A sophisticated cybercriminal collective, tracked as the Water Curse hacker group, has weaponized at least 76 GitHub accounts to orchestrate an extensive supply chain attack distributing advanced multistage malware.
The campaign exploits inherent trust in open-source repositories, embedding malicious payloads within build scripts and project configurations of popular utilities and red team tools, putting the global developer community at risk.
Technical Analysis of the Campaign
The Water Curse operation, first identified by Trend Micro’s Managed Detection and Response (MDR) team, centers around the use of poisoned Visual Studio project files and ZIP archives disseminated through GitHub repositories.
At the core of the attack, malware is concealed within pre-build event scripts and auxiliary project artifacts.
When a developer compiles the compromised project, the embedded code executes a Visual Basic Script (VBS), which chains to an obfuscated PowerShell loader.

This loader, in turn, downloads encrypted payloads and deploys Electron-based binaries engineered for persistence, privilege escalation, and stealth.
Key stages of the infection chain involve downloading password-protected 7-Zip archives from GitHub’s standard code delivery endpoints.
Once extracted, executable components (e.g., SearchFilter.exe and taskhostw.exe) perform system reconnaissance, anti-debugging, and UAC bypass routines.
The malware disables Windows Defender and system restore mechanisms using specialized scripts (disabledefender.ps1), erases shadow copies, and manipulates Windows registry keys to harden its foothold.
Persistence is achieved through the creation of scheduled tasks masquerading as legitimate system jobs (such as “BitLocker Encrypt All Drives”).
According to the Trend Micro report, these tasks ensure long-term execution of malicious binaries under innocuous names and directories, such as OneDriveCloud and Microsoft\Vault\UserProfileProgramFiles.
Each stage of the operation leverages privilege escalation, obfuscation, and anti-analysis techniques to evade detection by traditional endpoint defenses.
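As an added defender-side example (not Trend Micro's tooling or code from the report), the Python audit below parses a Visual Studio project file and flags pre-build, post-build and Exec commands that launch a script host or hidden/encoded PowerShell, the hook described above; the project XML is a constructed sample, not a real Water Curse artifact.

```python
import base64
import re
import xml.etree.ElementTree as ET
# Constructed sample .vcxproj (not a Water Curse artifact): the pre-build event
# runs a VBS helper and a BeforeBuild target runs hidden, encoded PowerShell.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>cscript //nologo "$(ProjectDir)tools\\setup.vbs"</Command></PreBuildEvent>
    <PostBuildEvent><Command>copy "$(TargetPath)" "$(OutDir)"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="BeforeBuild">
    <Exec Command="powershell -w hidden -ep bypass -enc aQBlAHgA" />
  </Target>
</Project>"""

# Indicators that a build step hands control to a script host or loader.
SUSPICIOUS = [
    (r"\b[wc]script(\.exe)?\b", "VBS/JS script host launched from build"),
    (r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", "encoded PowerShell"),
    (r"\bpowershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b", "hidden PowerShell window"),
    (r"\b(iex|invoke-expression|downloadstring|invoke-webrequest)\b", "download/execute in memory"),
]

def build_commands(project_xml):
    """Yield (location, command) for each build-event <Command> and <Exec> task."""
    for el in ET.fromstring(project_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the MSBuild namespace
        if tag in ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent"):
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "Command" and child.text:
                    yield tag, child.text.strip()
        elif tag == "Exec" and el.get("Command"):
            yield "Exec", el.get("Command").strip()

def decode_encoded(cmd):
    """Plaintext of a -enc/-EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def audit_project(project_xml):
    """Return [(location, text, reason)] per indicator hit, decoded arguments included."""
    findings = []
    for where, cmd in build_commands(project_xml):
        decoded = decode_encoded(cmd)
        texts = [(where, cmd)] + ([(where + " (decoded)", decoded)] if decoded else [])
        for loc, text in texts:
            findings += [(loc, text, why) for pat, why in SUSPICIOUS if re.search(pat, text, re.I)]
    return findings
```

The benign PostBuildEvent copy produces no finding, while the encoded argument is decoded so that an `iex` hidden behind base64 is still caught.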

Exfiltration and Targets
The final malware payload collects broad system, network, and hardware fingerprints, scans browser data for credentials, session cookies, and autofill information, and stages exfiltration archives containing sensitive data.
Stolen information is compressed using local copies of 7-Zip and exfiltrated via legitimate cloud and messaging services (such as Gofile and Telegram), further complicating detection.
While Water Curse’s campaign primarily targets cybersecurity professionals, penetration testers, and red teams through trojanized hacking utilities, its reach extends into game development, DevOps, and even gaming communities by embedding malware in cheats and automation tools.
The group’s technical versatility is underscored by the use of diverse languages and frameworks, including PowerShell, JavaScript, C#, and Electron, reflecting a broad, financially motivated threat model.
The Water Curse campaign highlights the escalating risk of supply chain compromise in open-source software.
The attackers’ systematic use of GitHub and open collaboration platforms transforms trusted environments into vectors for sophisticated attacks.
Their tactics echo the emerging trend of developer-oriented infostealers that blur the boundary between legitimate red team tooling and active malware.
Experts recommend rigorous auditing of downloaded open-source tools, with particular caution toward unfamiliar build routines and excessive code obfuscation.
Organizations are urged to validate repository histories, employ internal mirrors for critical dependencies, and adopt advanced MDR solutions capable of correlating telemetry and exposing advanced persistent threats.
Vendors like Trend Micro have responded by updating detection rules and providing guidance to mitigate Water Curse’s observable indicators of compromise.
The Water Curse operation is a stark reminder of the vital role of vigilance and technical scrutiny in the open-source ecosystem.
The campaign’s scale and sophistication demonstrate how targeted supply chain attacks can ripple far beyond their initial vector, threatening the broader IT and developer community worldwide.