VulnHub

Real-time Cybersecurity News

GitHub Used as Covert Channel in Multi-Stage Malware Campaign

Infosecurity Magazine
Actively Exploited
Malware

Overview

A new security report reveals that GitHub is being exploited by cybercriminals as a covert channel for a multi-stage malware campaign. The attackers are using LNK files to communicate with command and control (C2) servers hosted on GitHub, which allows them to embed decoders and utilize PowerShell for maintaining persistence on infected systems. This approach enables the malware to exfiltrate sensitive data effectively. Organizations and users who may be affected include those who frequently download files from GitHub or run scripts without proper security measures in place. The use of a legitimate platform like GitHub complicates detection and highlights the need for enhanced vigilance in cybersecurity practices.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: GitHub, Windows systems, PowerShell
  • Action Required: Users should avoid downloading untrusted LNK files and ensure that their antivirus software is up to date.
  • Timeline: Newly disclosed

Original Article Summary

LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration

Impact

GitHub, Windows systems, PowerShell

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Users should avoid downloading untrusted LNK files and ensure that their antivirus software is up to date. Implementing strict security policies regarding script execution and monitoring network traffic for unusual activities may also help mitigate risks.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Malware.

Read Original Article

Related Coverage

Thousands of API credentials exposed on public websites

SCM feed for Latest

A recent study conducted by researchers from Stanford University, the University of California, Davis, and TU Delft revealed that thousands of API credentials have been exposed on public websites. Using a tool called TruffleHog, the researchers scanned various sites and discovered sensitive information that could be exploited by malicious actors. This exposure poses significant risks as attackers could gain unauthorized access to systems and data. The findings underscore the need for companies to implement better security practices, such as using environment variables and secure storage solutions for API keys. The research serves as a warning for developers and organizations to regularly audit their code and remove any sensitive information from public repositories.

Apr 2, 2026

CrystalRAT malware-as-a-service offers remote access and prankware features

SCM feed for Latest

CrystalRAT is a new type of malware that has emerged in 2023, functioning as a malware-as-a-service platform. It operates on a subscription model, allowing users to access its capabilities, which include remote access to infected systems and features designed for pranks. Researchers from Kaspersky have noted that CrystalRAT bears a strong resemblance to an earlier malware called WebRAT. This is concerning as it lowers the barrier for entry for cybercriminals, enabling even those with limited technical skills to launch attacks. The rise of such services poses a growing threat to individuals and organizations, as they can be exploited for a variety of malicious purposes including data theft and system manipulation.

Apr 2, 2026

Hasbro hit by cyberattack, investigates possible data breach

Security Affairs

Hasbro, the well-known toy manufacturer, reported a cyberattack on Wednesday that has disrupted some of its operations. The company is currently investigating the incident to determine the extent of the attack and whether any sensitive data has been compromised. This situation raises concerns not only for Hasbro and its employees but also for customers who may be affected if personal information is involved. The investigation is ongoing, and Hasbro is working to restore its normal operations as quickly as possible. This incident serves as a reminder of the vulnerabilities that organizations face in the digital landscape.

Apr 2, 2026

Phishing campaign delivers Casbaneiro and Horabot banking trojans

SCM feed for Latest

A Brazilian cybercrime group known as Augmented Marauder and Water Saci has launched a phishing campaign that spreads two banking trojans: Casbaneiro and Horabot. The attackers use a mix of WhatsApp, ClickFix techniques, and email phishing to deliver these malicious programs. The campaign primarily targets individuals and organizations, aiming to steal sensitive banking information. This is particularly concerning as it showcases the evolving tactics employed by cybercriminals to exploit users through familiar communication channels. Users should be cautious about unsolicited messages and verify the authenticity of links before clicking.

Apr 2, 2026

Ransomware attackers increasingly exploit legitimate IT tools, bypassing antivirus

SCM feed for Latest

Recent reports indicate that ransomware attackers are increasingly using legitimate IT tools, such as Process Hacker and IOBit Unlocker, to bypass traditional antivirus software. These tools have deep access to operating system functions, allowing attackers to execute malicious activities without raising alarms. This trend poses significant risks to organizations, as it makes it harder for security systems to detect and prevent these kinds of attacks. Companies must reassess their security measures to account for the misuse of legitimate software, which could compromise sensitive data and disrupt operations. As attackers continue to evolve their tactics, it’s crucial for users and companies to stay vigilant and update their defenses accordingly.

Apr 2, 2026

WhatsApp warns of spyware in fake iPhone app

SCM feed for Latest

WhatsApp has raised concerns about a fake iPhone app developed by the Italian spyware company SIO. This app is designed to impersonate the legitimate WhatsApp service, potentially tricking users into downloading malicious software. If users unknowingly install this app, their personal information and communications could be at risk. This situation highlights the ongoing threat of spyware and the importance of downloading applications only from trusted sources. Users are encouraged to verify app authenticity before installation to protect their data from potential exploitation.

Apr 2, 2026