Full Report
Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub. The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables
Analysis Summary
# Tool/Technique: GitVenom Campaign
## Overview
GitVenom refers to an ongoing cyber threat campaign that leverages fake open-source projects hosted on platforms like GitHub to distribute malware targeting gamers and cryptocurrency investors. The primary goal of the campaign is the exfiltration of sensitive data, including banking and cryptocurrency wallet information, leading to significant financial loss (reported theft of $456K in Bitcoin).
## Technical Details
- Type: Campaign/Malware Distribution Framework
- Platform: The lure projects are written in Python, JavaScript, C, C++, and C#; the operating systems affected (Windows, Linux, or macOS) depend on the payload that is delivered.
- Capabilities: Information stealing (passwords, credentials, browsing history), remote access via RATs, and cryptocurrency wallet hijacking (clipping).
- First Seen: Campaign believed to be active for at least two years, with recent reports in February 2025.
## MITRE ATT&CK Mapping
The campaign executes a multi-stage attack involving multiple distinct techniques:
| Tactic | Technique ID | Technique Name |
| :--- | :--- | :--- |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1218 | Signed Binary Proxy Execution |
| Credential Access | T1003 | OS Credential Dumping (Implied via info-stealer targeting credentials) |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1041 | Exfiltration Over C2 Channel (Telegram used here) |
| Impact | T1566.001 | Phishing: Spearphishing Attachment (The downloaded project acts as the malicious "attachment") |
*Note: Specific T-IDs for the embedded malware (AsyncRAT, Quasar RAT, Clipper) would require analyzing those specific tools, but the primary infection vector relies on Execution and Collection techniques.*
## Functionality
### Core Capabilities
- **Infection Lure:** Using fake, attractive open-source projects (e.g., Valorant crack tool, Instagram automation, Telegram bot) hosted on GitHub to entice victims.
- **Payload Retrieval:** Launching an embedded payload that retrieves further malicious components from an attacker-controlled GitHub repository.
- **Information Stealing:** Deploying a Node.js information stealer module to collect passwords, bank account details, saved credentials, cryptocurrency wallet data, and web browsing history.
- **Packaging and Exfiltration:** Compressing stolen data into a `.7z` archive and exfiltrating it primarily via Telegram.
### Advanced Features
- **Remote Control:** Downloading and deploying Remote Administration Tools (RATs) such as AsyncRAT and Quasar RAT to gain persistent, remote control over compromised hosts.
- **Cryptocurrency Theft (Clipping):** Deploying clipper malware that replaces wallet addresses copied to the victim's clipboard with adversary-controlled addresses, so that the victim's digital asset transfers are redirected to the attacker.
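To show what the clipping behaviour described above looks like from the defender's side, here is an added example, not code from Kaspersky's report or from this summary, of a detector run over a stream of clipboard-write events. It assumes an EDR agent or clipboard monitor reports each write with a timestamp and the PID of the writing process (a hypothetical `source_pid` field); the address-shape regexes, the 2-second window, the PIDs and the addresses themselves are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address-shape patterns (assumption: format checks only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address format name if text looks like a wallet address, else None."""
    value = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


@dataclass
class ClipboardEvent:
    ts: float        # seconds since the monitor started
    content: str     # new clipboard text
    source_pid: int  # PID of the process that wrote the clipboard (hypothetical field)


def detect_clipper_swaps(events: List[ClipboardEvent], user_pids=frozenset(),
                         window_s: float = 2.0) -> List[Tuple[ClipboardEvent, ClipboardEvent]]:
    """Flag consecutive writes where a wallet address is replaced by a *different*
    address of the same format within window_s by a process the user is not
    interacting with. A clipper does exactly this; a user copying two addresses
    does so from a known application and usually more slowly."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fmt_prev, fmt_cur = classify(prev.content), classify(cur.content)
        if fmt_prev is None or fmt_prev != fmt_cur:
            continue                      # not an address-for-address replacement
        if prev.content.strip() == cur.content.strip():
            continue                      # same address re-copied, harmless
        if cur.ts - prev.ts > window_s:
            continue                      # too slow to look like an automated swap
        if cur.source_pid in user_pids:
            continue                      # written by an application the user is using
        alerts.append((prev, cur))
    return alerts


def sample_events() -> List[ClipboardEvent]:
    """Constructed stream: PID 100 is the user's wallet app, PID 4242 an unknown process.
    The addresses are shape-valid placeholders, not real wallets."""
    return [
        ClipboardEvent(0.0, "bc1qexampleaddressofvictim0000000000000", 100),
        ClipboardEvent(0.3, "bc1qexampleaddressofattacker000000000000", 4242),  # the swap
        ClipboardEvent(20.0, "0x" + "1" * 40, 100),
        ClipboardEvent(20.5, "0x" + "2" * 40, 100),   # user copies a second address
        ClipboardEvent(40.0, "meeting notes", 100),
    ]


if __name__ == "__main__":
    for before, after in detect_clipper_swaps(sample_events(), user_pids={100}):
        print(f"possible clipper: pid {after.source_pid} replaced {before.content} "
              f"with {after.content} after {after.ts - before.ts:.1f}s")
```

The swap check is deliberately narrow: only an address replaced by another address of the same format, fast, from a process that is not a foreground application, is raised. The `user_pids` allowlist is what keeps a wallet application that legitimately rewrites its own copied text out of the alert stream.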
## Indicators of Compromise
*Note: The provided text does not list explicit IoCs like hashes or C2 domains, only the methods used.*
- File Hashes: [Not provided in text]
- File Names: Stolen data archived as `.7z`.
- Registry Keys: [Not provided in text]
- Network Indicators: Exfiltration observed using **Telegram** as the exfiltration channel (defanged: `telegram[.]org` or similar services).
- Behavioral Indicators: Execution of payloads retrieved from GitHub repositories; clipboard monitoring/manipulation indicative of clipper activity; unusual outbound communication to potential command channels.
## Associated Threat Actors
- Attackers behind the **GitVenom Campaign** (as named by Kaspersky researchers).
## Detection Methods
- Signature-based detection: [Likely possible once malware hashes/signatures of the embedded loaders or embedded RATs become available.]
- Behavioral detection: Monitoring for processes that open connections to Telegram endpoints and send large volumes of data, or that read or manipulate clipboard contents immediately before sending network traffic. Detecting processes that download and execute code from external GitHub repositories after a user runs seemingly benign software.
- YARA rules: [Not provided in text]
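As an added example, not from the report or this summary, the behavioural indicators and detection ideas listed above are turned into correlation logic over a stream of endpoint telemetry. The event schema (`ts`, `type`, `pid`, `host`, `bytes_sent`, `path`, `image`), the thresholds and the sample JSON lines are constructed assumptions; `api.telegram.org` is the Telegram Bot API host, and a real deployment would extend both host sets with its own resolved endpoint lists.

```python
import json
from typing import Dict, List, Tuple

# Assumed tunables; adjust to the environment.
TELEGRAM_HOSTS = {"api.telegram.org"}                 # Telegram Bot API host
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXFIL_BYTES = 1_000_000        # a single upload this large to Telegram is unusual
CLIP_TO_NET_S = 2.0            # clipboard read followed by a network send within 2 s
ARCHIVE_TO_NET_S = 60.0        # .7z created, then a Telegram upload within 60 s

# Constructed telemetry (JSON lines); PIDs, paths and sizes are placeholders.
SAMPLE_EVENTS = """
{"ts": 100.0, "type": "process_start", "pid": 3001, "image": "/home/u/src/valorant-tool/run"}
{"ts": 101.0, "type": "net_connect", "pid": 3001, "host": "raw.githubusercontent.com", "bytes_sent": 512}
{"ts": 102.0, "type": "file_create", "pid": 3001, "path": "/tmp/stage2"}
{"ts": 103.0, "type": "process_start", "pid": 3002, "image": "/tmp/stage2"}
{"ts": 110.0, "type": "file_create", "pid": 3002, "path": "/tmp/collect.7z"}
{"ts": 115.0, "type": "net_connect", "pid": 3002, "host": "api.telegram.org", "bytes_sent": 4200000}
{"ts": 200.0, "type": "clipboard_read", "pid": 3002}
{"ts": 200.4, "type": "net_connect", "pid": 3002, "host": "api.telegram.org", "bytes_sent": 300}
{"ts": 300.0, "type": "net_connect", "pid": 4100, "host": "api.telegram.org", "bytes_sent": 2048}
"""

Alert = Tuple[str, int, float]   # (rule name, pid, timestamp)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and order them by timestamp so the stateful rules see events in sequence."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    last_clip: Dict[int, float] = {}          # pid -> ts of last clipboard read
    last_archive: Dict[int, float] = {}       # pid -> ts of last .7z creation
    fetched_from_github = set()               # pids that have talked to GitHub
    downloaded_paths: Dict[str, int] = {}     # file written by a GitHub-fetching pid
    for e in events:
        pid, kind, ts = e["pid"], e["type"], e["ts"]
        if kind == "clipboard_read":
            last_clip[pid] = ts
        elif kind == "file_create":
            if e["path"].lower().endswith(".7z"):
                last_archive[pid] = ts
            if pid in fetched_from_github:
                downloaded_paths[e["path"]] = pid
        elif kind == "process_start":
            # Stage-2 payload: something fetched from GitHub is now being executed.
            if e["image"] in downloaded_paths:
                alerts.append(("github_download_then_exec", pid, ts))
        elif kind == "net_connect":
            host = e["host"]
            if host in GITHUB_HOSTS:
                fetched_from_github.add(pid)
            if host in TELEGRAM_HOSTS:
                if e.get("bytes_sent", 0) >= EXFIL_BYTES:
                    alerts.append(("telegram_large_upload", pid, ts))
                if pid in last_archive and ts - last_archive[pid] <= ARCHIVE_TO_NET_S:
                    alerts.append(("7z_then_telegram", pid, ts))
            if pid in last_clip and ts - last_clip[pid] <= CLIP_TO_NET_S:
                alerts.append(("clipboard_then_network", pid, ts))
    return alerts


if __name__ == "__main__":
    for rule, pid, ts in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{rule}] pid={pid} ts={ts}")
```

On the constructed stream, PID 3002 trips all four rules while PID 4100, which stands in for a legitimate Telegram client, trips none. Software updaters that fetch releases from GitHub and then run them will match `github_download_then_exec`, so in practice that rule is a hunting query with an image-path allowlist rather than a blocking control.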
## Mitigation Strategies
- Prevention measures: Strictly vetting third-party code, especially from open-source repositories, before execution or integration into development projects.
- Hardening recommendations: Implementing robust Endpoint Detection and Response (EDR) capable of monitoring file system changes, clipboard operations, and recognizing C2 beaconing. Restricting network access for non-essential or suspicious processes. Educating developers and gamers about the risks associated with downloading "cracks" or unofficial tools from code-sharing platforms.
## Related Tools/Techniques
- **AsyncRAT:** Remote Administration Tool.
- **Quasar RAT:** Remote Administration Tool.
- **Clipper Malware:** Specifically targets cryptocurrency transactions via clipboard hijacking.
- **Information Stealer (Node.js based):** Used for credential and data harvesting.