Water Curse Hacker Group Uses 76 GitHub Accounts to Spread Multistage Malware
A newly identified threat actor known as Water Curse has been linked to a sprawling campaign utilizing at least 76 GitHub accounts to distribute weaponized repositories packed with multistage malware.
This financially motivated group leverages the inherent trust in open-source platforms to target a diverse range of victims, including cybersecurity professionals, red teamers, penetration testers, game developers, and DevOps personnel.
Their sophisticated attack methodology poses a significant supply chain risk, embedding malicious payloads within seemingly legitimate tools and scripts hosted on GitHub, a platform widely relied upon by technical communities globally.
Sophisticated Supply Chain Attack
The Water Curse campaign, first detected in May 2025 but with traces dating back to March 2023, employs a complex infection chain that begins with the download of trojanized open-source project files via GitHub’s repository archiving service.
Tools masquerading as penetration testing utilities, such as an SMTP email bomber and Sakura-RAT, conceal malicious code within Visual Studio project configurations.
Upon execution during compilation, these payloads trigger a series of obfuscated scripts in Visual Basic Script (VBS) and PowerShell, initiating a multistage attack.

The malware downloads encrypted archives, extracts Electron-based applications like SearchFilter.exe, and conducts extensive system reconnaissance while employing anti-debugging measures, privilege escalation via UAC bypass, and persistence mechanisms through scheduled tasks and registry modifications.
This intricate process ensures long-term access to infected systems, enabling data exfiltration of sensitive information such as browser credentials, session tokens from platforms like GitHub and ChatGPT, and system profiling data.
Multistage Infection Chain
Water Curse’s technical prowess is evident in their use of diverse programming languages and tools, including PowerShell, JavaScript, C#, and compiled binaries, showcasing high adaptability and cross-functional development capabilities.

According to Trend Micro's report, their tactics include disabling Windows Defender, deleting shadow copies to impair system recovery, and using legitimate services like Telegram and Gofile for command-and-control (C&C) communication and data exfiltration.
The group’s repositories extend beyond cybersecurity tools to include game cheats, crypto wallet utilities, and credential stealers, reflecting a hybrid strategy of supply chain compromise and opportunistic exploitation.
This broad targeting, combined with stealthy automation and scalable infrastructure, suggests a loosely organized or service-driven cybercrime model aimed at credential theft, session hijacking, and illicit access resale.
The implications of this campaign are profound, highlighting the growing trend of developer-oriented information stealers that blur the lines between legitimate red team tools and active malware.
Organizations are urged to audit open-source tools rigorously, validate build scripts, and scrutinize repository histories before integration.
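The campaign described above hides its first stage in Visual Studio project configurations so that it runs during compilation, and the recommendation here is to validate build scripts before integrating an open-source project. The following is an added example of such a check, not code from the report or from any tool it names: it parses MSBuild project files (.csproj/.vcxproj) and flags pre/post-build events and Exec tasks that invoke script interpreters, download utilities or persistence tooling. The sample project content, the token list and the function names are constructed for illustration.

```python
"""Flag MSBuild build events that launch script interpreters or other tools a
normal build step rarely needs. Added example for reviewing a downloaded
project before building it; the sample project below is constructed."""
import re
import sys
import xml.etree.ElementTree as ET

# Tokens that should prompt manual review when found in a build command.
# The list is an assumption for this example, not an exhaustive indicator set.
SUSPICIOUS_TOKENS = [
    r"\bpowershell(\.exe)?\b", r"\bpwsh\b", r"\bwscript\b", r"\bcscript\b",
    r"\bmshta\b", r"\bcertutil\b", r"\bbitsadmin\b", r"\bcurl\b", r"\bwget\b",
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"\bIEX\b",
    r"\bInvoke-Expression\b", r"DownloadString|DownloadFile", r"\bschtasks\b",
    r"\breg(\.exe)?\s+add\b", r"\bvssadmin\b",
]
PATTERN = re.compile("|".join(SUSPICIOUS_TOKENS), re.IGNORECASE)

# Elements whose text MSBuild hands to cmd.exe: old-style .csproj events and
# the <Command> child used inside .vcxproj event groups.
EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}


def local_name(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return a list of (element name, matched tokens, command excerpt)
    for every build command that contains a suspicious token."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = local_name(el.tag)
        commands = []
        if name in EVENT_ELEMENTS and el.text and el.text.strip():
            commands.append(el.text.strip())
        if name == "Exec" and el.get("Command"):  # <Exec Command="..."/> task
            commands.append(el.get("Command"))
        for cmd in commands:
            hits = sorted({m.group(0).lower() for m in PATTERN.finditer(cmd)})
            if hits:
                findings.append((name, hits, cmd[:120]))
    return findings


# Constructed sample: one benign pre-build echo, one post-build event that
# chains a VBS script into a hidden, encoded PowerShell command, and an
# AfterBuild target that registers a scheduled task. Placeholder payload.
SAMPLE_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>echo building $(ProjectName)</PreBuildEvent>
    <PostBuildEvent>cscript //nologo "$(ProjectDir)setup.vbs" &amp;&amp; powershell -w hidden -enc PLACEHOLDER_BASE64</PostBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="copy $(TargetPath) $(OutDir)tool.exe" />
    <Exec Command="schtasks /create /tn Updater /tr $(OutDir)tool.exe" />
  </Target>
</Project>"""


def scan_files(paths):
    """Scan project files given on the command line; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = scan_project(fh.read())
    return results


if __name__ == "__main__":
    targets = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_project(SAMPLE_PROJECT)}
    for path, findings in targets.items():
        for element, hits, excerpt in findings:
            print(f"{path}: <{element}> matched {hits}: {excerpt}")
```

Run with no arguments to see the constructed sample flagged, or pass one or more .csproj/.vcxproj paths to review a checked-out repository. A hit is a reason to read the build step, not proof of malice: legitimate projects occasionally shell out to PowerShell, so the value is in making every such step visible before the first build runs it.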
Solutions like Trend Micro’s Vision One and Managed Detection and Response (MDR) services have been pivotal in detecting and analyzing these threats, offering critical telemetry and threat hunting capabilities.
As Water Curse exploits the trust in platforms like GitHub, enhanced security awareness and verification practices among developers and security teams are essential to mitigate risks from such advanced supply chain attacks.