Russia-based Banana Squad is hiding data-stealing malware in fake GitHub Python-based hacking tools.

Banana Squad, a threat actor group, has been running a sophisticated malware campaign by hiding data-stealing malware in fake GitHub repositories. These repositories were designed to look like legitimate Python-based hacking tools, tricking developers and users into downloading and running malicious code.

Key Tactics and Techniques

  • Fake Repositories: Over 60 GitHub repositories were created, each mimicking the names and appearance of real open-source projects. These fake repos typically hosted only one project per account, a red flag for malicious intent.
  • Stealthy Code Hiding: The malicious Python files exploited a GitHub UI quirk: the backdoor code was placed at the end of very long lines, padded with excessive spaces. Because GitHub's code view does not wrap long lines, the harmful payload sat far to the right of the visible screen, making it nearly invisible during casual code review.
  • Obfuscation: The malware was further concealed using multiple layers of encoding and encryption, including Base64, Hex, and Fernet encryption, to hide the true intent and make detection harder.
  • Dynamic Content: “About” sections in the fake repos often included theme-related keywords, emojis, and unique strings to appear authentic and bypass simple automated checks.
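The two hiding techniques above (code pushed off screen behind a long run of whitespace, and payloads wrapped in Base64/Hex/Fernet layers that are decoded and executed at runtime) are both detectable with simple static heuristics. The following Python scanner is an added example written for this summary; it is not code from the report or from any of the repositories it describes. The thresholds, the regex patterns and the embedded sample source are constructed assumptions and should be tuned for a real code base.

```python
"""Heuristic scanner for off-screen code and decode-then-execute chains in Python source."""
import re
from dataclasses import dataclass
from typing import List

# Assumed thresholds: a gap of this many spaces/tabs inside one line, or a line
# longer than this, rarely occurs in hand-written Python.
MIN_GAP = 100
MIN_LINE_LENGTH = 400

# Calls commonly chained when a hidden payload is unwrapped before being executed.
DECODE_PATTERNS = (
    r"base64\.b64decode", r"bytes\.fromhex", r"binascii\.unhexlify",
    r"\bFernet\(", r"\.decrypt\(",
)
EXEC_PATTERNS = (r"\bexec\(", r"\beval\(", r"__import__\(")


@dataclass
class Finding:
    line_no: int
    reason: str
    snippet: str  # first characters of the suspicious code, for triage


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per suspicious pattern, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # 1. Non-whitespace, a long run of spaces/tabs, then more code: the
        #    second part is rendered far off screen by a non-wrapping viewer.
        gap = re.search(r"\S([ \t]{%d,})\S" % MIN_GAP, line)
        if gap:
            hidden = line[gap.end() - 1:].strip()
            findings.append(Finding(
                line_no, f"{len(gap.group(1))}-char whitespace gap hides code", hidden[:60]))
        elif len(line) > MIN_LINE_LENGTH:
            findings.append(Finding(line_no, "unusually long line", line.strip()[:60]))

        # 2. A decode/decrypt call and an execution primitive on the same line.
        has_decode = any(re.search(p, line) for p in DECODE_PATTERNS)
        has_exec = any(re.search(p, line) for p in EXEC_PATTERNS)
        if has_decode and has_exec:
            findings.append(Finding(line_no, "decode-then-execute chain", line.strip()[:60]))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample source: a harmless-looking script with a padded line whose
# tail decodes Base64 ("import os") and exec()s it, plus a Fernet decrypt+exec line.
SAMPLE_SOURCE = (
    "import os, sys\n"
    "def banner():\n"
    "    print('Tool starting')" + " " * 300
    + ";import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\n"
    "banner()\n"
    "exec(Fernet(KEY).decrypt(BLOB))\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.reason}: {f.snippet!r}")
```

Run against the constructed sample, the scanner reports line 3 twice (the 300-space gap and the Base64 decode feeding `exec`) and line 5 once (Fernet decrypt feeding `exec`). Pre-commit hooks or a CI step that runs `scan_file` over every `.py` in a freshly cloned "tool" repository is a cheap way to surface this class of trick before anything is executed.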

Malware Capabilities and Targets

  • Data Theft: The malware was designed to steal a wide range of sensitive data from infected systems, including:
    • Browser data (such as saved passwords and session cookies)
    • Application data
    • System information
    • Cryptocurrency wallet credentials, enabling theft and redirection of funds
  • Windows Focus: The payloads primarily targeted Windows systems, consistent with earlier Banana Squad campaigns that had already resulted in nearly 75,000 downloads before takedown.

Infrastructure and Attribution

The campaign used domains such as bananasquad.ru, dieserbenni.ru, and 1312services.ru to host payloads and receive stolen data. These domains have been consistently linked to Banana Squad’s operations since their discovery in 2023. The group was first identified by Checkmarx in October 2023 and has since shifted from mass-uploading malicious packages to more targeted, covert attacks on platforms like GitHub.

Impact and Response

All 67 identified malicious repositories have been reported to and removed by GitHub, but the total number of victims remains unknown, given how visible the repositories were and the hundreds of trojanized files they contained.

Indicators of Compromise

Type    Indicator                                  Description
Domain  bananasquad[.]ru                           Initial malicious domain
Domain  dieserbenni[.]ru                           Main domain for current campaign payloads
Domain  1312services[.]ru                          Newly detected domain as of June 2025
URL     hxxps://dieserbenni[.]ru/paste?repo=…      Payload delivery URL pattern
File    SHA256: eb6c431ecf7e04d8…                  Example malicious file hash