GitHub-based Malware Campaign Utilizes Split Payload Technique for Evasion

Malware Campaign Uses Split Payload to Evade Detection

A large-scale cyberattack campaign has been targeting developers, gamers, and general users through fake tools hosted on GitHub.

  • Researchers: Netskope
  • Date: Ongoing campaign
  • Scope: Developers, gamers, general users

Sophisticated Malware Delivery Method

The campaign involves creating highly polished and convincing lures, often mimicking real projects, to trick users into downloading and executing the malware.

“The attackers’ ultimate goal is to deliver an infostealer to the compromised users.” – Netskope Researchers

Dual-Component Trojan

The payload is a custom LuaJIT-based Trojan designed to evade detection, using a two-part structure: a legitimate runtime for executing Lua scripts, and an obfuscated, encrypted script that appears harmless when either component is analyzed on its own.

  • Functionality: Performs five anti-analysis checks and delays execution to bypass sandboxes
  • Capabilities: Captures a full screenshot of the victim’s desktop and sends it to the attackers before waiting for instructions from the command and control server
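As an added defender-side illustration (not code from the Netskope report or from the campaign itself), the following heuristic flags the two-part pattern described above: a package is only suspicious when a Lua runtime ships beside a script-like file whose byte entropy looks encrypted rather than like plain source. The runtime file names, the file extensions, the entropy threshold, and the sample package listing are all constructed assumptions for this example.

```python
import math
from collections import Counter

# Assumed names a bundled Lua/LuaJIT runtime might carry (not from the report).
RUNTIME_NAMES = {"luajit.exe", "lua51.dll", "lua5.1.exe", "luajit"}
# Assumed extensions under which an obfuscated script might be shipped.
SCRIPT_EXTS = (".lua", ".luac", ".dat", ".bin")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain Lua source sits well below 6, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_split_payload(files: dict, threshold: float = 7.0) -> list:
    """Return script-like files with entropy >= threshold, but only when a Lua
    runtime is present in the same package. Neither half alone triggers a hit,
    which mirrors why each component looks harmless when analyzed separately."""
    basenames = {path.rsplit("/", 1)[-1].lower() for path in files}
    if not basenames & RUNTIME_NAMES:
        return []
    return sorted(
        path for path, data in files.items()
        if path.lower().endswith(SCRIPT_EXTS) and shannon_entropy(data) >= threshold
    )


# Constructed sample package: a stand-in runtime, a plain Lua file and an
# "encrypted" blob (uniform byte distribution, entropy 8.0).
SAMPLE_PACKAGE = {
    "tool/luajit.exe": b"MZ" + bytes(64),
    "tool/config.lua": b"local x = 1\nprint('hello world')\n" * 20,
    "tool/payload.dat": bytes(range(256)) * 8,
}

if __name__ == "__main__":
    for path in flag_split_payload(SAMPLE_PACKAGE):
        print(f"split-payload candidate: {path}")
```

The same blob without the runtime beside it is not flagged, so review the whole package, not individual files.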

Campaign Details

The attackers have distributed over 300 malicious packages disguised as AI developer tools, game cheats, crypto bots, Roblox scripts, and VPN crackers.

“This campaign represents a purpose-built gap in the automated analysis pipeline, where the payload sleeps for 29,000 years if a sandbox starts timing, and the lure factory rotates audiences while the infrastructure remains constant.” – Netskope Researchers

Ongoing Threat

The malware has been spotted in multiple fake tools, including a phone number location tracking tool and a tool for unlocking an advanced experience in the online game Fishing Planet. These tools remain available on GitHub, indicating that the campaign is ongoing.

Netskope researchers emphasize the need for vigilance and caution when interacting with unfamiliar tools and repositories on GitHub.