
Gitgub Campaign Attacking GitHub Users To Steal Login Credentials

Aug 27, 2025 · 4 min read

Threat actors often target GitHub users because of the many valuable code repositories and the sensitive information stored on the platform.

Moreover, the collaborative nature of GitHub makes it an exceptional target for surveillance by threat actors seeking to gather intelligence on organizations and their development practices.

Cybersecurity analysts at G Data Defense recently discovered that threat actors are actively attacking GitHub users to steal login credentials via the Gitgub campaign.

Gitgub Campaign Attacking GitHub Users

RisePro employs encrypted strings and bloated installers that crash reverse-engineering tools. The “Gitgub” campaign exfiltrated over 700 data archives to Telegram.


Thirteen repositories from this RisePro stealer campaign featured the README lures, and fake green Unicode circles mimicked GitHub build-status badges to create an illusion of recency.

Red and green circles usually indicate real build outcomes on GitHub.

[Image] Malicious Repos (Source – G Data Defense)

The following download link remains the same across all of the repositories:

hxxps://site/INSTALLER%20PASSWORD.rar

The user unpacks the nested archives with the password “GIT1HUB1FREE”; Installer_Mega_v0.7.4t.msi is the first executable.

Orca shows that it unpacks the next stage using the password “LBjWCsXKUz1Gwhg”, and the final payload is “Installer-Ultimate_v4.3e.9b.exe”.

[Image] Installer_Mega_v0.7.4t.msi in Orca.exe (Source – G Data Defense)

Installer-Ultimate_v4.3e.9b.exe is 699MB, and its size crashes the analysts’ tools. PortexAnalyzer shows non-trivial bloat: high entropy and no overlay.

The original archive was only 70MB, which suggests the bloat follows a repeating pattern.

[Image] PortexAnalyzer visualization (Source – G Data Defense)

The visualization revealed repeating blocks of 0x1C0 bytes with unique blocks of 0x2d bytes between them. Repeating blocks allow the file to compress well while still showing high entropy once unpacked.

The MICROSOFTVISUALSTUDIODEBUGGERI resource held 0x2b85418f bytes of bloat data; removing it slimmed the file from 699MB to 3.43MB.
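The combination described above (a file that is high-entropy yet compresses to a fraction of its size) is easy to test for without any special tooling. The script below is an added example, not code from G Data or from the report: it builds a constructed sample with the same layout (a 0x1C0-byte pseudo-random block repeating, separated by 0x2D-byte blocks that differ each time), then measures Shannon entropy and zlib compression ratio and recovers the repeat period and block length by probing for the next occurrence of the file's first bytes. The block contents and the number of units are assumptions made for the demonstration.

```python
import hashlib
import math
import zlib
from collections import Counter

# Constructed sample layout (not the real Installer-Ultimate file): a 0x1C0-byte
# pseudo-random block that repeats, separated by 0x2D-byte blocks that differ
# each time, which is the structure the visualization above describes.
REPEAT_LEN = 0x1C0
UNIQUE_LEN = 0x2D


def build_bloat(n_units=64):
    # Deterministic, non-periodic filler: chained SHA-256 digests stand in for
    # the high-entropy padding.
    block = b"".join(
        hashlib.sha256(b"bloat-seed" + i.to_bytes(4, "little")).digest()
        for i in range((REPEAT_LEN + 31) // 32)
    )[:REPEAT_LEN]
    out = bytearray()
    for unit in range(n_units):
        out += block
        # Each separator is distinct: byte j of separator 'unit' is (31*unit + j) mod 256.
        out += bytes(((31 * unit + j) & 0xFF) for j in range(UNIQUE_LEN))
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data):
    """Compressed size divided by original size, using zlib level 9."""
    return len(zlib.compress(data, 9)) / len(data)


def find_repeat_structure(data, probe_len=64):
    """Locate the repeat period and the length of the repeating block.

    Uses the first probe_len bytes as a probe, finds their next occurrence
    (the period), then counts how many leading bytes match at that distance
    (the repeating block length). Returns None when nothing repeats.
    """
    period = data.find(data[:probe_len], 1)
    if period == -1:
        return None
    matched = 0
    while period + matched < len(data) and data[matched] == data[period + matched]:
        matched += 1
    return {"period": period, "repeat_len": matched, "unique_len": period - matched}


def analyze(data):
    report = {"entropy": shannon_entropy(data), "ratio": compression_ratio(data)}
    structure = find_repeat_structure(data)
    if structure:
        report.update(structure)
    return report


if __name__ == "__main__":
    r = analyze(build_bloat())
    print(f"entropy={r['entropy']:.2f} bits/byte, compresses to {r['ratio']:.1%} of original size")
    if "period" in r:
        print(f"repeat period 0x{r['period']:X}: block 0x{r['repeat_len']:X} bytes, gap 0x{r['unique_len']:X} bytes")
```

On the constructed sample, entropy stays near the maximum while the file compresses to well under a fifth of its size, and the probe recovers a period of 0x1ED (0x1C0 + 0x2D). A genuinely packed or encrypted file would show the same entropy but a compression ratio close to 1.0, which is the distinguishing signal for this kind of bloat.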

The Inno Setup signature was fake; the file is actually a .NET assembly. It contains two #Blob and two #Strings streams, which breaks the CLI specification (only one of each is allowed), while the #Schema stream is not part of the CLI at all, the report reads.

Three streams had invalid sizes of 1 byte and pointed to the same offset, which likely serves to confuse parsers.
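Each of the anomalies just listed lives in the stream headers of the CLI metadata root, so a small parser can flag all of them. The code below is an added example, not from the report or from G Data: it parses the metadata root layout defined by ECMA-335 (BSJB signature, version string, then one header of offset, size and null-terminated name per stream) and reports duplicate standard streams, non-standard names, implausibly small sizes and offsets shared by several streams. The metadata roots it checks are constructed in the script to mirror the described anomalies; the exact offsets and sizes are assumptions, not values from the sample.

```python
import struct
from collections import Counter, defaultdict

# Stream names defined by the CLI (ECMA-335) metadata specification.
STANDARD_STREAMS = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}
METADATA_SIGNATURE = 0x424A5342  # "BSJB"


def _pad4(b):
    return b + b"\0" * ((4 - len(b) % 4) % 4)


def build_metadata_root(streams, version=b"v4.0.30319"):
    """Build a synthetic metadata root (constructed test input, not a real file).

    streams is a list of (name, offset, size) tuples; offsets are relative to
    the start of the metadata root, as in a real assembly.
    """
    ver = _pad4(version + b"\0")
    root = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    root += struct.pack("<HH", 0, len(streams))  # Flags, Streams
    for name, offset, size in streams:
        root += struct.pack("<II", offset, size) + _pad4(name.encode("ascii") + b"\0")
    return root


def parse_stream_headers(root):
    """Return the (name, offset, size) stream headers from a metadata root."""
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", root, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root")
    pos = 16 + ver_len
    _flags, n_streams = struct.unpack_from("<HH", root, pos)
    pos += 4
    headers = []
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", root, pos)
        pos += 8
        end = root.index(b"\0", pos)
        headers.append((root[pos:end].decode("ascii", "replace"), offset, size))
        pos = (end + 1 + 3) & ~3  # name is null-terminated and padded to 4 bytes
    return headers


def check_stream_headers(headers, min_size=4):
    """Return findings describing spec violations and parser traps."""
    findings = []
    for name, count in Counter(h[0] for h in headers).items():
        if count > 1:
            findings.append(f"duplicate stream {name} ({count} copies); the CLI allows one")
    by_offset = defaultdict(list)
    for name, offset, size in headers:
        if name not in STANDARD_STREAMS:
            findings.append(f"non-standard stream name {name}")
        if size < min_size:
            findings.append(f"implausible size {size} for stream {name}")
        by_offset[offset].append(name)
    for offset, names in by_offset.items():
        if len(names) > 1:
            findings.append(f"streams {', '.join(names)} share offset 0x{offset:X}")
    return findings


# Constructed header sets (assumed offsets/sizes). SUSPICIOUS mirrors the report:
# two #Strings, two #Blob, a #Schema stream, and three 1-byte streams at one offset.
SUSPICIOUS = [
    ("#~", 0x6C, 0x200), ("#Strings", 0x26C, 0x100), ("#US", 0x36C, 0x40),
    ("#GUID", 0x3AC, 0x10), ("#Blob", 0x3BC, 0x80),
    ("#Strings", 0x2C0, 1), ("#Blob", 0x2C0, 1), ("#Schema", 0x2C0, 1),
]
CLEAN = [
    ("#~", 0x6C, 0x200), ("#Strings", 0x26C, 0x100), ("#US", 0x36C, 0x40),
    ("#GUID", 0x3AC, 0x10), ("#Blob", 0x3BC, 0x80),
]

if __name__ == "__main__":
    for label, streams in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        findings = check_stream_headers(parse_stream_headers(build_metadata_root(streams)))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Which of two same-named streams a given .NET runtime or decompiler honours is implementation-defined, so a file like this may behave differently under analysis than under execution; flagging the duplicates up front tells the analyst to verify the tool's choice rather than trust it.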

The ModuleRef table references 727 DLL files whose names are pairs of dictionary words, with the exception of kernel32. The file is obfuscated with .NET Reactor 6 using virtualization, which required a custom disassembler.

[Image] Moduleref (Source – G Data Defense)

The loader connects to 176.113.115.227:56385 and injects the RisePro 1.6 stealer into AppLaunch.exe or RegAsm.exe. RisePro now uses custom XOR string decryption instead of the xorstr library.

Multiple hardcoded decryption functions, one per string length, replace the vectorized xorstr scheme.

Researchers used a Python script to decrypt RisePro’s network traffic on TCP port 50500, which is still in use. The config packet revealed the grabber components, a Telegram bot API token, and the message template.

[Image] Telegram channel with exfiltrated data archives (Source – G Data Defense)

The Base64-encoded packet contained zipped data from the analysis machine. Over 700 zipped data archives were exfiltrated to two Telegram channels. The channel names and C2 IPs suggest Russia-based operations.
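The traits described in this section (the C2 endpoint, the TCP 50500 port, and ZIP archives wrapped in Base64 on the wire) are straightforward to turn into a triage rule. The script below is an added example, not part of the report or G Data's tooling: it runs such a rule over constructed connection records and flags matches on the known C2, on the RisePro port, and on payloads that decode to a ZIP archive (PK header). The record format and the sample records are assumptions made for the demonstration; the IP, port and C2 port come from the text above.

```python
import base64
import io
import zipfile

# Indicators from the report: the C2 endpoint and RisePro's TCP port.
KNOWN_C2 = {("176.113.115.227", 56385)}
RISEPRO_PORT = 50500
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def decode_base64(text):
    """Strict Base64 decode; returns None when text is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def looks_like_zip(blob):
    return blob[:4] in ZIP_MAGICS


def triage(records):
    """Flag records showing RisePro-style exfiltration traits.

    Each record is a dict with ts, dst_ip, dst_port and an optional Base64
    payload (the first few hundred bytes of sent data are enough for the check).
    """
    alerts = []
    for rec in records:
        reasons = []
        if (rec["dst_ip"], rec["dst_port"]) in KNOWN_C2:
            reasons.append("known RisePro C2 endpoint")
        elif rec["dst_port"] == RISEPRO_PORT:
            reasons.append("connection to RisePro C2 port 50500")
        raw = decode_base64(rec["payload"]) if rec.get("payload") else None
        if raw is not None and looks_like_zip(raw):
            reasons.append("base64-wrapped ZIP archive in outbound payload")
        if reasons:
            alerts.append({"ts": rec["ts"],
                           "dst": f"{rec['dst_ip']}:{rec['dst_port']}",
                           "reasons": reasons})
    return alerts


def _zip_bytes(files):
    """Build a small in-memory ZIP archive from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample records (not real traffic): a hit on the reported C2 carrying
# a zipped payload, a benign HTTPS upload, and a port-50500 connection with no
# captured payload.
SAMPLE_RECORDS = [
    {"ts": "2025-08-27T10:01:02Z", "dst_ip": "176.113.115.227", "dst_port": 56385,
     "payload": base64.b64encode(_zip_bytes({"system_info.txt": b"constructed sample"})).decode()},
    {"ts": "2025-08-27T10:02:15Z", "dst_ip": "10.0.0.5", "dst_port": 443,
     "payload": base64.b64encode(b'{"status":"ok"}').decode()},
    {"ts": "2025-08-27T10:03:40Z", "dst_ip": "203.0.113.7", "dst_port": 50500},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert["ts"], alert["dst"], "->", "; ".join(alert["reasons"]))
```

The port and endpoint checks are brittle on their own (both change between campaigns), so the payload check is the one worth keeping: an outbound Base64 body that decodes to a ZIP archive towards an unclassified host is a durable signal regardless of which stealer produced it.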

Gitgub Campaign Repositories

The following repositories belong to the Gitgub campaign:

  • andreastanaj/AVAST

  • andreastanaj/Sound-Booster

  • aymenkort1990/fabfilter

  • BenWebsite/-IObit-Smart-Defrag-Crack

  • Faharnaqvi/VueScan-Crack

  • javisolis123/Voicemod

  • lolusuary/AOMEI-Backupper

  • lolusuary/Daemon-Tools

  • lolusuary/EaseUS-Partition-Master

  • lolusuary/SOOTHE-2

  • mostofakamaljoy/ccleaner

  • rik0v/ManyCam

  • Roccinhu/Tenorshare-Reiboot

  • Roccinhu/Tenorshare-iCareFone

  • True-Oblivion/AOMEI-Partition-Assistant

  • vaibhavshiledar/droidkit

  • vaibhavshiledar/TOON-BOOM-HARMONY

IoCs

[Image] IoCs (Source – G Data Defense)

Source: CybersecurityNews.com
