An attacker, disguised as a job seeker, distributing malware on GitHub
Threat Intelligence
EnkiWhiteHat
2025. 6. 4.
Executive Summary
We found and analyzed two repositories on GitHub that contained the same malicious code.
The attacker used several techniques to make the repositories look legitimate, such as cloning real projects and hiding malicious code behind long runs of whitespace so that it sits far off-screen in an editor.
The final backdoor runs as multiple cooperating threads and uses IOCP (I/O Completion Ports) to communicate with its C&C server.
By investigating the attacker's repositories, we traced how their attack methods changed over time and found that the attacker posed as a full-stack and blockchain developer looking for work.
The attacker is not only inserting malicious code into repositories but is also preparing to distribute malware under the guise of a legitimate hiring process, having set up a phishing site for that purpose.
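One defensive check for the whitespace-hiding technique summarised above is to flag source lines where visible code is followed by a long run of spaces or tabs and then more code. This is an added example, not tooling from the report; the gap threshold, the file extensions and the constructed sample are assumptions.

```python
import os
import re

# Heuristic scanner for source lines that park code far to the right behind a
# long run of whitespace. Added example, not the report's own tooling; the gap
# threshold and the file extensions below are assumed values.

MIN_GAP = 40                                   # assumed: spaces/tabs before the hidden tail
SOURCE_EXTS = (".js", ".ts", ".py", ".json")   # assumed: file types worth scanning


def find_hidden_tails(text, min_gap=MIN_GAP):
    """Return (line_number, column, hidden_code) for each line whose visible
    content is followed by at least `min_gap` spaces/tabs and then more code.
    Leading indentation never matches: a non-space char must precede the run."""
    pattern = re.compile(r"\S[ \t]{%d,}(\S.*)$" % min_gap)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((lineno, m.start(1), m.group(1)))
    return hits


def scan_tree(root, exts=SOURCE_EXTS, min_gap=MIN_GAP):
    """Walk a cloned repository and return {path: hits} for files with hidden tails."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_tails(fh.read(), min_gap)
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample: a clean line, then a line with code hidden 200 columns to the right.
SAMPLE = (
    "const config = require('./config');\n"
    "module.exports = { start };" + " " * 200 + "eval(payload);\n"
    "function start() {}\n"
)

if __name__ == "__main__":
    for lineno, col, code in find_hidden_tails(SAMPLE):
        print(f"line {lineno}: hidden code at column {col}: {code}")
```

Run `scan_tree` against a freshly cloned repository before opening it in an editor; a review with word-wrap enabled will also expose the same lines.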
1. Overview
GitHub is a platform used by developers to share their work or portfolios and collaborate with others. However, there have been various cases in which attackers disguised themselves as researchers, developers, or …
IoC