Banana Squad - SparTech Software

Banana Squad is a cybercriminal group known for distributing malware by disguising malicious code within fake GitHub repositories that appear to be legitimate hacking tools, primarily written in Python. The group was first identified by Checkmarx researchers in October 2023 and has been active since at least April 2023.

Their attack method involves creating numerous fake project folders (repositories) on GitHub, each often under a unique username, with the sole purpose of distributing malware. These repositories are designed to mimic real hacking tools but are actually “trojanized”—meaning they contain hidden malicious code intended to steal sensitive data. This data includes information from computers, applications, web browsers, and even cryptocurrency wallets by redirecting funds.

Banana Squad’s campaigns have resulted in the distribution of hundreds of malicious software packages, which were downloaded nearly 75,000 times before being discovered and removed. The group uses various tactics to evade detection, such as leveraging GitHub features like long lines of code that do not wrap, making malicious scripts harder to spot.

Their primary targets include developers, red teams, and novice cybercriminals—groups likely to seek out open-source hacking tools. The group’s activity reflects a broader trend of supply chain compromise, where attackers exploit trusted platforms and tools to distribute malware.

Banana Squad’s name is derived from an early malicious internet address, bananasquadru. Their campaigns are notable for their stealth and the scale of their operations, with over 60 fake repositories identified in recent investigations

Russia-based Banana Squad is hiding data-stealing malware in fake GitHub Python-based hacking tools.
Banana Squad, a threat actor group, has been running a sophisticated malware campaign by hiding data-stealing malware in fake GitHub repositories. These repositories were designed to look like legitimate Python-based hacking tools, tricking developers and users into downloading and running malicious code.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related