GitHub Repository Suspected of Hosting Malware

Security researchers have identified a GitHub repository hosting multiple malicious executables, including ransomware and advanced post-exploitation tools, marking the latest escalation in software supply chain attacks.

The “Lean789/rueht” repository contains files like Mizedo.exe, toyour.exe, and mimikatz.exe, which exhibit behaviors consistent with credential theft, lateral movement, and data encryption.

This discovery coincides with a broader campaign of repo confusion attacks affecting over 100,000 GitHub repositories, where threat actors mimic legitimate projects to distribute obfuscated malware.

Repository Analysis Reveals Multi-Stage Attack Infrastructure

According to the analysis, Microsoft Edge processes are used to download Mizedo.exe, a ransomware payload with SHA256 hash 1B2AAB7A2B355B073A085A8BBFE1CAD1C7AB8802C9FCFB6667A2A4D42101652B.

Dynamic analysis reveals the executable encrypts files using hybrid cryptosystems while exfiltrating browser credentials and cookies to command-and-control servers.

Concurrently, the repository hosts mimikatz.exe, a notorious tool for extracting plaintext passwords and Kerberos tickets from Windows’ LSASS memory.

This combination enables attackers to first compromise credentials for lateral movement before deploying ransomware—a tactic observed in high-profile campaigns like NotPetya.

Threat actors leverage GitHub’s credibility to bypass traditional security filters, with the repository remaining active for 11+ days before detection.

The toyour.exe and Dpose.exe files exhibit similar ransomware behaviors, including anti-analysis checks and seven-layer obfuscation routines.

Mimikatz Integration Enables Enterprise Network Compromise

The inclusion of Mimikatz transforms these attacks from isolated incidents into systemic threats.

By exploiting Windows authentication protocols like WDigest and Kerberos, Mimikatz facilitates Pass-the-Hash, Golden Ticket, and Silver Ticket attacks—techniques allowing attackers to impersonate domain administrators.

Security firm Darktrace notes that such capabilities enable ransomware operators to disable endpoint protections, escalate privileges, and encrypt Active Directory forests.

Recent variants automate LSASS memory dumping through APIs like MiniDumpWriteDump, evading detection by signature-based antivirus solutions.

When combined with the repository’s ransomware modules, this creates a self-propagating attack chain: stolen credentials enable lateral movement, while ransomware disrupts operations and pressures victims into paying ransoms.

Repo Confusion Campaigns Exploit Developer Workflows

This incident aligns with Apiiro’s findings on repo confusion attacks, where threat actors upload malicious clones of legitimate repositories to GitHub.

Attackers use naming conventions like “🔥 2024 language:python” to lure developers, embedding payloads that deploy info-stealers like BlackCap-Grabber.

Despite GitHub’s automated takedowns, manual uploads persist—1% of 100,000+ infected repositories remain active, exposing millions of users.

Mitigation requires multi-layered defenses:

  • Runtime monitoring for LSASS access attempts and unusual Kerberos ticket requests
  • Code provenance verification using tools like Sigstore to authenticate repository legitimacy
  • Behavioral analytics to detect file encryption patterns and anomalous network traffic
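As an added illustration of the first bullet (example code written for this page, not from the article or the researchers it cites), the following Python flags Sysmon Event ID 10 (ProcessAccess) records in which a process outside an allowlist opens lsass.exe with memory-access rights; the allowlist paths and the log records are constructed, and the event field names follow Sysmon's ProcessAccess schema.

```python
"""Flag processes that open lsass.exe with memory-read rights, using
Sysmon Event ID 10 (ProcessAccess) records (first mitigation bullet above)."""

# Process access rights from winnt.h. MiniDumpWriteDump needs
# PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010) on its target
# handle; the write/thread rights cover tampering with LSASS rather than dumping.
SENSITIVE_RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
}

# Hypothetical allowlist of full paths that legitimately read LSASS here;
# derive it from a baseline of the real environment, not from this example.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def sensitive_rights(granted_access: str) -> list[str]:
    """Decode Sysmon's hex GrantedAccess string into the sensitive rights it grants."""
    mask = int(granted_access, 16)
    return [name for bit, name in SENSITIVE_RIGHTS.items() if mask & bit]

def suspicious_lsass_access(events: list[dict]) -> list[dict]:
    """One alert per Event ID 10 record in which a non-allowlisted process
    opened lsass.exe with at least one sensitive right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if ev["SourceImage"].lower() in ALLOWLIST:
            continue
        rights = sensitive_rights(ev["GrantedAccess"])
        if rights:  # 0x1000 (QUERY_LIMITED_INFORMATION) alone is routine and stays quiet
            alerts.append({"source": ev["SourceImage"], "granted": ev["GrantedAccess"], "rights": rights})
    return alerts

# Constructed sample records mirroring Sysmon Event ID 10 fields (not real telemetry).
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\dev\Downloads\rueht\mimikatz.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\dev\AppData\Local\Temp\toyour.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for alert in suspicious_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

Running it over the constructed records raises two alerts (the two binaries in user-writable paths) and stays quiet for the allowlisted system process, the query-only handle, and the non-ProcessAccess event.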

GitHub has disabled the “Lean789/rueht” repository, but experts warn that similar campaigns will persist as attackers refine social engineering tactics.

The incident underscores the critical need for software bill-of-materials (SBOM) adoption and proactive threat hunting in developer ecosystems.

As supply chain attacks grow in sophistication, organizations must prioritize credential protection, memory security, and repository vetting.

The convergence of Mimikatz-based credential theft and automated ransomware deployment represents a paradigm shift in cybercriminal tactics—one that demands equally innovative defenses.
