A newly identified threat actor, known as Water Curse, has launched a sophisticated supply chain attack targeting information security professionals, developers, red teamers, game developers, and DevOps teams. The campaign leverages weaponized GitHub repositories—at least 76 compromised accounts—to distribute advanced, multistage malware through seemingly legitimate open-source projects.
Delivery Vector
Water Curse exploits the inherent trust in open-source platforms like GitHub by publishing repositories that pose as legitimate security tools, game cheats, or developer utilities. Malicious payloads are embedded within build scripts and project configuration files, especially in Visual Studio projects.
Infection Chain
1. Initial Access: Victims download ZIP archives from GitHub’s standard codeload.github.com endpoint, believing them to be authentic tools.
2. Trigger: During compilation, hidden code in the <PreBuildEvent> tag executes a batch file, which launches a Visual Basic Script (VBS).
3. Second Stage: The VBS script runs an obfuscated PowerShell loader, which downloads and decrypts further payloads, typically password-protected archives.
4. Payload Deployment: Extracted files (such as SearchFilter.exe) are Electron-based binaries engineered for persistence, privilege escalation, and stealth. These binaries perform system reconnaissance, anti-debugging, and UAC bypass routines.
5. Post-Infection: The malware disables security features (e.g., Windows Defender), collects credentials, browser data, and session tokens, and exfiltrates data via channels like Telegram and public file hosts.
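The trigger stage above relies on build-event hooks in Visual Studio project files, so a defender can review cloned repositories before building them. The following scanner is an added example, not code from the report or from the campaign; it parses MSBuild XML, flags PreBuildEvent/PostBuildEvent/Exec hooks that invoke a script interpreter or script file, and runs against a constructed sample project (the names setup.bat and helper.vbs are made up).

```python
import re
import sys
import xml.etree.ElementTree as ET

# Interpreters, LOLBins and script extensions whose appearance in a build hook
# warrants manual review (MSBuild runs these with the builder's privileges).
SUSPICIOUS = re.compile(
    r"(\bcmd(\.exe)?\b|wscript|cscript|powershell|pwsh|mshta|rundll32|"
    r"certutil|bitsadmin|\.bat\b|\.cmd\b|\.vbs\b|\.ps1\b|\.js\b)",
    re.IGNORECASE,
)
# Elements that execute shell commands during a build. .csproj puts the command in
# the event element's text; .vcxproj nests a <Command> child; Exec uses an attribute.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command", "Exec"}

def scan_project(xml_text):
    """Return (element name, command) pairs for suspicious build hooks."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]   # drop the MSBuild XML namespace
        if name not in HOOK_TAGS:
            continue
        command = (elem.get("Command") or elem.text or "").strip()
        if command and SUSPICIOUS.search(command):
            findings.append((name, command))
    return findings

# Constructed sample: a project whose pre-build event launches a batch file and
# whose custom target runs a VBS, mirroring the trigger stage described above.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>cmd /c start /min "" "$(ProjectDir)res\\setup.bat"</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="wscript //B &quot;$(ProjectDir)helper.vbs&quot;" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    # Scan project files given on the command line, or the built-in sample.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_CSPROJ]
    for src in sources:
        for tag, cmd in scan_project(src):
            print(f"[!] {tag}: {cmd}")
```

The benign PostBuildEvent (a plain copy) is not flagged, while the cmd-launched batch file and the wscript call are; a hit is a prompt to read the referenced script, not proof of compromise.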
Technical Sophistication
Water Curse uses a diverse toolkit: PowerShell, JavaScript, C#, VBS, and compiled binaries. It employs advanced anti-debugging, privilege escalation, and persistence mechanisms (e.g., scheduled tasks disguised as system processes like “BitLocker Encrypt All Drives”). The infection chain is highly obfuscated, making detection and analysis difficult for traditional security tools. The campaign is financially motivated, aiming for credential theft, session hijacking, and the resale of illicit access.