A new phishing strategy uses comments on GitHub to spread malware.
Regular security audits and up-to-date email filtering rules help against this threat; in particular, a filter that treats every github.com link as trustworthy is exactly what this campaign relies on.
A newly detected phishing campaign shows cybercriminals using an unusual approach: leveraging trusted GitHub repositories for malware delivery. The attack exploits the fact that many organizations, and their security tools, treat GitHub as a trusted developer platform, which lets the malicious links pass protections that would block an unknown domain.
Instead of creating their own malicious repositories, the attackers hosted their malware under the GitHub paths of legitimate, unrelated open-source repositories whose names evoke tax software and tax authorities, such as UsTaxes, HMRC, and Inland Revenue. Because the links point at a reputable domain and at real repositories, the URL reputation checks of Secure Email Gateways (SEGs) are far less likely to flag them, which complicates defense for the victims. The campaign also capitalized on the urgency of the U.S. tax filing season, landing just after the April deadline.
The emails in this campaign contained links to compressed archives hosted on GitHub. Unlike typical phishing emails that carry suspicious links or attachments, these appeared legitimate because the domain and the repositories referenced were genuine and recognized. The archives were also password-protected, which does double duty: it makes the download look like a deliberate, controlled handoff, and it prevents automated scanners from inspecting the contents.
Once the recipient extracted the archive with the supplied password and ran its contents, the Remcos remote access trojan was installed on the system, giving the attackers full control of the infected device. The key element of the campaign was the use of GitHub comments as the upload channel. Developers normally use comments on issues and pull requests to discuss a repository, but attaching a file to a comment makes GitHub host that file at a URL under the repository's own path on github.com. A link to such a file therefore looks like a link to the repository's content, even though the file was never committed to the repository and never passed through the maintainers' review, and the comment does not even have to be posted for the upload to persist.
Even if the original comment containing the malicious link was deleted, the file remained downloadable from that repository-scoped URL, because comment attachments are stored by GitHub independently of the repository's contents and commit history; they do not appear in the repository's directory tree at all. The technique itself was not new: it had previously been used to distribute the Redline Stealer malware through URLs under Microsoft-owned repositories. The current campaign marks a notable expansion of GitHub comments as a malware distribution vector.
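One way a mail gateway could separate these comment-attachment links from genuine repository content is shown below. This is an added example written for this page, not code from the original article or from any vendor's product. It assumes GitHub's comment-attachment URL layouts (the repository-scoped `/<owner>/<repo>/files/<id>/<name>` form and the newer `/user-attachments/files/<id>/<name>` form), and the owner, repository name, file ids and file names in the sample messages are constructed.

```python
"""Distinguish GitHub comment attachments from repository content in email links.

Added example, not from the original article or any vendor tooling. A gateway
rule that simply trusts github.com lets comment attachments through, because
those files are served from a URL that carries the repository's owner/name even
though they are not part of the repository. The URL layouts below (the older
/<owner>/<repo>/files/<id>/<name> form and the newer
/user-attachments/files/<id>/<name> form) are this example's assumption about
GitHub's hosting paths and should be maintained against GitHub's current behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar.gz", ".tgz", ".iso", ".img")

# Files attached to issue/PR comments (assumed layouts, see module docstring).
_ATTACH_REPO_SCOPED = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$")
_ATTACH_GLOBAL = re.compile(r"^/user-attachments/files/(?P<id>\d+)/(?P<name>[^/]+)$")
# Paths that do resolve to tracked repository content or release assets.
_REPO_CONTENT = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/(blob|raw|tree|archive|releases/download)/")
_URL = re.compile(r"https?://[^\s<>\"'()\[\]]+")


@dataclass
class Verdict:
    url: str
    kind: str                  # comment_attachment | repo_content | other_github | not_github
    owner: str | None = None
    repo: str | None = None
    filename: str | None = None

    @property
    def is_archive(self) -> bool:
        return bool(self.filename) and self.filename.lower().endswith(ARCHIVE_EXTS)


def classify(url: str) -> Verdict:
    """Say whether a link points at repository content or at a comment attachment."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == "raw.githubusercontent.com":
        return Verdict(url, "repo_content")
    if host not in ("github.com", "www.github.com"):
        return Verdict(url, "not_github")
    for pattern in (_ATTACH_REPO_SCOPED, _ATTACH_GLOBAL):
        m = pattern.match(parsed.path)
        if m:
            groups = m.groupdict()
            return Verdict(url, "comment_attachment", groups.get("owner"),
                           groups.get("repo"), groups["name"])
    m = _REPO_CONTENT.match(parsed.path)
    if m:
        return Verdict(url, "repo_content", m["owner"], m["repo"],
                       parsed.path.rsplit("/", 1)[-1])
    return Verdict(url, "other_github")


def triage(body: str) -> dict:
    """Gateway decision for one message body: hold it when it delivers an archive
    through a comment-attachment URL. The password hint is recorded separately
    because the campaign shipped the archive password in the same email."""
    verdicts = [classify(u.rstrip(".,;")) for u in _URL.findall(body)]
    hits = [v for v in verdicts if v.kind == "comment_attachment" and v.is_archive]
    password_hint = re.search(r"\bpassword\b", body, re.IGNORECASE) is not None
    return {
        "verdicts": verdicts,
        "hold": bool(hits),
        "password_hint": password_hint,
        "reasons": [f"archive via comment attachment under {v.owner}/{v.repo}: {v.filename}"
                    if v.owner else f"archive via comment attachment: {v.filename}"
                    for v in hits],
    }


# Constructed sample messages (owner, repository, ids and file names are made up).
SAMPLE_EMAILS = {
    "lure": ("Your amended 2023 return is ready. Download the packet here:\n"
             "https://github.com/example-org/UsTaxesFork/files/12345678/Tax_Return_2023.zip\n"
             "Password: TAX2024"),
    "release": ("Changelog and download: "
                "https://github.com/example-org/UsTaxesFork/releases/download/v1.0.0/UsTaxesFork.zip."),
    "source": "Fix is in https://raw.githubusercontent.com/example-org/UsTaxesFork/main/README.md",
}

if __name__ == "__main__":
    for label, body in SAMPLE_EMAILS.items():
        result = triage(body)
        print(f"{label}: hold={result['hold']} password_hint={result['password_hint']}")
        for v in result["verdicts"]:
            print(f"  {v.kind:19} {v.url}")
```

The point of the split is that a github.com allowlist is too coarse: only `/blob/`, `/raw/`, `/releases/download/` and similar paths (or raw.githubusercontent.com) correspond to content the repository's maintainers actually committed or published, whereas a `/files/<id>/` attachment was uploaded by whoever typed a comment. Holding archive downloads from the latter, especially when the same email supplies a password, blocks this campaign's lure without blocking legitimate links to the same repositories.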
The campaign focused primarily on the finance and insurance sectors, which handle large volumes of sensitive financial data and are especially exposed during tax season. The attackers appear to have started with a smaller test campaign against these sectors. Compared with earlier phishing waves that relied on techniques such as QR codes, this was a narrower, more targeted operation, suggesting the operators were trialing the GitHub-based method before scaling it up.
Phishing campaigns remain one of the most persistent and effective tactics used by cybercriminals to access sensitive information. These attacks often involve deceptive emails or messages that trick users into clicking on malicious links, downloading harmful files, or revealing personal information.
Over time, phishing techniques have evolved, becoming more sophisticated and difficult to detect. Cybercriminals now exploit trusted platforms, disguise their malicious intentions behind seemingly legitimate messages, and employ advanced social engineering techniques.