-owned host would. This sidesteps perimeter defenses that key on known malicious domains and continues a trend in which attackers weaponize legitimate developer ecosystems to mount covert supply-chain attacks.

The Direct-Sys loader shows a layered evasion strategy. It begins with DLL sideloading through the Microsoft-signed Launcher_x64.exe, then runs three anti-analysis checks: it searches for a sentinel file, scans the process list for 67 sandbox- and analysis-related names, and looks for hypervisor strings in display adapter information. If all three pass, the loader decrypts ChaCha20-encrypted shellcode and executes it through direct syscalls, bypassing the user-mode API hooks that EDR products place in ntdll. A secondary loader injects code into Dllhost.exe using an APC-based technique, further hiding its activity behind a legitimate Windows process. The final CGrabber stealer collects data from browsers, crypto wallets, VPN clients, and gaming launchers, encrypts it with a dynamically generated ChaCha20 key, and exfiltrates it in ZIP chunks over HTTP POST requests.

For security teams, the campaign underscores the need for telemetry that goes beyond file reputation. Monitoring for atypical DLL sideloading (a signed binary executing from a user-writable directory and loading an unsigned DLL beside it), for syscall instructions issued from outside ntdll, and for outbound POST traffic to unknown endpoints can surface these operations. Blocking or inspecting archive downloads from GitHub's user-attachment paths, and using behavior-based detection for in-memory code injection, further reduce the risk. As attackers continue to co-opt trusted development platforms, organizations must scrutinize not just external URLs but also the integrity of their own software supply chains.
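As an added example of the three detections the paragraph above recommends, the following Python script correlates constructed sample telemetry: proxy log lines carrying ZIP downloads from GitHub's user-attachment path, image-load events showing a signed executable outside the Windows and Program Files trees loading an unsigned DLL from its own directory, and outbound POSTs to hosts not on an allowlist. This is illustrative code written for this page, not tooling from SC Media or from any vendor; the event field names, the sample paths, the DLL name `helper.dll`, and the attachment URL layout are assumptions, and the log lines are constructed.

```python
"""Correlate three signals from the campaign write-up over constructed sample
telemetry. Field names imitate a Sysmon-like ImageLoad/NetworkConnect shape
but are an assumption of this example, not any product's schema."""
import re

# Assumption: GitHub serves issue/PR attachments under github.com/user-attachments/.
GITHUB_ATTACHMENT_ZIP = re.compile(
    r"https?://github\.com/user-attachments/\S*?\.zip\b", re.IGNORECASE
)

# Directories a Microsoft-signed binary is expected to run from. A signed EXE
# executing elsewhere and loading an unsigned DLL next to itself is the
# sideloading pattern described above.
TRUSTED_EXE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample data (not real logs).
LAUNCHER = r"C:\Users\alice\Downloads\build\Launcher_x64.exe"
SAMPLE_PROXY = [
    "2026-04-17T10:02:11Z 10.0.0.12 GET https://github.com/user-attachments/files/12345678/build.zip 200",
    "2026-04-17T10:02:40Z 10.0.0.12 GET https://github.com/org/repo/releases/download/v1.0/tool.zip 200",
    "2026-04-17T10:03:05Z 10.0.0.12 GET https://github.com/user-attachments/assets/aaaaaaaa 200",
]
SAMPLE_IMAGE_LOADS = [
    {"ProcessId": 4120, "Image": LAUNCHER, "ImageSigned": True,
     "ImageLoaded": r"C:\Users\alice\Downloads\build\helper.dll", "ImageLoadedSigned": False},
    {"ProcessId": 4120, "Image": LAUNCHER, "ImageSigned": True,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "ImageLoadedSigned": True},
    {"ProcessId": 880, "Image": r"C:\Program Files\Vendor\app.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "ImageLoadedSigned": False},
]
SAMPLE_NET = [
    {"ProcessId": 4120, "Image": LAUNCHER, "Method": "POST", "Host": "198.51.100.23"},
    {"ProcessId": 880, "Image": r"C:\Program Files\Vendor\app.exe", "Method": "POST", "Host": "telemetry.example.com"},
    {"ProcessId": 4120, "Image": LAUNCHER, "Method": "GET", "Host": "github.com"},
    {"ProcessId": 2200, "Image": r"C:\Users\alice\AppData\Local\Temp\x.exe", "Method": "POST", "Host": "203.0.113.9"},
]
ALLOWLIST = {"telemetry.example.com", "github.com"}


def github_attachment_zips(proxy_lines):
    """Return every user-attachment ZIP URL seen in the proxy log lines."""
    return [m.group(0) for line in proxy_lines for m in GITHUB_ATTACHMENT_ZIP.finditer(line)]


def _dirname(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def dll_sideload_candidates(image_loads):
    """Flag signed processes outside trusted dirs that load an unsigned DLL from their own dir."""
    hits = []
    for ev in image_loads:
        if not ev["ImageSigned"]:
            continue
        exe_dir = _dirname(ev["Image"])
        if exe_dir.startswith(TRUSTED_EXE_DIRS):
            continue
        if _dirname(ev["ImageLoaded"]) == exe_dir and not ev["ImageLoadedSigned"]:
            hits.append((ev["ProcessId"], ev["Image"], ev["ImageLoaded"]))
    return hits


def unknown_post_destinations(net_events, allowlist):
    """Flag outbound HTTP POSTs to hosts that are not on the allowlist."""
    return [(ev["ProcessId"], ev["Host"]) for ev in net_events
            if ev["Method"] == "POST" and ev["Host"] not in allowlist]


def triage(image_loads, net_events, allowlist):
    """Correlate sideloading and unknown-POST signals per process id -> {pid: severity}."""
    sideload = {pid for pid, _, _ in dll_sideload_candidates(image_loads)}
    posting = {pid for pid, _ in unknown_post_destinations(net_events, allowlist)}
    return {pid: ("high" if pid in sideload and pid in posting else "medium")
            for pid in sideload | posting}


if __name__ == "__main__":
    print("attachment ZIPs:", github_attachment_zips(SAMPLE_PROXY))
    print("sideload candidates:", dll_sideload_candidates(SAMPLE_IMAGE_LOADS))
    print("verdicts:", triage(SAMPLE_IMAGE_LOADS, SAMPLE_NET, ALLOWLIST))
```

In the sample, process 4120 both sideloads an unsigned DLL from a Downloads folder and POSTs to an unlisted IP, so it is rated high; process 2200 only has the network signal and is rated medium, while the Program Files application with an unsigned plugin is left alone. The sideloading heuristic keys on the signed-binary-in-a-user-directory pattern rather than on any specific DLL name, so it generalizes beyond the Launcher_x64.exe case named in the write-up.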
