Full Report
Google Sites lure leads to bogus root certificate

Imagine getting asked to do something by a person in authority. An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.…
Analysis Summary
# Tool/Technique: Linux Foundation Impersonation & Bogus Root Certificate
## Overview
This is a targeted social engineering campaign aimed at open-source developers within the CNCF and TODO projects. The attacker impersonates a high-ranking Linux Foundation official on Slack to lure victims to a Google Sites phishing page. The campaign aims to steal credentials and achieve full system compromise by tricking users into installing a malicious root certificate and executing an OS-specific binary.
## Technical Details
- **Type**: Social Engineering / Credential Phishing / Malware (Root Certificate & Downloader)
- **Platform**: Windows, macOS
- **Capabilities**: Credential theft, Traffic Interception (MitM), Remote File Execution, System Compromise.
- **First Seen**: April 2026 (Reported)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
  - [T1566.003 - Phishing: Spearphishing via Service] (Slack)
- **[TA0005 - Defense Evasion]**
  - [T1553.004 - Subvert Trust Controls: Install Root Certificate]
  - [T1102 - Web Service] (Google Sites)
- **[TA0006 - Credential Access]**
  - [T1557 - Adversary-in-the-Middle]
  - [T1556 - Modify Authentication Process]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
## Functionality
### Core Capabilities
- **Impersonation**: Uses the identity of trusted Linux Foundation community leaders to establish rapport on Slack.
- **Credential Phishing**: Mimics a legitimate Google Workspace sign-in flow via `sites[.]google[.]com` to capture login data.
- **Encrypted Traffic Interception**: Tricks users into installing a bogus root CA, allowing the attacker to decrypt and inspect HTTPS traffic (Adversary-in-the-Middle).
### Advanced Features
- **Cross-Platform Payload Delivery**:
  - **macOS**: Downloads and executes a binary named `gapi` from a remote IP.
  - **Windows**: Prompts for a malicious certificate installation via browser trust dialogs to facilitate further compromise.
- **Living-off-the-Cloud**: Leverages reputable domains (Google Sites) to bypass reputation-based web filters.
## Indicators of Compromise
- **File Names**:
  - `gapi` (macOS binary)
- **Network Indicators**:
  - `https://sites[.]google[.]com/view/workspace-business/join` (Phishing URL)
  - `2[.]26[.]97[.]61` (C2/Download IP)
- **Behavioral Indicators**:
  - Phishing messages originating from Linux Foundation Slack workspaces.
  - Unexpected prompts to install a "Google" root certificate or download "verification" binaries.
## Associated Threat Actors
- **Unknown**: While specific attribution is not confirmed, the techniques align with high-end social engineering campaigns targeting the software supply chain (similar to recent DPRK-linked activity against maintainers).
## Detection Methods
- **Behavioral Detection**:
  - Monitoring for the installation of unauthorized Root Certificates in system stores.
  - Detecting the execution of unsigned or newly seen binaries (`gapi`) in developer environments.
  - Alerts for Slack accounts reaching out to multiple developers with external links.
- **Network Detection**:
  - Logging and inspecting connections to the identified IP `2[.]26[.]97[.]61`.
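As an added example (not part of the report, and not tooling from the Linux Foundation or Siren), the following Python script implements two of the checks above: a SHA-256 fingerprint baseline of a PEM trust-store dump, to surface a root CA that was not present before, and a scan of proxy log lines for the report's defanged indicators. It assumes the PEM dump is produced by something like `security find-certificate -a -p /Library/Keychains/System.keychain` on macOS; the certificate bodies and log lines embedded in it are constructed stand-ins, not real certificates or captured traffic.

```python
"""Added example (not from the report): two defender-side checks for this campaign.

1. Baseline audit of a PEM trust-store dump, to catch a root CA that was not
   there before (T1553.004).
2. Matching proxy log lines against the report's defanged IOCs.

Assumption: the PEM dump comes from a command such as
`security find-certificate -a -p /Library/Keychains/System.keychain` (macOS).
The certificate bodies and log lines below are constructed, not real.
"""
import base64
import hashlib
import re

# --- 1. trust-store baseline -------------------------------------------------

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER encoding (same bytes OpenSSL hashes
    for `openssl x509 -fingerprint -sha256`)."""
    return hashlib.sha256(der).hexdigest()


def find_unbaselined(bundle_text: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the dump but absent from the approved baseline."""
    current = (sha256_fingerprint(der) for der in parse_pem_bundle(bundle_text))
    return [fp for fp in current if fp not in baseline]


def _fake_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: a PEM wrapper around label bytes.
    It is NOT a parseable X.509 certificate; it only exercises the fingerprinting."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


KNOWN_ROOT = _fake_pem(b"constructed stand-in for an approved root CA, not a real cert")
ROGUE_ROOT = _fake_pem(b"constructed stand-in for the bogus 'Google' root CA from the lure")

# --- 2. IOC matching against logs -------------------------------------------


def refang(ioc: str) -> str:
    """Turn the report's defanged notation (`2[.]26[.]97[.]61`) back into a
    matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {
    "c2_ip": refang("2[.]26[.]97[.]61"),
    "phish_url": refang("https://sites[.]google[.]com/view/workspace-business/join"),
}


def match_iocs(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, ioc_name) for every log line containing an indicator.
    The IP match is bounded so 2.26.97.61 does not fire on 12.26.97.610."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(IOCS["c2_ip"]) + r"(?![\d.])")
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        if ip_re.search(line):
            hits.append((n, "c2_ip"))
        if IOCS["phish_url"] in line:
            hits.append((n, "phish_url"))
    return hits


SAMPLE_LOG = [  # constructed proxy log lines, not captured traffic
    "2026-04-14T10:02:11Z dev-mac-07 GET https://sites.google.com/view/workspace-business/join 200",
    "2026-04-14T10:03:40Z dev-mac-07 GET http://2.26.97.61/gapi 200 1048576",
    "2026-04-14T10:04:02Z dev-win-03 GET https://github.com/cncf/toc 200",
    "2026-04-14T10:05:00Z dev-win-03 GET http://12.26.97.61/static.css 200",
]

if __name__ == "__main__":
    # Baseline = fingerprints captured from a clean machine; the second cert is new.
    baseline = {sha256_fingerprint(d) for d in parse_pem_bundle(KNOWN_ROOT)}
    for fp in find_unbaselined(KNOWN_ROOT + ROGUE_ROOT, baseline):
        print(f"ALERT: root certificate not in baseline: sha256={fp}")
    for n, name in match_iocs(SAMPLE_LOG):
        print(f"ALERT: line {n} matched IOC {name}")
```

In practice the baseline set is captured once from a known-clean build image and stored with the fleet configuration; the audit then runs on a schedule and on the endpoint after any browser trust dialog is observed. The IOC matcher deliberately refangs the report's notation rather than having an analyst retype it, which is where transcription errors in IP blocklists usually come from.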
## Mitigation Strategies
- **Prevention**:
  - Implement FIDO2/WebAuthn hardware security keys to prevent credential phishing.
  - Educate developers: Legitimate Google Workspace authentication **never** requires manual root certificate installation.
- **Hardening**:
  - Restrict the ability of standard users to install system-wide Root Certificates.
  - Use Endpoint Detection and Response (EDR) to block the execution of unrecognized binaries.
- **Incident Response**:
  - Revoke active sessions and tokens immediately if a certificate was installed.
  - Rotate all credentials and SSH keys.
## Related Tools/Techniques
- **Supply Chain Attacks**: Similar to the North Korean campaign against the `axios` maintainer.
- **Siren Security Advisory**: This campaign is part of a trend of targeting developer workflows rather than code vulnerabilities.