A sophisticated threat actor known as Water Curse has exploited the inherent trust in open-source software by weaponizing at least 76 GitHub accounts to distribute malicious repositories containing multistage malware.
The campaign represents a significant supply chain risk, targeting cybersecurity professionals, game developers, and DevOps teams who regularly rely on GitHub-hosted tools and utilities in their work environments.
The malicious operation involves embedding hidden payloads within legitimate-appearing penetration testing tools, including an SMTP email bomber and Sakura-RAT, which are presented as authentic security utilities.
These weaponized repositories exploit the widespread trust placed in open-source platforms, deceiving users into downloading and executing compromised code that initiates complex infection chains utilizing obfuscated Visual Basic Script and PowerShell components.
Trend Micro analysts identified Water Curse in May 2025, though evidence suggests the group’s malicious activities date back to March 2023.
The researchers noted that the threat actor employs a financially motivated approach, with observed behaviors indicating goals such as credential theft, session hijacking, and the resale of illicit access credentials across multiple victim categories.
The campaign is global in scope: its artifacts are written in English, delivery relies almost entirely on GitHub, and the victim base is broad rather than region-specific, spanning multiple geographies.
Water Curse demonstrates high technical adaptability through its use of diverse programming languages including PowerShell, JavaScript, C#, VBS scripts, and compiled PE binaries, indicating access to cross-functional development capabilities.
This operation underscores a growing trend of developer-oriented information stealers that blur the distinction between legitimate red team tooling and active malware distribution, creating significant challenges for security teams attempting to differentiate between authentic and malicious open-source resources.
Sophisticated Infection Mechanism and Multi-Stage Payload Delivery
The Water Curse infection process begins when victims download ZIP archives through GitHub’s standard codeload.github.com domain, with malicious payloads embedded within Visual Studio project configuration files.
The embedded malicious code resides within the “ tag, which triggers automatically during code compilation, dropping a VBS script for subsequent execution stages.
The initial VBScript component, executed via cscript.exe, deploys a PowerShell-based second-stage script that performs decryption and loads additional payloads using custom key derivation routines.
This obfuscated PowerShell script queries multiple domains including rlim.com, github.com, and popcorn-soft.glitch.me, while downloading the 7-Zip utility to extract password-protected archives.
The extracted components reveal an Electron-based application containing SearchFilter.exe, which demonstrates sophisticated post-execution behaviors including system reconnaissance, privilege escalation, and anti-debugging techniques.
Upon execution, the malware performs comprehensive system enumeration through commands such as powershell -ExecutionPolicy Bypass -Command "(Get-WmiObject Win32_OperatingSystem).OSArchitecture" to determine system architecture and wmic path win32_videocontroller get name to identify installed graphics hardware.
The complete Water Curse infection chain shows each stage from initial access through persistence establishment and data exfiltration.
The malware’s persistence mechanism involves creating scheduled tasks masquerading as legitimate system processes, including “BitLocker Encrypt All Drives” configured to execute every five minutes with an unusually long duration of 9999 hours and 59 minutes, ensuring sustained system control across reboots and user sessions.
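Defenders can hunt for the persistence pattern described above. The following PowerShell is an added example and not code from the article or from Trend Micro; the interval and duration thresholds, the interpreter and keyword lists, and the set of user-writable paths are assumptions chosen for illustration.

```powershell
# Added hunting script (not from the article): flags scheduled tasks that match
# the Water Curse persistence pattern: a system-sounding task name, a trigger
# that repeats every few minutes for an absurdly long duration, and an action
# that runs a script interpreter from a user-writable path.
# All thresholds and lists below are assumptions chosen for illustration.

$maxInterval  = [TimeSpan]::FromMinutes(5)  # fires at least this often...
$minDuration  = [TimeSpan]::FromDays(30)    # ...for longer than this (PT9999H59M is ~416 days)
$interpreters = @('cscript', 'wscript', 'powershell', 'pwsh', 'cmd', 'mshta')
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

function Convert-IsoDuration([string]$value) {
    # Repetition.Interval / Repetition.Duration are ISO 8601 durations (e.g. PT5M, PT9999H59M)
    if ([string]::IsNullOrEmpty($value)) { return [TimeSpan]::Zero }
    return [System.Xml.XmlConvert]::ToTimeSpan($value)
}

function Find-SuspiciousRepeaters {
    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        foreach ($trigger in $task.Triggers) {
            if (-not $trigger.Repetition) { continue }
            $interval = Convert-IsoDuration $trigger.Repetition.Interval
            $duration = Convert-IsoDuration $trigger.Repetition.Duration
            if ($interval -gt [TimeSpan]::Zero -and $interval -le $maxInterval -and $duration -ge $minDuration) {
                $reasons += "repeats every $interval for $duration"
            }
        }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $cmd = "$($action.Execute) $($action.Arguments)"
            $exe = [IO.Path]::GetFileNameWithoutExtension($action.Execute).ToLower()
            if ($interpreters -contains $exe) {
                if ($cmd -match '(?i)-ExecutionPolicy\s+Bypass') { $reasons += 'PowerShell launched with -ExecutionPolicy Bypass' }
                foreach ($root in $userWritable) {
                    if ($cmd -like "*$root*") { $reasons += "script interpreter runs content under $root" }
                }
            }
        }
        # Genuine Microsoft tasks live under \Microsoft\...; a BitLocker/Defender-sounding
        # name registered at the task root is worth a look (assumed keyword list)
        if ($task.TaskPath -eq '\' -and $task.TaskName -match '(?i)bitlocker|defender') {
            $reasons += 'system-sounding name registered at task root rather than under \Microsoft\'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath;
                               Author = $task.Author; Reasons = ($reasons -join '; ') }
        }
    }
}

Find-SuspiciousRepeaters | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so that tasks registered by other users and by SYSTEM are enumerated as well.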